Google Cloud Platform

This chapter describes the procedure to establish a Site-to-Site IPsec tunnel between your Harmony SASE network and Google Cloud Platform (GCP).

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account in the Firewall/ Router/ Cloud Management Portal.

Step 1 - Configurations in the GCP Console

Creating a Virtual Private Gateway

  1. Access the GCP console and go to Network Connectivity.

  2. In the left menu, click VPN.

  3. Click Cloud VPN Gateways > Create VPN gateway.

  4. Click the link to create Classic VPN.

  5. Enter these:

    1. Name - Name of the gateway.

    2. Network - Select default or a specific VPC.

    3. Region - Select the region where your resources are located.

    4. IP address - Create an IP address to connect your gateway and click Reserve.

Creating a Tunnel

  1. Access the GCP console and go to Network Connectivity.

  2. In the left menu, click VPN.

  3. Click Cloud VPN Tunnels > Create VPN tunnel.

  4. Enter these:

    1. Name - Name of the tunnel.

    2. Remote peer IP address - IP address of your Harmony SASE Gateway.

      To obtain this, go to the Harmony SASEAdministrator Portal > Networks and select the network that contains the gateway to which you wan to create a tunnel.

    3. IKE Version - IKEv2

    4. IKE pre-shared key - Click Generate and copy or select a key of your own and note it down.

    5. Routing options - Route-based

    6. Remote network IP ranges - 10.255.0.0/16 (unless customized)

  5. Click Done and then Create.

Configuring the Routing Rules to the VPC Network

  1. Access the GCP console and go to the VPC Network section.

  2. In the left menu, click Routes.

  3. Click Create Route Rule.

  4. Enter these:

    1. Name - Name of the VPN gateway.

    2. Network - Select the VPC network that contains the instances served by the VPN gateway. This must be the same network selected in the previous steps.

    3. Destination IP range - 10.255.0.0/16 (or customized)

    4. Priority - 1000

    5. Next hop - Select Specify VPN Tunnel.

    6. Next hop VPN tunnel - Select the VPN tunnel you created in the previous steps.

  5. Click Create.

Allowing Incoming Connections from Harmony SASE Local Network Using Firewall Rules

  1. Access the GCP console and go to the VPC Network section.

  2. In the left menu, click Firewall rules.

  3. Click Create Firewall Rule.

  4. Enter these:

    1. Name - Name of the rule.

    2. Logs - Off

    3. Network - Select the VPC network that contains the instances served by the VPN gateway. This must be the same network selected in the previous steps.

    4. Priority - 1000

    5. Direction of traffic - Ingress.

    6. Action on match - Allow

    7. (Optional) Target tags

    8. Source filter - IP ranges

    9. Source IP ranges - 10.255.0.0/16 (unless customized)

    10. Second source filter - None

    11. Protocols and ports - Allow all

Step 2 - Creating the Tunnel in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In the required gateway, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Click Single Tunnel and click Continue.

    The IPSec Site-2-Site Tunnel window appears.

  6. In the General Settings section, enter these:

    1. Name - Name of the tunnel.

    2. Harmony SASE Gateway Proposal Subnets - Any (0.0.0.0/0)

    3. Remote Gateway Proposal Subnets - Any (0.0.0.0/0)

  7. In the Advanced Settings section, enter the information for your tunnel type:

    Field

    IKE Version

    IKE Lifetime

    Tunnel Lifetime

    Dead Peer Detection Delay

    Dead Peer Detection Timeout

    Encryption (Phase 1)

    Encryption (Phase 2)

    Integrity (Phase 1)

    Integrity (Phase 2)

    Diffie Hellman Groups (Phase 1)

    Diffie Hellman Groups (Phase 2)

    Cloud Vendor

    Amazon AWS

    Single Tunnel - AWS Virtual Gateway V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21 21
    Single Tunnel - AWS Transit Gateway V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21 21
    Redundant Tunnels - AWS Virtual Private Gateway V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21 21
    Redundant Tunnels - AWS Transit Gateway V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21 21

    Google Cloud Platform

    Single Tunnel 1 V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21 21

    Redundant Tunnels

    		 V2 8h 1h 10s 30s aes256 aes256 sha512 sha512 21

    21
    Microsoft Azure  

    Single Tunnel -

    Azure Virtual Network Gateway

    V2

    3600s

    27000s

    10s

    45s

    		 aes256 aes256 sha1 sha1

    2

    2

    Redundant Tunnels - Virtual Network Gateway

    V2

    9h

    9h

    		 10s 30s aes256 aes256 sha1 sha1

    2

    2

    Redundant Tunnels - Virtual WAN

    V2

    8h

    		 1h 10s 30s aes256 aes256

    sha256

    sha256

    14

    14

    Other tunnel types

     
    Alibaba Cloud V1 8h 1h 10s 30s aes256 aes256 sha1 sha1 2 2

    IBM Cloud

    V1

    		 8h 1h 10s 30s aes256 aes256

    sha256

    sha256

    21

    21

    1 Suggested values. For other supported ciphers, see this Google article.

  8. Click Add Tunnel.