IBM Cloud

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account in the Firewall/Router/Cloud Management Portal.

Step 1 - Configuring a VPN Gateway at the IBM Cloud Console

  1. Access the IBM Cloud console, open the VPC section and go to Network > VPNs.

  2. Go to the IKE policies tab and click New IKE policy.

  3. The New IKE policy window appears.

  4. Enter these:

    1. Name - Name of the policy.

    2. Resource group

    3. Region - Region in which the VPC is located.

  5. Click Create IKE policy.

    The system creates the IKE policy.

  6. Click and then Edit.

  7. Enter these:

    1. IKE Version - 1

    2. DH Group - 2

    3. Authentication - sha256

    4. Key Lifetime - 28800

    5. Encryption - aes256

  8. Click Save IKE policy.

  9. Go to the IPSec Policies tab and click New IPSec Policy.

    The New IPSec policy window appears.

  10. Enter these:

    1. Name - Name of the policy.

    2. Resource group

    3. Region - Region in which the VPC is located.

  11. Click Create IPSec policy.

    The system creates the IPSec policy.

  12. Click and then Edit.

  13. Enter these:

    1. Authentication - sha256

    2. Encryption - aes256

    3. PFS - Select the checkbox.

    4. DH Group - 2

    5. Key Lifetime - 3600

  14. Click Save IPSec policy.

  15. Go to the VPN gateways tab and click New VPN gateway.

    The New VPN gateway for VPC window appears.

  16. Enter these:

    1. Name - Name of the VPN gateway.

    2. Virtual private cloud - Select the required cloud.

    3. Resource group - Select the resource group.

    4. Subnet - Select the required subnet.

  17. Select New VPN Connection for VPC.

    The New VPN connection for VPC window appears.

  18. Enter these:

    1. Connection name - Name of the VPN connection.

    2. Peer gateway address - IP address of your Harmony SASE gateway.

    3. Preshared key - A string with at least 8 characters that contains upper-case letters and numbers.

    4. Local subnets - Specify one or more subnets in the VPC you want to connect.

    5. Peer subnets - 10.255.0.0/16 (Unless you have custom configurations or multiple tunnels to the same Harmony SASE gateway).

    6. Dead peer detection action - Restart

    7. Interval - 10 seconds

    8. Timeout - 30 seconds

    9. IKE policy - Select the IKE policy created earlier.

    10. IPSec policy - Select the IPSec policy created earlier.

Step 2 - Creating the Tunnel in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In the required gateway, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Click Single Tunnel and click Continue.

    The IPSec Site-2-Site Tunnel window appears.

  6. In the General Settings section, enter these:

    1. Name - Name of the tunnel.

    2. Public IP - IP address of the VPN Gateway defined in the IBM Cloud console.

    3. Remote ID - Identical to Remote IP.

    4. Shared Secret - Preshared key in the IBM Cloud console.

    5. Perimeter 81 Gateway Proposal Subnets - 10.255.0.0/16 or the value defined in the IBM Cloud console.

    6. Remote Gateway Proposal Subnets - Subnets in the VPC that you want to connect.

  7. In the Advanced Settings section, enter the information for your tunnel type:

    Column key: DPD = Dead Peer Detection; P1 = Phase 1; P2 = Phase 2; DH = Diffie Hellman Groups.

    Cloud Vendor          | Tunnel type                                     | IKE Version | IKE Lifetime | Tunnel Lifetime | DPD Delay | DPD Timeout | Encryption P1 | Encryption P2 | Integrity P1 | Integrity P2 | DH P1 | DH P2
    ----------------------|-------------------------------------------------|-------------|--------------|-----------------|-----------|-------------|---------------|---------------|--------------|--------------|-------|------
    Amazon AWS            | Single Tunnel - AWS Virtual Gateway             | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Amazon AWS            | Single Tunnel - AWS Transit Gateway             | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Amazon AWS            | Redundant Tunnels - AWS Virtual Private Gateway | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Amazon AWS            | Redundant Tunnels - AWS Transit Gateway         | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Google Cloud Platform | Single Tunnel (1)                               | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Google Cloud Platform | Redundant Tunnels                               | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha512       | sha512       | 21    | 21
    Microsoft Azure       | Single Tunnel - Azure Virtual Network Gateway   | V2          | 3600s        | 27000s          | 10s       | 45s         | aes256        | aes256        | sha1         | sha1         | 2     | 2
    Microsoft Azure       | Redundant Tunnels - Virtual Network Gateway     | V2          | 9h           | 9h              | 10s       | 30s         | aes256        | aes256        | sha1         | sha1         | 2     | 2
    Microsoft Azure       | Redundant Tunnels - Virtual WAN                 | V2          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha256       | sha256       | 14    | 14
    Other tunnel types    | Alibaba Cloud                                   | V1          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha1         | sha1         | 2     | 2
    Other tunnel types    | IBM Cloud                                       | V1          | 8h           | 1h              | 10s       | 30s         | aes256        | aes256        | sha256       | sha256       | 21    | 21

    (1) Suggested values. For other supported ciphers, see this Google article.

  8. Click Add Tunnel.
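Since the two consoles express the same proposal differently (lifetimes in seconds in IBM Cloud, hours in the Harmony SASE table) and a Phase 1 or Phase 2 algorithm or DH group that differs between the peers makes negotiation fail, it is worth checking the two sides against each other before clicking Add Tunnel. The Python below is an added example, not code from this page or from Harmony SASE; its dictionary keys are hypothetical, and the sample values are constructed from Step 1 and from the IBM Cloud row of the table above.

```python
"""Compare the IKE/IPSec proposal entered in the IBM Cloud console with the
Harmony SASE tunnel settings and list every field that would not match."""
import re

# IBM Cloud takes lifetimes in seconds; the Harmony SASE table uses "8h"/"1h"/"3600s".
_UNITS = {"s": 1, "m": 60, "h": 3600}

def to_seconds(value):
    """Normalise a lifetime: '8h' -> 28800, '3600s' -> 3600, 28800 -> 28800."""
    m = re.fullmatch(r"(\d+)([smh]?)", str(value).strip().lower())
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

# (IBM Cloud field, Harmony SASE field, normaliser). The field names are this
# example's own hypothetical keys, not console or API identifiers.
_PAIRS = [
    ("ike_version", "ike_version", lambda v: str(v).upper().lstrip("V")),
    ("ike_encryption", "encryption_p1", str.lower),
    ("ike_authentication", "integrity_p1", str.lower),
    ("ike_dh_group", "dh_group_p1", int),
    ("ike_lifetime", "ike_lifetime", to_seconds),
    ("ipsec_encryption", "encryption_p2", str.lower),
    ("ipsec_authentication", "integrity_p2", str.lower),
    ("ipsec_dh_group", "dh_group_p2", int),
    ("ipsec_lifetime", "tunnel_lifetime", to_seconds),
    ("dpd_interval", "dpd_delay", to_seconds),
    ("dpd_timeout", "dpd_timeout", to_seconds),
]

def find_mismatches(ibm, sase):
    """Return [(ibm_field, ibm_value, sase_field, sase_value), ...] for each pair
    whose normalised values differ; an empty list means the two sides agree."""
    return [(a, ibm[a], b, sase[b]) for a, b, norm in _PAIRS
            if norm(ibm[a]) != norm(sase[b])]

# Constructed from the values this page gives in Step 1 (IBM Cloud console).
IBM_SIDE = {"ike_version": 1, "ike_encryption": "aes256", "ike_authentication": "sha256",
            "ike_dh_group": 2, "ike_lifetime": 28800, "ipsec_encryption": "aes256",
            "ipsec_authentication": "sha256", "ipsec_dh_group": 2, "ipsec_lifetime": 3600,
            "dpd_interval": 10, "dpd_timeout": 30}
# Constructed from the IBM Cloud row of the Advanced Settings table in Step 2.
SASE_SIDE = {"ike_version": "V1", "encryption_p1": "aes256", "encryption_p2": "aes256",
             "integrity_p1": "sha256", "integrity_p2": "sha256", "dh_group_p1": 21,
             "dh_group_p2": 21, "ike_lifetime": "8h", "tunnel_lifetime": "1h",
             "dpd_delay": "10s", "dpd_timeout": "30s"}

if __name__ == "__main__":
    for ibm_field, a, sase_field, b in find_mismatches(IBM_SIDE, SASE_SIDE):
        print(f"MISMATCH {ibm_field}={a!r} vs {sase_field}={b!r}")
```

Run against the values exactly as this page gives them, the check reports only the two DH group fields (2 in the IBM Cloud policies, 21 in the Harmony SASE row); with the same group on both sides it returns an empty list.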

Verifying the Setup in IBM Cloud Console

  1. Access the IBM Cloud console and go to the VPN gateways tab.

  2. Select the name of the VPN Gateway associated with the tunnel.

  3. Scroll down and click View all connections.

    Verify that the tunnel Status is Active.