Tunnels

Tunnels are encrypted secure connections between the Harmony SASE gateway and your SD-WAN device (on-premises or cloud) on your network. You can connect all your branches to a network using a single or multiple tunnels.

Harmony SASE supports three types of tunnels:

IPSec Site-2-Site VPN Tunnel

IPSec (IP Security) is a protocol suite designed to secure data communication over IP networks, providing integrity, confidentiality, and authentication. It uses the IKE (Internet Key Exchange) protocol to negotiate keys and establish secure communication between networks. An IPSec tunnel connects your Harmony SASE gateway with your local network.

You can configure either a single IPSec Site-2-Site VPN tunnel or redundant tunnels.

With a single tunnel, all the traffic is routed through this tunnel.

With redundant tunnels, traffic is routed through multiple tunnels. This offers high network availability, redundancy, and better performance, because traffic is routed through the closest tunnel.

Best Practice - For redundancy, we recommend that you deploy the gateways in different regions depending on users' location.

WireGuard Connector Tunnel

WireGuard Connector is a fast and modern VPN that uses state-of-the-art cryptography. It is designed as a general-purpose VPN that runs on embedded interfaces and supercomputers alike.

The figure (not reproduced here) shows an example of tunnel usage in a network.

The table (not reproduced here) shows a comparison between WireGuard Connector and IPSec tunnels.

OpenVPN Tunnel

The OpenVPN protocol creates secure and private site-to-site connections using SSL encryption. It is suitable in these scenarios:

  • The operating system is not supported by the Harmony SASE Agent. For supported operating systems, see Downloading and Deploying the Harmony SASE Agent.

  • You want to create a dedicated Harmony SASE connection with a single machine.

  • The device does not support the Harmony SASE Agent.

Caution - The OpenVPN tunnel does not offer the advanced security features that the agent provides, such as Split Tunneling, DNS Filtering, Configuration Profiles, Firewall, Activity, SWG, DPC, and Single Sign-On.

Internal Network Subnet

The Harmony SASE network is designed according to internationally acknowledged standards and follows the RFC conventions regulated by the American internet authorities. To successfully incorporate Harmony SASE in your architecture, make sure that:

  1. Your internal network follows industry-accepted design patterns.

  2. Virtual Private Clouds (VPCs) or Data Centers (DCs) with overlapping subnets do not reside in the same network.

  3. Your Harmony SASE network subnet does not overlap with your network subnet.

  4. (Highly Recommended) All subnet masks are either class B or C.

  5. (Recommended) Your internal network has a static public IP.

    Caution - 192.168.1.0/24 and 10.0.0.0/24 are the most commonly used subnets for IoT applications.

    If you connect to a site that uses one of these CIDRs from a typical home location, it causes an IP conflict. Use 192.168.81.0/24 or 10.81.0.0/24 as the subnet to connect your site to Harmony SASE.
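The subnet checks above (no overlap between sites in one network, no overlap with the Harmony SASE subnet, and no collision with the common home subnets named in the caution) can be run before a deployment. The script below is an added example written for this page, not a Check Point tool; the site names, the Harmony SASE subnet value and the reading of "class B or C" as a /16 or /24 mask are assumptions, and it relies only on the Python standard library.

```python
"""Pre-deployment overlap check for subnets that will connect to Harmony SASE."""
from ipaddress import ip_network

# Subnets the page's caution names as the most commonly used at home locations.
COMMON_HOME_SUBNETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24")]


def find_overlaps(site_subnets, sase_subnet):
    """Return a list of (kind, a, b) findings for the rules on this page.

    site_subnets: {site name: CIDR} for every VPC / DC in the same network.
    sase_subnet:  CIDR of the Harmony SASE network itself.
    """
    nets = {name: ip_network(cidr, strict=True) for name, cidr in site_subnets.items()}
    sase = ip_network(sase_subnet, strict=True)
    names = sorted(nets)
    findings = []
    # Rule 2: two sites in the same network must not have overlapping subnets.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("site-overlap", a, b))
    for name in names:
        net = nets[name]
        # Rule 3: a site subnet must not overlap the Harmony SASE network subnet.
        if net.overlaps(sase):
            findings.append(("sase-overlap", name, str(sase)))
        # Rule 4 (assumed reading): class B or C mask means /16 or /24.
        if net.prefixlen not in (16, 24):
            findings.append(("mask-not-class-b-or-c", name, f"/{net.prefixlen}"))
        # Caution: these subnets collide with typical home networks of remote users.
        for home in COMMON_HOME_SUBNETS:
            if net.overlaps(home):
                findings.append(("home-conflict", name, str(home)))
    return findings


def site_plan_is_clean(site_subnets, sase_subnet):
    """True when no finding is raised, i.e. the plan satisfies the checks."""
    return not find_overlaps(site_subnets, sase_subnet)


if __name__ == "__main__":
    # Constructed sample plan: one branch uses the common home subnet, and the
    # data center subnet sits inside branch-b's /16 in the same network.
    plan = {"branch-a": "192.168.1.0/24", "branch-b": "10.10.0.0/16", "dc": "10.10.5.0/24"}
    for finding in find_overlaps(plan, "10.255.0.0/16"):
        print(*finding)
    print("fixed plan clean:", site_plan_is_clean({"branch-a": "192.168.81.0/24"}, "10.255.0.0/16"))
```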