Azure Virtual Network Gateway

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account for the Firewall, Router, or Cloud Management Portal.

Step 1 - Configurations in the Azure Management Portal

Creating a Gateway Subnet

  1. Access the Azure Management Portal and go to Virtual networks.

  2. Click the virtual network in which you want to create the gateway and click Subnets.

  3. Click + Gateway subnet. The system populates the subnet name as Gateway subnet by default.

  4. (Optional) Adjust the auto-filled Address range values. This subnet is used for the Virtual Gateway only.

    If this range is not auto-filled:

    1. Go to address space and click +Add.

    2. Select any unused /27 subnet within the address space. For example, 10.1.255.0/27.

Creating a Virtual Network Gateway

  1. Access the Azure Management Portal and click +Create a resource.

  2. Search for Virtual Network Gateway and click it in the search results.

  3. Click Create.

  4. The Create virtual network gateway window appears.

  5. Enter these:

    1. Name - Name of the gateway.

    2. Region - Region where your resources are located.

    3. Gateway type - VPN.

    4. SKU - Select the gateway SKU from the list. The SKUs listed depend on the selected VPN.

    5. Virtual network - The Virtual network that contains the resources you want to reach through the tunnel.

      The Choose a virtual network page appears.

      Note - If you do not see your VNet, make sure your virtual network is located in the selected Region.

    6. Subnet - Subnet range for your virtual network.

      This setting appears only when you create a gateway subnet for your virtual network for the first time.

    7. Public IP address - Click Create New or choose an existing IP used by your organization.

    8. Enable active-active mode - Disabled.

    9. Configure BGP - Disabled.

    10. Click Review+create.

      The system starts to create the VPN gateway and it may take up to 45 minutes to complete.

Creating a Local Network Gateway

  1. Access the Azure Management Portal and click +Create a resource.

  2. Search for Local network gateway and click it in the search results.

  3. Click Create.

    The Create local network gateway page appears.

  4. Enter these:

    1. Name - Name of your gateway.

    2. IP address - IP address of your Harmony SASE gateway.

    3. Address Space - Harmony SASE subnet.

      Make sure that these ranges do not overlap with other networks' ranges that you want to connect to.

    4. Subscription - Verify that the value is correct.

    5. Resource Group - Select the resource group that you want to use. Create a new resource group or select one that you have already created.

    6. Location - Select the location where this object is created.

      (Optional) Select the location in which your Virtual Network resides.

    7. SKU - Select the gateway SKU from the list. The SKUs listed depend on the selected VPN.

  5. Click Create.

Creating the IPSec Tunnel Connection

  1. Access the Azure Management Portal and go to your Virtual Network Gateway page.

  2. Go to Settings and click Connections.

  3. Click +Add.

    The Create connection window appears.

  4. In the Basics tab, enter these:

    1. Connection type - Site-to-site (IPSec).
    2. Name - Name of the connection.

  5. Click Next: Settings >.

    The Settings tab appears.

  6. Enter these:

    1. Virtual network gateway - The IP address you receive from Azure. The value is static.

    2. Local network gateway - The local network gateway (your Harmony SASE network address) that you created. The value is static.

    3. Shared Key (PSK) - Create a unique key value. This must match the key value used for the Harmony SASE tunnel.

    4. IKE Protocol - IKEv2.

    5. DPD timeout in seconds - 30

  7. Click Review + Create to create your connection.

  8. Select the connection you just created and click Configuration.

    The Configuration window appears.

  9. Enter these:

    1. IPsec / IKE policy - Select Custom and use these values to align with the values set in Harmony SASE tunnel settings.

      1. Encryption - AES256

      2. Integrity/PRF - SHA1

      3. DH Group - DHGroup2

      4. IPsec Encryption - AES256

      5. IPsec Integrity - SHA1

      6. PFS Group - PFS2

      7. IPsec SA lifetime in KiloBytes - 102400000

      8. IPsec SA lifetime in seconds - 27000

  10. Go to Overview > Download configuration.

  11. Enter these:

    1. Device vendor - Generic Samples
    2. Device family - Device Parameters

    3. Firmware version - 1.0

  12. Click Download Configuration.

    The system downloads the configuration file.
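Step 1 as a whole (gateway subnet, virtual network gateway, local network gateway and the IPsec connection with its custom policy) can be reproduced from the Azure CLI instead of the portal. The script below is an added example, not Check Point's or Microsoft's own code. The resource group, region, VNet and resource names, the Standard public IP SKU, the VpnGw1 gateway SKU, and the 203.0.113.10 / 10.255.0.0/16 values for the Harmony SASE side are assumptions or placeholders; the IKE/IPsec algorithm, group and lifetime values are the ones this page specifies. The DPD timeout set in the portal (step 6 of the connection) is not configured by this script.

```shell
#!/bin/sh
# Added example, not Check Point's or Microsoft's code: Step 1 of this page
# (gateway subnet, virtual network gateway, local network gateway, connection)
# through the Azure CLI. Every name, range and SKU below is an assumption or a
# placeholder; the IKE/IPsec values are the page's.
set -eu

RG="${RG:-harmony-sase-rg}"                     # assumed resource group
LOCATION="${LOCATION:-westeurope}"              # assumed region of the VNet
VNET="${VNET:-app-vnet}"                        # assumed existing virtual network
GW_SUBNET_PREFIX="${GW_SUBNET_PREFIX:-10.1.255.0/27}"   # the page's /27 example
VNG="${VNG:-app-vpngw}"; VNG_PIP="${VNG_PIP:-app-vpngw-pip}"
LNG="${LNG:-harmony-sase-lng}"; CONN="${CONN:-azure-to-harmony}"
SASE_GW_IP="${SASE_GW_IP:-203.0.113.10}"        # placeholder: Harmony SASE gateway public IP
SASE_PREFIX="${SASE_PREFIX:-10.255.0.0/16}"     # placeholder: Harmony SASE network subnet

# One set of values for both peers, taken from the "Single Tunnel - Azure
# Virtual Network Gateway" row of the Harmony SASE table in Step 2. Changing a
# value here means making the same change in the tunnel's Advanced Settings.
IKE_VERSION=V2; P1_ENC=aes256; P1_INT=sha1; P1_DH=2
P2_ENC=aes256;  P2_INT=sha1;   P2_DH=2;  TUNNEL_LIFETIME=27000s; SA_MAX_KB=102400000

# Harmony spelling -> Azure enum spelling (aes256 -> AES256, 2 -> DHGroup2 / PFS2).
azure_cipher()       { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
azure_dh_group()     { printf 'DHGroup%s' "$1"; }
azure_pfs_group()    { printf 'PFS%s' "$1"; }
azure_ike_protocol() { case "$1" in V1) echo IKEv1 ;; V2) echo IKEv2 ;; *) return 1 ;; esac; }

# Lifetimes as written in the table ("8h", "1h", "27000s") -> whole seconds.
to_seconds() {
  case "$1" in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  return 1 ;;
  esac
}

create_gateway_subnet() {   # Azure only accepts the name GatewaySubnet for this subnet
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET_PREFIX" -o none
}

create_vpn_gateway() {      # gateway type VPN; no active-active or BGP flags are passed
  az network public-ip create -g "$RG" -n "$VNG_PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static -o none
  az network vnet-gateway create -g "$RG" -n "$VNG" -l "$LOCATION" --vnet "$VNET" \
    --public-ip-address "$VNG_PIP" --gateway-type Vpn --vpn-type RouteBased \
    --sku VpnGw1 --no-wait
  az network vnet-gateway wait -g "$RG" -n "$VNG" --created   # can take up to 45 minutes
}

create_local_gateway() {    # the Harmony SASE side: its public IP and its subnet
  az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
    --gateway-ip-address "$SASE_GW_IP" --local-address-prefixes "$SASE_PREFIX" -o none
}

create_connection() {       # site-to-site IPsec connection with the custom IPsec/IKE policy
  : "${AZURE_VPN_PSK:?export AZURE_VPN_PSK (for example from: openssl rand -base64 32)}"
  az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" \
    --connection-protocol "$(azure_ike_protocol "$IKE_VERSION")" \
    --shared-key "$AZURE_VPN_PSK" -o none
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
    --ike-encryption "$(azure_cipher "$P1_ENC")" --ike-integrity "$(azure_cipher "$P1_INT")" \
    --dh-group "$(azure_dh_group "$P1_DH")" \
    --ipsec-encryption "$(azure_cipher "$P2_ENC")" --ipsec-integrity "$(azure_cipher "$P2_INT")" \
    --pfs-group "$(azure_pfs_group "$P2_DH")" \
    --sa-lifetime "$(to_seconds "$TUNNEL_LIFETIME")" --sa-max-size "$SA_MAX_KB" -o none
}

# Only the functions are defined unless RUN_AZURE=1 is set (after az login).
if [ "${RUN_AZURE:-0}" = "1" ]; then
  create_gateway_subnet; create_vpn_gateway; create_local_gateway; create_connection
fi
```

Run it with `RUN_AZURE=1` after `az login`; without that variable it only defines the functions, so it can be sourced and the helpers reused. The shared key is read from `AZURE_VPN_PSK` rather than written into the file; it still passes through the `az` command line, so run it from a shell whose history you control. Keeping the proposal in one set of variables and translating to Azure's spelling with the small helpers is what keeps the Azure custom policy and the Harmony Advanced Settings from drifting apart, which is the usual cause of a connection that never leaves "Connecting".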

Step 2 - Creating the Tunnel in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.
  3. In the required gateway, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Click Single Tunnel and click Continue.

    The IPSec Site-2-Site Tunnel window appears.

  6. To automatically populate the tunnel configuration values, in the General Settings section, click Upload File and upload the configuration file downloaded from the Azure Management Portal.

  7. For manual configuration, in the General Settings section, enter these:

    1. Name - Name of the tunnel.

    2. Shared Secret - Shared secret you set in the Azure Management Portal.

    3. Public IP - Public IP address of the Azure Virtual network gateway.

    4. Remote ID - Remote ID of Azure Virtual network gateway.

    5. Perimeter 81 Gateway Proposal Subnets - Any (0.0.0.0/0).

    6. Remote Gateway Proposal Subnets - Any (0.0.0.0/0).

  8. To enter the details in the Advanced Settings section, open the configuration file downloaded from the Azure Management Portal and refer to the [2] IPsec/IKE parameters section.

  9. Enter the information for your tunnel type. Column legend: IKE = IKE Version; DPD = Dead Peer Detection; Enc = Encryption; DH = Diffie Hellman Groups; P1/P2 = Phase 1/Phase 2.

    Cloud Vendor / Tunnel type                        IKE | IKE Lifetime | Tunnel Lifetime | DPD Delay | DPD Timeout | Enc P1 | Enc P2 | Integrity P1 | Integrity P2 | DH P1 | DH P2

    Amazon AWS
      Single Tunnel - AWS Virtual Gateway             V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21
      Single Tunnel - AWS Transit Gateway             V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21
      Redundant Tunnels - AWS Virtual Private Gateway V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21
      Redundant Tunnels - AWS Transit Gateway         V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21

    Google Cloud Platform
      Single Tunnel (1)                               V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21
      Redundant Tunnels                               V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha512       | sha512       | 21    | 21

    Microsoft Azure
      Single Tunnel - Azure Virtual Network Gateway   V2  | 3600s        | 27000s          | 10s       | 45s         | aes256 | aes256 | sha1         | sha1         | 2     | 2
      Redundant Tunnels - Virtual Network Gateway     V2  | 9h           | 9h              | 10s       | 30s         | aes256 | aes256 | sha1         | sha1         | 2     | 2
      Redundant Tunnels - Virtual WAN                 V2  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha256       | sha256       | 14    | 14

    Other tunnel types
      Alibaba Cloud                                   V1  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha1         | sha1         | 2     | 2
      IBM Cloud                                       V1  | 8h           | 1h              | 10s       | 30s         | aes256 | aes256 | sha256       | sha256       | 21    | 21

    (1) Suggested values. For other supported ciphers, see this Google article.

  10. Click Add Tunnel.

Verifying the VPN Connection in the Azure Management Portal

  1. Access the Azure Management Portal and go to your Virtual Network Gateway page.

  2. Go to Settings and click Connections.

  3. In the connection you created, click the Overview tab.

    Make sure that the Status is Connected and that there is data coming in (Data in) and going out (Data out).
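The same three conditions (Status is Connected, Data in and Data out are non-zero) can be checked from the Azure CLI and polled until the tunnel comes up. The script below is an added example, not Check Point's or Microsoft's code; the resource group and connection names are assumptions, and the `connectionStatus`, `ingressBytesTransferred` and `egressBytesTransferred` fields are the properties Azure exposes on a VPN connection resource.

```shell
#!/bin/sh
# Added example (not Check Point's or Microsoft's code): the "Verifying the VPN
# Connection" check of this page, done with the Azure CLI and repeatable.
# RG and CONN are assumed names.
set -eu
RG="${RG:-harmony-sase-rg}"
CONN="${CONN:-azure-to-harmony}"

# Coerce a byte counter to an integer; a connection that has just been created
# can report an empty or null counter, which counts as zero.
as_int() { case "${1:-}" in ''|*[!0-9]*) echo 0 ;; *) echo "$1" ;; esac; }

# The page's three conditions: Status is Connected, Data in > 0, Data out > 0.
# Returns 0 when all hold, 1 otherwise, and prints the first condition that fails.
tunnel_healthy() {   # args: status ingress_bytes egress_bytes
  status=${1:-Unknown}; in_bytes=$(as_int "${2:-}"); out_bytes=$(as_int "${3:-}")
  if [ "$status" != "Connected" ]; then
    echo "status is $status, not Connected: re-check PSK, IKE version and the IPsec/IKE policy on both sides"; return 1
  fi
  if [ "$in_bytes" -le 0 ]; then
    echo "Connected but no Data in: nothing has arrived through the tunnel yet"; return 1
  fi
  if [ "$out_bytes" -le 0 ]; then
    echo "Connected but no Data out: nothing has been sent through the tunnel yet"; return 1
  fi
  echo "healthy: Connected, Data in=$in_bytes bytes, Data out=$out_bytes bytes"
}

# Status and both counters as one tab-separated line.
read_connection() {
  az network vpn-connection show -g "$RG" -n "$CONN" \
    --query '[connectionStatus, ingressBytesTransferred, egressBytesTransferred]' -o tsv
}

# Poll until healthy or until the attempts run out (default 20 attempts, 15 s apart).
wait_for_connection() {
  attempts=${1:-20}; interval=${2:-15}
  while [ "$attempts" -gt 0 ]; do
    line=$(read_connection) || return 1
    set -- $line
    if tunnel_healthy "$@"; then return 0; fi
    attempts=$((attempts - 1)); sleep "$interval"
  done
  return 1
}

# Only poll when asked to (needs az login); otherwise just define the functions.
if [ "${RUN_AZURE:-0}" = "1" ]; then wait_for_connection; fi
```

`tunnel_healthy` separates the two failure classes a practitioner meets here: a status other than Connected means IKE/IPsec negotiation has not completed, which almost always traces back to a mismatch between the Azure custom policy and the Harmony Advanced Settings; Connected with zero counters means the SA is up but no traffic has crossed it yet, so generate traffic from a device on the Harmony SASE network before treating it as a fault.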