Alibaba Cloud
Prerequisites
- An active Harmony SASE Administrator Portal account and network.
- The Harmony SASE Agent installed on your devices.
- An administrator account in the Firewall/Router/Cloud Management Portal (here, the Alibaba Cloud console).
Step 1 - Configurations in Alibaba Cloud
Setting Up a Tunnel
- Access the VPC console.
- In the navigation pane on the left, click VPN > IPsec Connections.
- Select a region.
- On the IPsec Connections page, click Create IPsec Connection.
- On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information:
    - Name - Name of the IPsec-VPN connection.
    - VPN Gateway - Select the VPN Gateway to connect. If there are no gateways, create a new gateway.
    - Customer Gateway - Select the customer gateway to connect. If none exists, create one for the Harmony SASE gateway public IP address.
    - Local Network - CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
    - Remote Network - CIDR block of the on-premises data center (here, the Harmony SASE network) to be connected with the VPC. This parameter is used for phase two negotiation (if you do not select a specific subnet). The Harmony SASE default value is 10.255.0.0/16.
    - Effective Immediately - Yes.
    - Advanced Configuration - IKE Configurations:
        - Pre-Shared Key - Pre-shared key used for authentication between the VPN Gateway and the customer gateway. By default, it is an automatically generated value, but you can also specify your own. The same key must be entered on the Harmony SASE side.
        - Version - IKEv1
        - Negotiation Mode - Main mode
        - Encryption Algorithm - aes256
        - Authentication Algorithm - sha1
        - DH Group - group2
        - SA Life Cycle (seconds) - SA lifecycle for phase one negotiation. The default value is 86,400 seconds.
        - LocalId - Local VPN Gateway public IP address
        - RemoteId - Harmony SASE gateway public IP address
    - Advanced Configuration - IPSec Configurations:
        - Encryption Algorithm - aes256
        - Authentication Algorithm - sha1
        - DH Group - group2
        - SA Life Cycle (seconds) - SA lifecycle for phase two negotiation. The default value is 86,400 seconds.
    - Health Check - Optional
- Click OK.

Note: The IKE and IPsec settings above (version, mode, encryption, authentication, DH group and pre-shared key) must match the values entered later in the Harmony SASE Administrator Portal exactly, or phase one or phase two negotiation fails; the SA lifecycles should match as well so that both sides rekey on the same timer. IKEv1 with SHA-1 and DH group2 (1024-bit MODP) are legacy choices kept here for interoperability. Where both gateways offer stronger options, prefer them, and change them on both sides together.
Setting Access Rules in Alibaba Security Groups
- Access the VPC console and go to the security group associated with your server.
- Add an Allow rule with 10.255.0.0/16 as the source, limited to the ports you actually need to reach from the Harmony SASE network.
Setting Routes in Alibaba Cloud
- Access the VPC console and go to your VPN.
- Click Route Tables.
- Add a route for 10.255.0.0/16 in the System route table or in your custom route table.
Step 2 - Creating the Tunnel in the Harmony SASE Administrator Portal
- Access the Harmony SASE Administrator Portal and click Networks.
- Click the network where you want to create the tunnel.
- In the required gateway, open the gateway menu and click Add Tunnel.
- Click IPSec Site-2-Site Tunnel and click Continue.
- Click Single Tunnel and click Continue. The IPSec Site-2-Site Tunnel window appears.
- In the General Settings section, enter these:
    - Name - Name of the tunnel.
    - Shared Secret - The pre-shared key you set in the VPC console.
    - Public IP and Remote ID - The Alibaba VPN Gateway public IP address (the LocalId you set in the VPC console).
    - Perimeter 81 Gateway Proposal Subnets - Select Any or Specific Subnet. This is the Remote Network you set in the VPC console (10.255.0.0/16 by default).
    - Remote Gateway Proposal Subnets - Enter your VPC subnet(s), that is, the Local Network you set in the VPC console.
- In the Advanced Settings section, enter the values for your tunnel type. For Alibaba Cloud use the "Other tunnel types" row; the other cloud vendors are listed for reference:

| Cloud Vendor | Tunnel type | IKE Version | IKE Lifetime | Tunnel Lifetime | DPD Delay | DPD Timeout | Encryption (Phase 1) | Encryption (Phase 2) | Integrity (Phase 1) | Integrity (Phase 2) | DH Group (Phase 1) | DH Group (Phase 2) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Amazon AWS | Single Tunnel - AWS Virtual Gateway | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Amazon AWS | Single Tunnel - AWS Transit Gateway | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Amazon AWS | Redundant Tunnels - AWS Virtual Private Gateway | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Amazon AWS | Redundant Tunnels - AWS Transit Gateway | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Google Cloud Platform | Single Tunnel (1) | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Google Cloud Platform | Redundant Tunnels | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha512 | sha512 | 21 | 21 |
| Microsoft Azure | Single Tunnel - Azure Virtual Network Gateway | V2 | 3600s | 27000s | 10s | 45s | aes256 | aes256 | sha1 | sha1 | 2 | 2 |
| Microsoft Azure | Redundant Tunnels - Virtual Network Gateway | V2 | 9h | 9h | 10s | 30s | aes256 | aes256 | sha1 | sha1 | 2 | 2 |
| Microsoft Azure | Redundant Tunnels - Virtual WAN | V2 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha256 | sha256 | 14 | 14 |
| Other tunnel types | Alibaba Cloud | V1 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha1 | sha1 | 2 | 2 |
| Other tunnel types | IBM Cloud | V1 | 8h | 1h | 10s | 30s | aes256 | aes256 | sha256 | sha256 | 21 | 21 |

(1) Suggested values. For other supported ciphers, see this Google article.

DPD is Dead Peer Detection. The IKE Lifetime and Tunnel Lifetime here (8h and 1h) differ from the 86,400-second SA Life Cycle defaults on the Alibaba side; set the Alibaba values to 28,800 and 3,600 seconds, or enter the Alibaba values here, so that both phases rekey on the same timer.
- Click Add Tunnel.
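Most failed site-to-site tunnels come down to one field on one side not mirroring the other: a LocalId that is not the peer's RemoteId, a phase-two selector that does not cover the peer's network, a DH group written as "group2" on one console and "2" on the other. The following script, added here as an example and not Check Point or Alibaba code, takes the values Step 1 and Step 2 tell you to enter and cross-checks them before you click Add Tunnel. The two dictionaries are constructed sample input (TEST-NET addresses and a placeholder key), their key names are the script's own rather than console or API field names, and the VPC CIDR 172.16.0.0/16 is assumed.

```python
"""Cross-check an Alibaba Cloud IPsec connection against the Harmony SASE
tunnel form.  Added example, not vendor code.  Dicts below are constructed
from the values this page tells you to enter; key names are this script's own."""
import ipaddress
import re

# Constructed sample: the Alibaba "Create IPsec Connection" form, with its defaults.
ALIBABA = {
    "ike_version": "ikev1", "ike_mode": "main",
    "ike_enc": "aes256", "ike_auth": "sha1", "ike_pfs": "group2",
    "ike_lifetime": 86400,                      # Alibaba default, seconds
    "ipsec_enc": "aes256", "ipsec_auth": "sha1", "ipsec_pfs": "group2",
    "ipsec_lifetime": 86400,                    # Alibaba default, seconds
    "psk": "example-psk-change-me",             # placeholder only
    "local_id": "203.0.113.10",                 # VPN Gateway public IP (TEST-NET-3)
    "remote_id": "198.51.100.20",               # Harmony gateway public IP (TEST-NET-2)
    "local_network": "172.16.0.0/16",           # VPC CIDR (assumed)
    "remote_network": "10.255.0.0/16",          # Harmony SASE default
}
# Constructed sample: the Harmony "IPSec Site-2-Site Tunnel" form, Alibaba row.
HARMONY = {
    "ike_version": "V1", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
    "enc_p1": "aes256", "enc_p2": "aes256", "integ_p1": "sha1", "integ_p2": "sha1",
    "dh_p1": "2", "dh_p2": "2",
    "shared_secret": "example-psk-change-me",
    "public_ip": "203.0.113.10", "remote_id": "203.0.113.10",
    "gateway_ip": "198.51.100.20",              # this Harmony gateway's own public IP
    "gateway_proposal_subnets": ["10.255.0.0/16"],   # "Any" is also accepted
    "remote_proposal_subnets": ["172.16.0.0/16"],
}
LEGACY = {"v1", "sha1", "group2"}   # interoperable, but worth a warning

def seconds(value):
    """Accept 28800, '28800', '28800s', '8h' or '45m' and return whole seconds."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", value)
    if not m:
        raise ValueError(f"unparseable lifetime {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def dh_group(value):
    """'group2', 'Group14', 2 and '21' all become an int."""
    return int(re.sub(r"(?i)^group", "", str(value).strip()))

def ike_version(value):
    """'IKEv1', 'ikev2', 'V1' become 'v1' / 'v2'."""
    return re.sub(r"^ike", "", value.strip().lower())

def covered(cidrs, by):
    """True if every CIDR in `cidrs` lies inside some CIDR in `by`; 'Any' covers all."""
    if any(b.strip().lower() == "any" for b in by):
        return True
    nets = [ipaddress.ip_network(b) for b in by]
    return all(any(ipaddress.ip_network(c).subnet_of(n) for n in nets) for c in cidrs)

def check_tunnel(ali, har):
    """Return (errors, warnings). Errors stop phase 1 or 2 from coming up;
    warnings are lifetime mismatches and legacy algorithm choices."""
    errors, warnings = [], []
    def must(cond, msg):
        if not cond:
            errors.append(msg)
    # Proposals must match exactly on both sides.
    must(ike_version(ali["ike_version"]) == ike_version(har["ike_version"]), "IKE version differs")
    must(ali["ike_enc"] == har["enc_p1"], "phase 1 encryption differs")
    must(ali["ipsec_enc"] == har["enc_p2"], "phase 2 encryption differs")
    must(ali["ike_auth"] == har["integ_p1"], "phase 1 integrity differs")
    must(ali["ipsec_auth"] == har["integ_p2"], "phase 2 integrity differs")
    must(dh_group(ali["ike_pfs"]) == dh_group(har["dh_p1"]), "phase 1 DH group differs")
    must(dh_group(ali["ipsec_pfs"]) == dh_group(har["dh_p2"]), "phase 2 DH group differs")
    must(ali["psk"] == har["shared_secret"], "pre-shared key differs")
    # Identities are mirrored: Alibaba LocalId is Harmony's "Public IP and Remote ID",
    # Alibaba RemoteId is the Harmony gateway's own public IP.
    must(ali["local_id"] == har["public_ip"] == har["remote_id"],
         "Alibaba LocalId must equal the Harmony Public IP / Remote ID")
    must(ali["remote_id"] == har["gateway_ip"], "Alibaba RemoteId must be the Harmony gateway public IP")
    # Selectors are mirrored too: Alibaba Remote Network is what Harmony proposes,
    # Alibaba Local Network is what Harmony expects from the remote gateway.
    must(covered([ali["remote_network"]], har["gateway_proposal_subnets"]),
         "Alibaba Remote Network is not covered by the Harmony gateway proposal subnets")
    must(covered([ali["local_network"]], har["remote_proposal_subnets"]),
         "Alibaba Local Network is missing from Harmony Remote Gateway Proposal Subnets")
    # Lifetimes: a mismatch usually still negotiates, but rekeys follow the shorter timer.
    for label, a, h in (("IKE", ali["ike_lifetime"], har["ike_lifetime"]),
                        ("IPsec", ali["ipsec_lifetime"], har["tunnel_lifetime"])):
        if seconds(a) != seconds(h):
            warnings.append(f"{label} lifetime {seconds(a)}s on Alibaba vs {seconds(h)}s on Harmony")
    # Legacy choices: IKEv1, SHA-1 integrity, 1024-bit DH group 2.
    for alg in (ike_version(ali["ike_version"]), ali["ike_auth"], ali["ike_pfs"],
                ali["ipsec_auth"], ali["ipsec_pfs"]):
        if alg.lower() in LEGACY:
            warnings.append(f"{alg} is a legacy choice; pick a stronger option if both gateways offer one")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_tunnel(ALIBABA, HARMONY)
    print("errors:", errs or "none")
    for w in warns:
        print("warning:", w)
```

Run as-is, the sample passes every hard check and prints warnings only: the two lifetime mismatches caused by leaving the Alibaba 86,400-second defaults in place, and one warning per legacy algorithm. Change the shared secret or the Remote Network on one side and the corresponding error names the field to fix.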