Introduction
This guide will walk you through the process of establishing a Site-to-Site VPN tunnel between your Harmony SASE network and your Alibaba Cloud environment.
Breakdown of topics
- Pre-requisites
- Configuration Steps
- Verifying the Setup
- Troubleshooting
- Support Contacts
Pre-requisites
To successfully follow this guide, you should have:
- An active Harmony SASE account and network.
- The Harmony SASE app installed on your devices.
- An active Alibaba Cloud account with admin permissions.
Configuration Steps
Setting a tunnel on Alibaba Cloud
- Log in to the VPC console.
- In the Management Platform on the left side, choose VPN > IPsec Connections.
- Select a region.
- On the IPsec Connections page, select Create IPsec Connection.
- On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information, and select OK.
Name: Enter the name of the IPsec-VPN connection.
VPN Gateway: Select the VPN Gateway to connect. If none exists, create a new one.
Customer Gateway: Select the customer gateway to connect. If none exists, create a new one using the P81 gateway public IP.
Local Network: Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
Remote Network: Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation. If you did not select a specific subnet on the P81 side, use the P81 default, 10.255.0.0/16.
Effective Immediately: Choose Yes.
Advanced Configuration: IKE Configurations.
- Pre-Shared Key: Enter the pre-shared key used to authenticate the VPN Gateway and the customer gateway. By default, an automatically generated value is used, but you can also specify your own. The same key must be configured on the P81 side.
- Version: IKEv1
- Negotiation Mode: Main mode
- Encryption Algorithm: aes256
- Authentication Algorithm: sha1
- DH Group: group2
- SA Life Cycle (seconds): Set the SA lifecycle for phase one negotiation. The default value is 86,400 seconds.
- LocalId: Local VPN Gateway public IP address
- RemoteId: P81 gateway public IP address
Advanced Configuration: IPSec Configurations
- Encryption Algorithm: aes256
- Authentication Algorithm: sha1
- DH Group: group2
- SA Life Cycle (seconds): Set the SA lifecycle for phase two negotiation. The default value is 86,400 seconds.
Health Check - Optional
Setting access rules in Alibaba security groups
- Go to your security group that is associated with your server.
- Add an Allow rule for the 10.255.0.0/16 object on the desired ports.
Setting routes in Alibaba cloud
- Go to your VPN.
- Select Route Tables.
- Add the following route to the system route table or to your custom route table: 10.255.0.0/16, with the VPN Gateway you created for P81 as the next hop.
Harmony SASE setting
- Go to the Gateway in your network from which you want to create the tunnel to Alibaba Cloud.
- Select the three-dot menu (...) and select Add Tunnel.
Name: Set the name for the tunnel.
Shared Secret: Enter the same shared secret you set in Alibaba Cloud.
Public IP and Remote ID: Enter the Alibaba VPN Gateway public IP address.
In Harmony SASE Gateway Proposal Subnets, select Any or Specific Subnet.
In Remote Gateway Proposal Subnets, enter your Alibaba Cloud subnet(s).
Advanced Settings:
- IKE Version: V1
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 30s
- Encryption (Phase 1): aes256
- Encryption (Phase 2): aes256
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 2
- Diffie-Hellman Groups (Phase 2): 2
Select Add Tunnel.
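Most tunnel failures in this kind of setup come from a parameter that was typed differently on the two consoles. The following is an added example, not Check Point or Alibaba code: it models the Alibaba IPsec connection settings and the Harmony SASE tunnel settings from the steps above as two Python dictionaries and reports every value that does not line up. The dictionary keys, the placeholder IP addresses (203.0.113.10 for the Alibaba VPN Gateway, 198.51.100.20 for the P81 gateway), the VPC CIDR 172.16.0.0/16 and the shared secret are constructed for the example, and the normalisation of vendor labels (Alibaba's "group2" against Harmony's "2", Harmony's "8h" against Alibaba's seconds) is an assumption about how each console names the same setting.

```python
import re
from ipaddress import ip_network

# Constructed sample configurations mirroring the values in this guide.
# IP addresses are documentation placeholders (RFC 5737), not real gateways.
ALIBABA_SIDE = {
    "ike": {"version": "IKEv1", "encryption": "aes256", "authentication": "sha1",
            "dh_group": "group2", "lifetime": 86400},
    "ipsec": {"encryption": "aes256", "authentication": "sha1",
              "dh_group": "group2", "lifetime": 86400},
    "local_id": "203.0.113.10",          # Alibaba VPN Gateway public IP
    "remote_id": "198.51.100.20",        # P81 / Harmony SASE gateway public IP
    "local_network": "172.16.0.0/16",    # VPC CIDR block
    "remote_network": "10.255.0.0/16",   # P81 default network
    "psk": "example-shared-secret",
}

HARMONY_SIDE = {
    "shared_secret": "example-shared-secret",
    "public_ip": "203.0.113.10",           # Alibaba VPN Gateway public IP
    "remote_id": "203.0.113.10",
    "gateway_public_ip": "198.51.100.20",  # this Harmony SASE gateway's own IP
    "local_subnets": ["10.255.0.0/16"],    # Gateway Proposal Subnets, or "Any"
    "remote_subnets": ["172.16.0.0/16"],   # Remote Gateway Proposal Subnets
    "ike_version": "V1", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
    "encryption_p1": "aes256", "encryption_p2": "aes256",
    "integrity_p1": "sha1", "integrity_p2": "sha1",
    "dh_p1": 2, "dh_p2": 2,
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Normalise a lifetime: '8h' -> 28800, '30s' -> 30, 86400 -> 86400."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", str(value).lower())
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def _number(value, what):
    """Extract the numeric part of labels such as 'group2', 'IKEv1', 'V1' or 2."""
    m = re.search(r"(\d+)", str(value))
    if not m:
        raise ValueError(f"unrecognised {what}: {value!r}")
    return int(m.group(1))


def _alg(value):
    return str(value).strip().lower().replace("-", "")


def _covered(cidr, subnets):
    """True if the CIDR is in the peer's proposal list, or the list is 'Any'."""
    if subnets == "Any":
        return True
    return ip_network(cidr) in {ip_network(s) for s in subnets}


def compare(alibaba, harmony):
    """Return [(severity, message)] where severity is 'error' or 'warning'."""
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warning", msg))

    if alibaba["psk"] != harmony["shared_secret"]:
        err("pre-shared key differs between the two sides")
    if _number(alibaba["ike"]["version"], "IKE version") != _number(harmony["ike_version"], "IKE version"):
        err("IKE version differs")

    # Algorithms and DH groups must be identical for each phase.
    dh = lambda v: _number(v, "DH group")  # noqa: E731
    checks = [
        ("Phase 1 encryption", _alg, alibaba["ike"]["encryption"], harmony["encryption_p1"]),
        ("Phase 1 integrity", _alg, alibaba["ike"]["authentication"], harmony["integrity_p1"]),
        ("Phase 2 encryption", _alg, alibaba["ipsec"]["encryption"], harmony["encryption_p2"]),
        ("Phase 2 integrity", _alg, alibaba["ipsec"]["authentication"], harmony["integrity_p2"]),
        ("Phase 1 DH group", dh, alibaba["ike"]["dh_group"], harmony["dh_p1"]),
        ("Phase 2 DH group", dh, alibaba["ipsec"]["dh_group"], harmony["dh_p2"]),
    ]
    for label, norm, a, h in checks:
        if norm(a) != norm(h):
            err(f"{label}: Alibaba={a!r} Harmony={h!r}")

    # Lifetimes are negotiated, so a difference is flagged for review, not as a failure.
    for label, a, h in [
        ("Phase 1 lifetime", alibaba["ike"]["lifetime"], harmony["ike_lifetime"]),
        ("Phase 2 lifetime", alibaba["ipsec"]["lifetime"], harmony["tunnel_lifetime"]),
    ]:
        sa, sh = to_seconds(a), to_seconds(h)
        if sa != sh:
            warn(f"{label}: Alibaba={sa}s Harmony={sh}s; many peers rekey at the shorter value, confirm both accept it")

    # Identities and traffic selectors are mirrored: one side's local is the other's remote.
    if alibaba["local_id"] != harmony["remote_id"] or alibaba["local_id"] != harmony["public_ip"]:
        err("Alibaba LocalId must equal the Public IP / Remote ID entered on the Harmony tunnel")
    if alibaba["remote_id"] != harmony["gateway_public_ip"]:
        err("Alibaba RemoteId must be the Harmony SASE gateway public IP")
    if not _covered(alibaba["local_network"], harmony["remote_subnets"]):
        err("Alibaba Local Network (VPC CIDR) is missing from Remote Gateway Proposal Subnets")
    if not _covered(alibaba["remote_network"], harmony["local_subnets"]):
        err("Alibaba Remote Network does not match the Harmony Gateway Proposal Subnets")
    return findings


if __name__ == "__main__":
    for severity, message in compare(ALIBABA_SIDE, HARMONY_SIDE):
        print(f"[{severity}] {message}")
```

Run as written, the two sample sides agree on every algorithm, group, identity and subnet, and the only output is two warnings: the guide's Alibaba defaults of 86,400 seconds against the Harmony values of 8h (28,800 s) and 1h (3,600 s). Change one value on either side, for example a different DH group for phase 2 or a mistyped shared secret, and it is reported as an error, which is the kind of mismatch the Troubleshooting section asks you to look for.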
Verifying the Setup
After following the above steps, your tunnel should be active.
To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
It should indicate that the tunnel is "Up", signifying a successful connection.
Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.
Troubleshooting
If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
Support Contacts
If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.