GCP Redundant Tunnels
  • 29 Apr 2024

      Introduction

      In this guide, you'll learn how to set up redundant tunnels between your Harmony SASE network and Google Cloud Platform (GCP).

      Implementing redundancy ensures consistent connectivity, minimizes potential downtime, and maintains secure access to your cloud resources at all times.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts

      Pre-requisites

      To successfully follow this guide, you should have:

      1. An active Harmony SASE account and network.
      2. The Harmony SASE app installed on your devices.
      3. An active GCP account with admin permissions.

      Configuration Steps

      Create Harmony SASE Gateways

      1. Your Harmony SASE network needs at least two gateways in the same network, as listed below.
      Important notes
      • These gateways can be deployed in two separate regions for comprehensive ISP redundancy.
      • The network can be scaled up later; adding another region should not affect the connection.

      Configuring a VPN Gateway in GCP

      You will need to create a VPN gateway in your Google Cloud Platform project, configure a GCP Cloud Router, and add a High Availability tunnel pair matching the Harmony SASE gateways above.

      1. In your GCP portal, under Network Connectivity, click VPN.
      2. Click Cloud VPN Gateways -> Create VPN Gateway.
      3. Configure the VPN gateway and click Create.
        • Name: Choose a name that represents the Harmony SASE gateway you are connecting to.
        • Network: Select the GCP network you would like to reach remotely via Harmony SASE.
        • Region: Make sure you select the region where your resources are.
      4. Two interfaces are created (Interface 0 / Interface 1).
        • Click "Add VPN Tunnel".

      Add a redundant VPN tunnel in GCP

      1. Peer VPN gateway: Select On-prem or Non-Google Cloud.
      2. Click the drop-down menu next to "Peer VPN gateway name" and select "Create new peer VPN Gateway".
        • Name the peer VPN gateway: this represents the Harmony SASE side of the setup.
        • Under "Peer VPN gateway interfaces", select "two interfaces".
        • Under Interface 0 IP address, paste the first Harmony SASE gateway IP.
        • Under Interface 1 IP address, paste the second Harmony SASE gateway IP.
        • Click "Create".
      3. Under High availability, make sure "Create a pair of VPN tunnels" is selected.
      4. Under "Routing options", click the "Cloud Router" drop-down menu and select "Create a new router".
        • Name your Cloud Router. This component in GCP will manage your BGP sessions and routes.
        • Set "Google ASN" to 65111 (this can be any value; make a note of it, as it will be entered on the Harmony SASE side later).
        • Optional: complete the following steps only if you have a peered VPC you need to reach through the tunnel:
          • Under "Advertised routes", select Create custom routes.
          • Select Advertise all subnets visible to the Cloud Router.
          • Under "Custom ranges", click ADD CUSTOM ROUTE.
          • Under "New custom route", enter the network CIDR of the peered VPC and click DONE.
          • Repeat the last two steps for each range you need to route through the tunnel.
        • Click Create.
      5. Under VPN tunnel, select the first VPN tunnel and name it according to the gateway you created on Harmony SASE.
        • Under IKE pre-shared key, click Generate and copy the IKE pre-shared key.
        • Special characters other than dots "." and underscores "_" are not permitted in this field and should be removed.
      6. Select the second VPN tunnel and name it according to the secondary gateway on Harmony SASE.
        • Under IKE pre-shared key, paste the IKE pre-shared key you copied before.
        • Note: We will use this IKE pre-shared key later to establish the handshake between the sites.
        • Click Done.
      7. Click "Create and continue".

      Configure BGP routes

      1. Click Configure next to the relevant tunnel.
      2. Set BGP routes for Tunnel 1 according to the image below and click Save and Continue.
        • Peer ASN is set to 65000 and represents the Harmony SASE side of the BGP session.
        • For Cloud Router BGP IP and BGP Peer IP, select a unique link-local address pair.
      3. Set BGP routes for Tunnel 2 according to the image below and click Save and Continue:
        • Make sure that the Cloud Router BGP IP and BGP Peer IP use a different link-local address pair than Tunnel 1.
        • The Peer ASN is the same 65000, since it represents the Harmony SASE side of the BGP session.
      4. Click Save BGP Configuration.
      5. Wait until the operation completes. Each tunnel will then show "waiting for peer" until the Harmony SASE setup is complete.
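      The GCP-side procedure above (HA VPN gateway, peer gateway with two interfaces, Cloud Router with Google ASN 65111, the tunnel pair, the optional custom advertised route, and the two BGP sessions with peer ASN 65000), as an added gcloud example. This script is not part of this article and is not Harmony SASE or Google code. Project, region, network, resource names, the two Harmony SASE gateway IPs and the link-local BGP addresses are assumptions; only the two ASNs and the pre-shared-key character rule come from the article. With DRY_RUN=1 it prints the commands instead of running them, and it refuses to proceed if the pre-shared key contains characters the GCP field rejects or if the two BGP sessions share a /30.

```shell
#!/bin/sh
# Added example (not from the article): gcloud equivalent of the GCP-side steps.
PROJECT="${PROJECT:-example-project}"   # assumption: your GCP project id
REGION="${REGION:-us-central1}"         # assumption: region of the resources
NETWORK="${NETWORK:-prod-vpc}"          # assumption: VPC reachable through the tunnel
HA_GW="sase-ha-vpn-gw"                  # assumption: Cloud VPN gateway name (two interfaces)
PEER_GW="sase-peer-gw"                  # assumption: peer gateway = the two Harmony SASE gateways
ROUTER="sase-cloud-router"              # assumption: Cloud Router name
GOOGLE_ASN=65111                        # from the article
PEER_ASN=65000                          # from the article (Harmony SASE side)
SASE_GW_IP_0="${SASE_GW_IP_0:-198.51.100.10}"  # placeholder: first Harmony SASE gateway IP
SASE_GW_IP_1="${SASE_GW_IP_1:-203.0.113.20}"   # placeholder: second Harmony SASE gateway IP
PSK="${PSK:-}"                                  # the IKE pre-shared key generated in the console

# Link-local /30 pair per BGP session (assumption); the two pairs must differ.
CR_IP_0=169.254.0.1; PEER_IP_0=169.254.0.2
CR_IP_1=169.254.1.1; PEER_IP_1=169.254.1.2

# The PSK field accepts letters, digits, "." and "_" only (article's rule).
psk_is_valid() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9._]*) return 1 ;;
    *) return 0 ;;
  esac
}

# /30 network containing an IPv4 address, e.g. 169.254.1.5 -> 169.254.1.4
net30() { printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%d", $1, $2, $3, int($4 / 4) * 4 }'; }

# Each session's two addresses share a /30; the two sessions use different /30s.
bgp_addressing_ok() {  # args: cr0 peer0 cr1 peer1
  [ "$(net30 "$1")" = "$(net30 "$2")" ] && [ "$(net30 "$3")" = "$(net30 "$4")" ] \
    && [ "$(net30 "$1")" != "$(net30 "$3")" ]
}

# DRY_RUN=1 prints each gcloud command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_gateways_and_router() {
  run gcloud compute vpn-gateways create "$HA_GW" --project="$PROJECT" --network="$NETWORK" --region="$REGION"
  run gcloud compute external-vpn-gateways create "$PEER_GW" --project="$PROJECT" \
    --interfaces="0=$SASE_GW_IP_0,1=$SASE_GW_IP_1"
  run gcloud compute routers create "$ROUTER" --project="$PROJECT" --network="$NETWORK" \
    --region="$REGION" --asn="$GOOGLE_ASN"
}

# Optional step for a peered VPC: advertise all subnets plus one custom range ($1 = CIDR).
advertise_peered_vpc() {
  run gcloud compute routers update "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --advertisement-mode=CUSTOM --set-advertisement-groups=ALL_SUBNETS --set-advertisement-ranges="$1"
}

# $1 = tunnel index (0 or 1): HA gateway interface N pairs with peer gateway interface N.
create_tunnel_with_bgp() {
  idx="$1"
  eval "cr_ip=\$CR_IP_$idx; peer_ip=\$PEER_IP_$idx"
  run gcloud compute vpn-tunnels create "sase-tunnel-$idx" --project="$PROJECT" --region="$REGION" \
    --vpn-gateway="$HA_GW" --interface="$idx" \
    --peer-external-gateway="$PEER_GW" --peer-external-gateway-interface="$idx" \
    --router="$ROUTER" --ike-version=2 --shared-secret="$PSK"
  run gcloud compute routers add-interface "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --interface-name="if-sase-tunnel-$idx" --vpn-tunnel="sase-tunnel-$idx" \
    --ip-address="$cr_ip" --mask-length=30
  run gcloud compute routers add-bgp-peer "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --peer-name="bgp-sase-$idx" --interface="if-sase-tunnel-$idx" \
    --peer-ip-address="$peer_ip" --peer-asn="$PEER_ASN"
}

setup_ha_vpn() {
  psk_is_valid "$PSK" || { echo "PSK is empty or contains characters the GCP field rejects" >&2; return 1; }
  bgp_addressing_ok "$CR_IP_0" "$PEER_IP_0" "$CR_IP_1" "$PEER_IP_1" \
    || { echo "BGP link-local addressing is inconsistent or overlaps between tunnels" >&2; return 1; }
  create_gateways_and_router
  create_tunnel_with_bgp 0
  create_tunnel_with_bgp 1
}

# Only acts when asked: `DRY_RUN=1 PSK=your.key sh gcp_ha_vpn.sh apply` previews the commands.
case "${1:-}" in apply) setup_ha_vpn ;; esac
```

      Preview with DRY_RUN=1 first and compare the printed flags against what you entered in the console; the two `--peer-asn=65000` sessions on distinct /30s are what gives the Cloud Router a second path when one Harmony SASE gateway is down.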

      Creating the High Availability Harmony SASE Tunnel

      1. In your Harmony SASE Admin console, navigate to your network.
      2. Click "..." next to one of the gateways and select Add Tunnel.
      3. Choose IPSEC Site-2-Site Tunnel > Continue.
      4. Select Redundant Tunnels > Continue.
      5. Choose a logical name for your tunnel that is longer than 4 characters.
        • For example, "GCPtunnel".
      6. In your GCP portal, under Network Connectivity > VPN, copy the values for Tunnel 1 and Tunnel 2 and paste them according to the image below. ASN should be 65111 for both tunnels.
        (Images: Tunnel 1 example and Tunnel 2 example)
      7. Under Shared Settings:
        • AS Number is set to 65000 and represents the Harmony SASE side of the BGP session.
        • Warning: The Harmony SASE AS Number cannot be edited after the tunnel's creation.
      8. Under Advanced Settings:
      9. Click Add Tunnel and wait until the tunnel deployment is complete to add routes.
      10. Select "..." next to your network and then Routes Table.
      11. Once the routes have been added, be sure to select "Apply Configuration" and allow the route changes to propagate on the Harmony SASE side.

      Verifying the Setup

      Once both sides have completed the handshake, the BGP sessions should come up on GCP:

      1. Navigate back to your GCP portal under Network Connectivity > VPN, and review the BGP Connection status:
        Both VPN tunnel Status and BGP Established should show a green checkmark.

      After following the above steps, your tunnel should be active.
      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.
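      The verification step above, as an added shell example that is not part of this article and is not Harmony SASE or Google code. It checks the property that matters for a redundant setup: both tunnels ESTABLISHED and both BGP sessions UP, not merely one of each, since a pair with one side down still passes traffic but has silently lost its redundancy. The checker functions take the status text on stdin or as an argument, so the sample input in the test is constructed; the gcloud output shapes assumed in `check_live` (CSV "name,status" rows for tunnels, a ";"-joined list of peer states from the router status) and ROUTER/REGION are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): confirm both tunnels and both BGP sessions are up.
ROUTER="${ROUTER:-sase-cloud-router}"   # assumption
REGION="${REGION:-us-central1}"         # assumption

# Reads "name,status" lines on stdin; succeeds only if at least two resources are
# listed and every one has the required status ($1, e.g. ESTABLISHED).
all_lines_have_status() {
  want="$1"; n=0
  while IFS=, read -r name status; do
    [ -z "$name" ] && continue
    n=$((n + 1))
    if [ "$status" != "$want" ]; then
      echo "$name: $status (expected $want)" >&2
      return 1
    fi
  done
  [ "$n" -ge 2 ] || { echo "only $n resource(s) listed; redundancy needs two" >&2; return 1; }
}

# $1 = required status (e.g. UP), $2 = ';'-joined list of BGP peer states.
all_fields_are() {
  want="$1"; n=0
  old_ifs="$IFS"; IFS=';'
  set -- $2
  IFS="$old_ifs"
  for s in "$@"; do
    n=$((n + 1))
    [ "$s" = "$want" ] || { echo "BGP peer $n: $s (expected $want)" >&2; return 1; }
  done
  [ "$n" -ge 2 ] || { echo "only $n BGP peer(s); redundancy needs two" >&2; return 1; }
}

# Live check against GCP (assumed output shapes; run manually after the tunnels are built).
check_live() {
  gcloud compute vpn-tunnels list --filter="region:$REGION" \
      --format='csv[no-heading](name,status)' | all_lines_have_status ESTABLISHED \
  && all_fields_are UP "$(gcloud compute routers get-status "$ROUTER" --region="$REGION" \
      --format='value(result.bgpPeerStatus[].status)')"
}

# Only acts when asked: `sh verify_ha.sh live`
case "${1:-}" in live) check_live && echo "redundant tunnel pair is healthy" ;; esac
```

      If only one tunnel reports ESTABLISHED or one peer is DOWN, recheck the link-local pair and pre-shared key for that tunnel before assuming the setup is complete; the dashboard on the Harmony SASE side may still show the tunnel as "Up" through the surviving path.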

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
