Dynamic-IP Tunnels
  • 30 Jan 2024


      To establish a site-to-site tunnel (IPSec or WireGuard) between your Harmony SASE gateway and a firewall/router with a dynamic public IP address, you need to modify the tunnel creation process. Follow the instructions below.

      Important

      This option is not supported by cloud IaaS providers (such as AWS, GCP, or Azure).

      IPSec based connections

      1. When creating the tunnel in the Harmony SASE platform, fill in the General Settings section with the following information:
      • Name: Enter a name of your choice.
      • Shared Secret: Enter a string of at least 8 characters or use the Generate button. Make sure to copy and save it, as it'll be required when setting up the tunnel on your firewall/router management interface.
      • Public IP: Enter 0.0.0.0
      • Remote ID: Enter a string of your own choice. This parameter will serve as an additional shared secret, providing an extra level of security. Copy and save it, as it'll be used as the left ID (local ID or local identification) when setting up the tunnel on your firewall/router management interface.

        Important
        0.0.0.0 is NOT an acceptable value for the Remote ID.
      • Harmony SASE Gateway Proposal Subnet: Specify your Harmony SASE network subnet (do not choose any).
      • Remote Gateway Proposal Subnet: Specify your on-premises internal network subnet.
      2. In the Advanced Settings section, make sure to select IKEv2. The rest of the values remain the same as described in the designated guide.
      3. When setting up the tunnel in the firewall/router management interface, fill in the following information:
      • Local IP: Since you're using a dynamic IP, enter a default value (this will vary between different vendors).
      • Local Identification/Local ID/My identifier: Fill in the same value you set for Remote ID at the Harmony SASE platform.
      • Remote IP/Remote ID/Peer Identifier: Enter your Harmony SASE gateway IP address.
      • IKE Version: IKEv2
      4. Fill in the rest of the fields as described in the appropriate guide.
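
      The firewall/router side of the steps above, shown as an added example for a strongSwan-based router (not part of the original guide or of Harmony SASE's own documentation). Assumptions: strongSwan's legacy ipsec.conf/ipsec.secrets format, a Remote ID entered as a plain string that the peer sends as an FQDN-type ID, and constructed values for the ID, gateway IP and subnets.

```conf
# /etc/ipsec.conf on the on-premises router (the side with the dynamic public IP)
conn harmony-sase
    keyexchange=ikev2            # IKE Version: IKEv2
    authby=secret                # authenticate with the Shared Secret (PSK)
    left=%any                    # Local IP: no fixed address, use whatever is assigned
    leftid=@branch-office-01     # Local ID: same string as Remote ID in Harmony SASE (constructed)
    leftsubnet=192.168.10.0/24   # Remote Gateway Proposal Subnet: on-premises subnet (constructed)
    right=203.0.113.10           # Remote IP: Harmony SASE gateway address (placeholder)
    rightid=203.0.113.10         # Peer Identifier: Harmony SASE gateway address (placeholder)
    rightsubnet=10.200.0.0/16    # Harmony SASE Gateway Proposal Subnet (constructed)
    auto=start                   # bring the tunnel up from this side when the daemon starts
    # ike= and esp= proposals are not set here: take them from the designated guide

# /etc/ipsec.secrets on the same router
# <local ID> <remote ID> : PSK "<Shared Secret copied from the Harmony SASE platform>"
@branch-office-01 203.0.113.10 : PSK "REPLACE_WITH_SHARED_SECRET"
```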

      WireGuard based connections

      1. When creating the tunnel in the Harmony SASE platform, fill in the General Settings section with the following information:
      • Name: Enter a name of your choice.
      • Endpoint: Enter 0.0.0.0
      • Subnets: Enter your internal on-premises network's subnet.
      2. Follow the rest as described in the appropriate guide.
