Google Cloud Platform VPN

This guide demonstrates how to create a Google Cloud Platform (GCP) VPN and connect it to a VNS3 controller using route-based (VTI) IPSec. Both routing modes are covered: a route-based Classic VPN (static routing) and an HA VPN with BGP (dynamic routing).

This guide assumes that you already have a VNS3 controller running, to which the new GCP VPN will be connected. If you do not have a VNS3 instance set up and running, launch one now and review the Administration Guide to complete initialization.

For more information about IPSec in general, please review this article.

Creating a GCP Route-based VPN connection to VNS3 (static routing)

Create GCP static VPN resources

To create a route-based (static routing) VPN from GCP to VNS3, you will first need to bring up the following resources: a GCP Cloud VPN gateway, a peer gateway, and one or more VPN tunnels. Once these resources are created in GCP, you will create an IPSec endpoint and routes on your VNS3 controller to allow traffic through the tunnel.

From your GCP console on the left side navigation menu, navigate to Hybrid Connectivity > VPN. Click the “VPN Setup Wizard” near the top of the page and select “Classic VPN” > Continue.

  • Name the Gateway something unique
  • Specify the VPC network
  • Specify the Region (Cloud VPN gateways are regional, while the VPC network itself is global; pick the region of the subnets that will use the tunnel)
  • Create a new IP address and name it
  • Name the tunnel
  • The Remote Peer IP address is the public IP of the VNS3 controller (54.201.153.136 as seen in the image below)
  • IKE version: IKEv2
  • Define a PSK
  • Select “Route-based” as the Routing option
  • Enter the subnet/network CIDR(s) which are accessible through/behind the VNS3 device. Routes to these networks will be created automatically.
  • Create

Creating a Cloud VPN gateway and tunnels

Once the Google Cloud VPN is created, skip ahead to step 5, VNS3 Configuration, below.
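The same Classic VPN resources can be created from the command line. The following is an added example written for this guide, not Cohesive's or Google's own tooling: it creates the gateway, its address and the three forwarding rules Classic VPN needs (ESP, UDP/500, UDP/4500), a route-based tunnel with 0.0.0.0/0 traffic selectors, and one static route per CIDR behind VNS3, then polls until the tunnel reports ESTABLISHED. It also generates a random PSK rather than a typed one and rejects malformed CIDRs before they reach the API. The region, network, resource names and the remote CIDR are assumptions (override them with environment variables); the VNS3 public IP is the one used in the text.

```shell
#!/usr/bin/env sh
# Added example (not from the original guide): Classic route-based VPN via gcloud.
set -eu

REGION="${REGION:-us-west1}"                         # assumption
NETWORK="${NETWORK:-vns3-demo-vpc}"                  # assumption
GW_NAME="${GW_NAME:-vns3-classic-gw}"                # assumption
TUNNEL="${TUNNEL:-vns3-classic-tunnel}"              # assumption
VNS3_PUBLIC_IP="${VNS3_PUBLIC_IP:-54.201.153.136}"   # VNS3 public IP from the guide
# Networks reachable behind VNS3 (the wizard's "remote" CIDRs); assumed value
REMOTE_CIDRS="${REMOTE_CIDRS:-192.168.2.0/24}"

# 32 random bytes, base64 -> 44 characters. Printed once so it can be pasted
# into the VNS3 endpoint; never reuse a PSK across tunnels.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Accept only dotted-quad/prefix CIDRs so a typo such as 30.1.0./16 fails
# here instead of producing a confusing API error.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

create_classic_vpn() {
    psk="$(gen_psk)"
    gcloud compute target-vpn-gateways create "$GW_NAME" --network "$NETWORK" --region "$REGION"
    gcloud compute addresses create "$GW_NAME-ip" --region "$REGION"
    gw_ip="$(gcloud compute addresses describe "$GW_NAME-ip" --region "$REGION" --format='value(address)')"
    # Classic VPN needs three forwarding rules: ESP, IKE (UDP/500) and NAT-T (UDP/4500)
    gcloud compute forwarding-rules create "$GW_NAME-esp" --region "$REGION" \
        --ip-protocol ESP --address "$gw_ip" --target-vpn-gateway "$GW_NAME"
    gcloud compute forwarding-rules create "$GW_NAME-udp500" --region "$REGION" \
        --ip-protocol UDP --ports 500 --address "$gw_ip" --target-vpn-gateway "$GW_NAME"
    gcloud compute forwarding-rules create "$GW_NAME-udp4500" --region "$REGION" \
        --ip-protocol UDP --ports 4500 --address "$gw_ip" --target-vpn-gateway "$GW_NAME"
    # Route-based: 0.0.0.0/0 selectors on both sides; reachability comes from static routes
    gcloud compute vpn-tunnels create "$TUNNEL" --region "$REGION" \
        --target-vpn-gateway "$GW_NAME" --peer-address "$VNS3_PUBLIC_IP" \
        --ike-version 2 --shared-secret "$psk" \
        --local-traffic-selector 0.0.0.0/0 --remote-traffic-selector 0.0.0.0/0
    for cidr in $REMOTE_CIDRS; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
        gcloud compute routes create "$TUNNEL-$(printf '%s' "$cidr" | tr './' '--')" \
            --network "$NETWORK" --destination-range "$cidr" \
            --next-hop-vpn-tunnel "$TUNNEL" --next-hop-vpn-tunnel-region "$REGION"
    done
    echo "GCP gateway IP (use as the VNS3 Endpoint IP): $gw_ip"
    echo "PSK for the VNS3 endpoint: $psk"
}

# Cloud VPN reports ESTABLISHED once IKE and the child SA are up; give it a minute.
wait_for_tunnel() {
    status=""
    for _ in $(seq 1 12); do
        status="$(gcloud compute vpn-tunnels describe "$TUNNEL" --region "$REGION" --format='value(status)')"
        [ "$status" = "ESTABLISHED" ] && return 0
        sleep 5
    done
    echo "tunnel $TUNNEL not established, last status: $status" >&2
    return 1
}

if [ "${1:-}" = "create" ]; then
    create_classic_vpn
    wait_for_tunnel
fi
```

Run it as `sh classic-vpn.sh create` after `gcloud auth login` and `gcloud config set project`. If `wait_for_tunnel` times out while VNS3 is already configured, the usual cause is the cloud security group on the VNS3 side not admitting UDP/500 and UDP/4500 from the printed gateway IP.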

Creating a BGP HA VPN to VNS3 (Dynamic Routing)

An HA VPN with BGP provides high availability by bringing up two IPSec tunnels, one from each interface of the HA VPN gateway, to the single VNS3 controller. A BGP session runs inside each tunnel and continuously exchanges routes and keepalives, so if one tunnel goes down its routes are withdrawn and all traffic automatically moves to the healthy tunnel. For more information about BGP, please review: https://docs.cohesive.net/glossary/bgp/

To create a BGP connection, open up your GCP console. In the Navigation menu on the left of the screen, navigate to Hybrid Connectivity > VPN. Select the “VPN Setup Wizard” near the top of the page and follow the instructions provided.

1. Create Cloud HA VPN gateway

  • Select High-availability (HA) VPN and “Continue”
  • Name the Gateway something unique
  • Specify the VPC network
  • Specify the Region (the HA VPN gateway is regional; pick the region of the subnets that will use the tunnels)

Creating a Cloud HA VPN gateway

2. Adding BGP VPN tunnels

  • Select the “On-prem or Non Google Cloud” radio button
  • Create a new Peer customer gateway

Creating a peer VPN gateway

Select “Create a Cloud Router”

  • Name the Router
  • Specify a Google ASN (e.g. 65022). We recommend using an ASN above 65020, since the default ASNs that VNS3 topologies use for BGP peering are 65001, 65002, etc.

Creating a Google Cloud Router for the BGP connection

  • Name the connection
  • IKE version: IKEv2
  • Define a PSK

Creating Google Cloud tunnels for the BGP connection

  • Create and continue

3. Configure BGP Sessions

  • Select the blue Configure icon
  • Name the BGP session
  • Retrieve the VNS3 ASN from the VNS3 Web UI. It is shown at the bottom of the VNS3 IPSec page (the default ASN is 65001).
  • Define the Cloud Router BGP IP and the BGP Peer IP. Both must be 169.254.x.x link-local addresses in the same /30, and that /30 must not be reused by another BGP session on the router. Keep the BGP Peer IP handy, since it becomes the local VTI address on the VNS3 side.

Retrieve the VNS3 ASN number from the IPSec page

  • Specify the routes that will be advertised between the BGP peers.

If you would like to manually configure the routes that will be advertised between the BGP peers, select the “Create custom routes” radio button. Otherwise select “Use Cloud Router’s advertisements” as shown below.

Set up Google BGP sessions to VNS3

  • Save and Continue
  • Save BGP Configuration

This creates the first of the two BGP peers. The connection will not come up until the VNS3 side is configured (step 5 onward). In the following steps we will create the secondary BGP connection using the same HA VPN gateway, peer VPN gateway and Cloud Router created above. The only differences for the secondary connection are the names, the use of the gateway's second interface, and a second BGP session on a separate 169.254.x.x /30.

4. Creating the secondary BGP connection

The secondary connection carries traffic only if the primary connection fails.

  • From the GCP VPN console, go to the Cloud VPN Tunnels tab
  • Select Create VPN Tunnel
  • Select the HA VPN gateway that you created in step 1
  • Continue
  • Select the Peer VPN Gateway that you created in step 2
  • Select the Cloud Router that you created in step 2
  • In the Associated Cloud VPN gateway interface dropdown menu, select the second interface, "1:" (e.g. 1: 35.220.15.82)
  • Name accordingly
  • IKE version: IKEv2
  • Define a PSK
  • Create and Continue

Creating BGP tunnels for the secondary BGP connection

Creating the Secondary BGP Session

  • Once the VPN tunnel is created, select the blue Configure button
  • Name the BGP session accordingly (e.g. Secondary)
  • The Peer ASN is the same as before (65001)
  • Use the same 169.254.x.x addressing scheme as in step 3 but change the third octet, as shown in the picture below, so the secondary session gets its own /30

Set up a second Google BGP sessions to VNS3
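Steps 1 through 4 can also be scripted. The following is an added example written for this guide, not Cohesive's or Google's own tooling: it creates the HA VPN gateway, a peer gateway with a single interface for the VNS3 public IP, a Cloud Router with the Google ASN, and then, for each gateway interface, a tunnel, a Cloud Router interface and a BGP session. A small helper derives the Cloud Router BGP IP and the BGP Peer IP from a /30 and refuses anything outside 169.254.0.0/16 or not aligned to a /30, which are the two mistakes the console also rejects. The region, network and resource names are assumptions; the ASNs (65022 for Google, 65001 for VNS3) and the 169.254.3.x addressing follow the text, with 169.254.4.0/30 assumed for the secondary session.

```shell
#!/usr/bin/env sh
# Added example (not from the original guide): HA VPN + BGP via gcloud.
set -eu

REGION="${REGION:-us-west1}"                         # assumption
NETWORK="${NETWORK:-vns3-demo-vpc}"                  # assumption
HA_GW="${HA_GW:-vns3-ha-gw}"                         # assumption
PEER_GW="${PEER_GW:-vns3-peer-gw}"                   # assumption
ROUTER="${ROUTER:-vns3-cloud-router}"                # assumption
VNS3_PUBLIC_IP="${VNS3_PUBLIC_IP:-54.201.153.136}"   # VNS3 public IP from the guide
GOOGLE_ASN=65022                                     # Cloud Router ASN from the guide
VNS3_ASN=65001                                       # VNS3 default ASN from the guide
PRIMARY_LINK=169.254.3.0/30                          # matches the 169.254.3.1/30 VTI in the guide
SECONDARY_LINK=169.254.4.0/30                        # assumption: third octet changed for session 2

gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Given a link-local /30 network, print "<cloud_router_bgp_ip> <bgp_peer_ip>".
# VNS3 takes the first host (.1, its VTI address), the Cloud Router the second (.2).
link_addrs() {
    net="${1%/*}"; prefix="${1#*/}"
    [ "$prefix" = "30" ] || { echo "need a /30: $1" >&2; return 1; }
    case "$net" in 169.254.*) ;; *) echo "must be in 169.254.0.0/16: $1" >&2; return 1 ;; esac
    base="${net%.*}"; last="${net##*.}"
    # a /30 network address is a multiple of 4
    [ $((last % 4)) -eq 0 ] || { echo "not a /30 network address: $1" >&2; return 1; }
    echo "$base.$((last + 2)) $base.$((last + 1))"
}

# $1 = gateway interface (0 or 1), $2 = link /30, $3 = PSK
add_session() {
    idx="$1"; link="$2"; psk="$3"
    addrs="$(link_addrs "$link")"
    set -- $addrs          # $1 = Cloud Router BGP IP, $2 = BGP Peer IP (VNS3 VTI)
    gcloud compute vpn-tunnels create "$HA_GW-tunnel$idx" --region "$REGION" \
        --vpn-gateway "$HA_GW" --interface "$idx" \
        --peer-external-gateway "$PEER_GW" --peer-external-gateway-interface 0 \
        --router "$ROUTER" --ike-version 2 --shared-secret "$psk"
    gcloud compute routers add-interface "$ROUTER" --region "$REGION" \
        --interface-name "if-tunnel$idx" --vpn-tunnel "$HA_GW-tunnel$idx" \
        --ip-address "$1" --mask-length 30
    gcloud compute routers add-bgp-peer "$ROUTER" --region "$REGION" \
        --peer-name "bgp-tunnel$idx" --interface "if-tunnel$idx" \
        --peer-ip-address "$2" --peer-asn "$VNS3_ASN"
    echo "tunnel$idx: VNS3 VTI $2/30, eBGP peer $1, PSK $psk"
}

create_ha_vpn() {
    [ "$PRIMARY_LINK" != "$SECONDARY_LINK" ] || { echo "BGP /30s must differ" >&2; return 1; }
    gcloud compute vpn-gateways create "$HA_GW" --network "$NETWORK" --region "$REGION"
    # Single VNS3 controller, so the peer gateway has one interface; both tunnels use it
    gcloud compute external-vpn-gateways create "$PEER_GW" --interfaces "0=$VNS3_PUBLIC_IP"
    gcloud compute routers create "$ROUTER" --network "$NETWORK" --region "$REGION" --asn "$GOOGLE_ASN"
    # Interface 0 and 1 addresses: the Endpoint IPs for the VNS3 primary and secondary endpoints
    gcloud compute vpn-gateways describe "$HA_GW" --region "$REGION" --format='value(vpnInterfaces[].ipAddress)'
    add_session 0 "$PRIMARY_LINK" "$(gen_psk)"
    add_session 1 "$SECONDARY_LINK" "$(gen_psk)"
}

# After the VNS3 side is configured, both peers should show status UP here.
bgp_status() {
    gcloud compute routers get-status "$ROUTER" --region "$REGION" --format='yaml(result.bgpPeerStatus)'
}

case "${1:-}" in
    create) create_ha_vpn ;;
    status) bgp_status ;;
esac
```

Run `sh ha-vpn.sh create` to build the GCP side, and `sh ha-vpn.sh status` once the VNS3 endpoints and eBGP peers from steps 5 through 7 exist; a peer stuck in a non-UP state with zero learned routes usually means the VTI address on VNS3 does not match the BGP Peer IP for that session.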

5. VNS3 Configuration

You will now configure the VNS3 side of the VPN. Navigate to the IPSec page in the VNS3 Web UI and select “New Endpoint”.

Creating a new endpoint in VNS3

  • Name the endpoint (allowed: alphanumeric, _ )
  • The Endpoint IP is the IP address of the Google Cloud VPN gateway (interface 0 for the primary HA VPN endpoint)
  • Select IKEv2
  • Enter the PSK that you defined in the GCP section
  • Disable PFS (uncheck the box). Note that without PFS the child SA keys are derived from the IKE SA without a fresh Diffie-Hellman exchange on each rekey.
  • Check the box for “Enable Route-based VPN”
  • Specify the local VTI interface address as a /30 CIDR (e.g. 169.254.3.1/30). For an HA VPN endpoint this must be the BGP Peer IP you defined in the GCP BGP session in step 3.
  • Set the local and remote subnets to 0.0.0.0/0.

Creating a VNS3 endpoint for GCP Route-based VPN

The tunnel should show “connected” in green in less than a minute. If it does not connect right away, check that the cloud security groups associated with your VNS3 controller allow inbound UDP ports 500 and 4500 from the Google Cloud VPN gateway address(es).

For more information about Google Static routing VPN, click HERE

Creating Routes in VNS3 (static routing only)

If you are setting up a BGP VPN, skip this section and continue to Step #6 below.

To allow traffic from your VNS3 network to your Google Cloud network, you will need to add the necessary routes on the VNS3 Routes page. From the VNS3 Web UI, navigate to the Routes page.

  • Specify the GCP network in CIDR notation.
  • Add a route description (optional)
  • Select “Route-based VPN tunnel” as the Route type and the specific VTI interface name
  • Add Route

Creating VNS3 static routes

If there are multiple networks you need to connect to in GCP, repeat this step for each additional subnet CIDR.

6. Create BGP peer on the primary endpoint (dynamic routing)

Once the tunnel shows a green “connected”, select New eBGP Peer from the endpoint's Action dropdown menu.

Create new eBGP Peer in VNS3

  • The Peer’s IP address is the Cloud Router BGP IP defined in step 3, i.e. the other address in the same /30 as the local VTI address you set in the previous step
  • Define the Peer ASN; this is the Google ASN of the Cloud Router created in step 2 (e.g. 65022)
  • Define the peer’s access list. This is where you define the local and remote CIDRs, using ‘out permit’ and ‘in permit’ entries to control what traverses this BGP connection: “out permit” CIDRs are advertised to the Google BGP peer, and “in permit” CIDRs are the advertisements accepted from it. Do not configure a network distance for the primary endpoint.

Configure primary eBGP Peer in VNS3

7. Configuring the Secondary Connection

Create a second endpoint by repeating step 5 with the secondary naming convention and addresses: the Endpoint IP is the Google HA VPN gateway interface 1 address, and the local VTI address is the BGP Peer IP from the secondary Google BGP session configured in step 4. Save.

Once the secondary endpoint is created, select “New eBGP Peer” under the endpoint's Actions dropdown menu. Follow step 6, but set the outbound network distance to 10. This is the parameter that distinguishes the secondary peer from the primary and makes the HA configuration work: when the BGP peers exchange routing information, VNS3 routes traffic through the primary endpoint because it appears to have the shorter network distance. Only if the primary connection goes down is the secondary connection used to route traffic.

You have now successfully created an HA BGP VPN from VNS3 to Google Cloud VPN. If your VNS3 controller sits in a subnet with other VM instances that should use the BGP connection(s), you will also have to add the necessary cloud VPC/subnet routes, as well as a route advertisement for your local VPC subnet CIDR(s) on the VNS3 Routes page.

Updating your VNS3 Firewall

Now that the connection is up, you will need to add FORWARD_CUST firewall rules to allow traffic to traverse it. In this example, from the VNS3 point of view the local subnet is 192.168.2.0/24 and the remote GCP subnets are 30.0.0.0/16 and 30.1.0.0/16. Navigate to the VNS3 Firewall page and enter rules that forward traffic between the desired source(s) and destination(s), one rule per source/destination pair:

FORWARD_CUST -s 192.168.2.0/24 -d 30.0.0.0/16 -j ACCEPT
FORWARD_CUST -s 192.168.2.0/24 -d 30.1.0.0/16 -j ACCEPT
FORWARD_CUST -s 30.0.0.0/16 -d 192.168.2.0/24 -j ACCEPT
FORWARD_CUST -s 30.1.0.0/16 -d 192.168.2.0/24 -j ACCEPT

If you have any questions please contact Cohesive support at support.cohesive.net or by email at support@cohesive.net.

Click here for more information about Google BGP VPN