Describes how to build site-to-site IPsec VPNs between HA VPN on Google Cloud Platform (GCP) and [VENDOR] [PRODUCT].
BEGIN: HOW TO USE THIS TEMPLATE
    1. Make a copy of this template.
    2. On your local computer, update and add information as indicated:
       - Fill in the metadata (title, description, author, date_published) at the top of this file.
       - There are notes in the template for you, the author, that explain where you need to make changes. These notes are enclosed in angle brackets (< >). Make sure you remove all text enclosed in angle brackets (< >).
       - The template contains placeholders for things like the vendor and product name. These are also enclosed in brackets; for example, every place you see <vendor-name> and <product-name>, substitute appropriate names.
       - After you've made appropriate updates, remove content in angle brackets.
       - Remove these instructions.
       - Because this is a template for a variety of setups, it might contain content that isn't relevant to your scenario. Remove (or update) any sections that don't apply to you.
    4. In your fork, add a new folder named /tutorials/[YOUR_TUTORIAL]. For the folder name, use hyphens to separate words. We recommend that you include a product name in the folder name, such as using-cloud-vpn-with-cisco-asr.
    5. Copy the updated file to the index.md file of the new folder.
    6. Create a branch.
    7. Issue a PR to get your new content into the community site.
<END: HOW TO USE THIS TEMPLATE>

Using HA VPN with \\

Author: \
Learn how to build site-to-site IPSec VPNs between HA VPN on Google Cloud Platform (GCP) and \\.
[TODO: Change it with a real HA VPN guide when available]
<To see a finished version of this guide, see the Using Cloud VPN with Cisco ASR.>
\ \ and the \ logo are trademarks of \ or its affiliates in the United States and/or other countries.
Disclaimer: This interoperability guide is intended to be informational in nature and shows examples only. Customers should verify this information by testing it.

Introduction

This guide walks you through the process of configuring a route-based VPN tunnel between \\ and the HA VPN service on GCP.
For more information about HA or Classic VPN, see the Cloud VPN overview.

Terminology

The following terms are used throughout this guide.
\
    - GCP VPC network: A single virtual network within a single GCP project.
    - On-premises gateway: The VPN device on the non-GCP side of the connection, which is usually a device in a physical data center or in another cloud provider's network. GCP instructions are written from the point of view of the GCP VPC network, so on-premises gateway refers to the gateway that's connecting to GCP.
    - External IP address or GCP peer address: External IP addresses used by peer VPN devices to establish HA VPN with GCP. External IP addresses are allocated automatically, one for each gateway interface within a GCP project.
    - Dynamic routing: GCP dynamic routing for VPN using the
      Note that HA VPN only supports dynamic routing.
    - \\: Definition.
    - \\: Definition.

Topology

HA VPN supports multiple topologies.
This interop guide is based on the 1-peer-2-address topology.

Product environment

The \\ equipment used in this guide is as follows:
    - Vendor: \
    - Model: \
    - Software release: \

Before you begin

    1. Review information about how dynamic routing works in Google Cloud Platform.
    2. Make sure your peer VPN gateway supports BGP.
    3. Select or create a GCP project.
    4. Make sure that billing is enabled for your GCP project.
    6. If you are using gcloud commands, set your project ID with the following command:

       ```
       gcloud config set project [PROJECT_ID]
       ```

       The gcloud instructions on this page assume that you have set your project ID before issuing commands.
    7. You can also view a project ID that has already been set:

       ```
       gcloud config list --format='text(core.project)'
       ```

Licenses and modules

\<This section is optional, because some VPN vendors can be open source or cloud providers that don't require such licensing.>
Before you configure your \\ for use with HA VPN, make sure that the following licenses are available:
\
    - Advanced Enterprise Services (SLASR1-AES) or Advanced IP Services Technology Package License (SLASR1-AIS).
    - IPSec RTU license (FLASR1-IPSEC-RTU).
    - Encryption HW module (ASR1002HX-IPSECHW(=) and ASR1001HX-IPSECW(=)) and Tiered Crypto throughput license, which applies to ASR1002-HX and ASR1001-HX chassis only.
For detailed \\ license information, see the \ documentation.

Configuration parameters and values

The gcloud commands in this guide include parameters whose values you must provide. For example, a command might include a GCP project name, a region, or other parameters whose values are unique to your context. The following table lists the parameters and gives examples of the values used in this guide.

| Parameter description | Placeholder | Example value |
|---|---|---|
| Vendor name | [VENDOR_NAME] | Your product's vendor name. This value should have no spaces or punctuation in it other than underscores or hyphens, because it will be used as part of the names for GCP entities. |
| GCP project name | [PROJECT_NAME] | vpn-guide |
| Shared secret | [SHARED_SECRET] | |
| VPC network name | [NETWORK] | network-a |
| Subnet mode | [SUBNET_MODE] | custom |
| VPN BGP routing mode | [BGP_ROUTING_MODE] | global |
| Subnet on the GCP VPC network (for example, vpn-vendor-test-network) | [SUBNET_NAME_1] | subnet-a-central |
| Subnet on the GCP VPC network (for example, vpn-vendor-test-network) | [SUBNET_NAME_2] | subnet-a-west |
| GCP region. Can be any region, but should be geographically close to the on-premises gateway. | [REGION_1] | us-central1 |
| GCP region. Can be any region, but should be geographically close to the on-premises gateway. | [REGION_2] | us-west1 |
| IP address range for the GCP VPC subnet (vpn-subnet-1) | [RANGE_1] | 10.0.1.0/24 |
| IP address range for the GCP VPC subnet (vpn-subnet-2) | [RANGE_2] | 10.0.2.0/24 |
| IP address range for the on-premises subnet. You will use this range when creating rules for inbound traffic to GCP. | [IP_ON_PREM_SUBNET] | 192.168.1.0/24 |
| External static IP address for the first internet interface of \\ | [ON_PREM_GW_IP_0] | 199.203.248.181 |
| External static IP address for the second internet interface of \\ | [ON_PREM_GW_IP_1] | 199.203.248.182 |
| HA VPN gateway | [GW_NAME] | ha-vpn-gw-a |
| Cloud Router name (for dynamic routing) | [ROUTER_NAME] | router-a |
| Google ASN | [GOOGLE_ASN] | 65001 |
| Peer ASN | [PEER_ASN] | 65002 |
| External VPN gateway resource | [PEER_GW_NAME] | peer-gw |
| First VPN tunnel | [TUNNEL_NAME_IF0] | tunnel-a-to-on-prem-if-0 |
| Second VPN tunnel | [TUNNEL_NAME_IF1] | tunnel-a-to-on-prem-if-1 |
| First BGP peer interface | [ROUTER_INTERFACE_NAME_0] | bgp-peer-tunnel-a-to-on-prem-if-0 |
| Second BGP peer interface | [ROUTER_INTERFACE_NAME_1] | bgp-peer-tunnel-a-to-on-prem-if-1 |
| BGP interface netmask length (passed to --mask-length as a number) | [MASK_LENGTH] | 30 |

Configure the GCP side

This section covers how to configure HA VPN.
There are two ways to create HA VPN gateways on GCP: using the GCP Console and using gcloud commands.
This section describes how to perform the tasks using gcloud commands.

Initial tasks

Complete the following procedures before configuring a GCP HA VPN gateway and tunnel.
These instructions create a custom mode VPC network with one subnet in one region and another subnet in another region.
Create a custom VPC network

If you haven't already, create a VPC network with this command:

```
gcloud compute networks create [NETWORK] \
    --subnet-mode [SUBNET_MODE] \
    --bgp-routing-mode [BGP_ROUTING_MODE]
```

Replace the placeholders as follows:
    - [NETWORK]: Assign a network name.
    - [SUBNET_MODE]: Set as custom.
    - [BGP_ROUTING_MODE]: Set as global.

The command should look similar to the following example:

```
gcloud compute networks create network-a \
    --subnet-mode custom \
    --bgp-routing-mode global
```

Create subnets

Create two subnets:

```
gcloud compute networks subnets create [SUBNET_NAME_1] \
    --network [NETWORK] \
    --region [REGION_1] \
    --range [RANGE_1]

gcloud compute networks subnets create [SUBNET_NAME_2] \
    --network [NETWORK] \
    --region [REGION_2] \
    --range [RANGE_2]
```

The commands should look similar to the following example:

```
gcloud compute networks subnets create subnet-a-central \
    --network network-a \
    --region us-central1 \
    --range 10.0.1.0/24

gcloud compute networks subnets create subnet-a-west \
    --network network-a \
    --region us-west1 \
    --range 10.0.2.0/24
```

Create the HA VPN gateway

Create the HA VPN gateway:

```
gcloud beta compute vpn-gateways create [GW_NAME] \
    --network [NETWORK] \
    --region [REGION]
```

The command should look similar to the following example:

```
gcloud beta compute vpn-gateways create ha-vpn-gw-a \
    --network network-a \
    --region us-central1
```
When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

Create Cloud Router

Create a Cloud Router:

```
gcloud compute routers create [ROUTER_NAME] \
    --region [REGION] \
    --network [NETWORK] \
    --asn [GOOGLE_ASN]
```

Replace the placeholders as follows:
    - [ROUTER_NAME]: The name of the new Cloud Router, which you must create in the same GCP region as the Cloud HA VPN gateway.
    - [GOOGLE_ASN]: Any private ASN (64512-65534, 4200000000-4294967294) that you are not already using in the peer network. The Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later.

The command should look similar to the following example:

```
gcloud compute routers create router-a \
    --region us-central1 \
    --network network-a \
    --asn 65001
```

Create an External VPN Gateway resource

Create an external VPN gateway resource that provides information to GCP about your peer VPN gateway or gateways. Depending on the HA recommendations for your peer VPN gateway, you can create an external VPN gateway resource for the following types of on-premises VPN gateways:
    - Two separate peer VPN gateway devices, where the two devices are redundant with each other and each device has its own public IP address.
    - A single peer VPN gateway that uses two separate interfaces, each with its own public IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
    - A single peer VPN gateway with a single public IP address.
This interop guide only covers the second option (one peer, two addresses).

Create an external VPN gateway resource for a single peer VPN gateway with two separate interfaces:

```
gcloud beta compute external-vpn-gateways create [PEER_GW_NAME] \
    --interfaces 0=[ON_PREM_GW_IP_0],1=[ON_PREM_GW_IP_1]
```

The command should look similar to the following example:

```
gcloud beta compute external-vpn-gateways create peer-gw \
    --interfaces 0=204.237.220.4,1=204.237.220.35
```

Create two VPN tunnels, one for each interface on the HA VPN gateway

```
gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF0] \
    --peer-external-gateway [PEER_GW_NAME] \
    --peer-external-gateway-interface [PEER_EXT_GW_IF0] \
    --region [REGION] \
    --ike-version [IKE_VERS] \
    --shared-secret [SHARED_SECRET] \
    --router [ROUTER_NAME] \
    --vpn-gateway [GW_NAME] \
    --interface [INT_NUM_0]

gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF1] \
    --peer-external-gateway [PEER_GW_NAME] \
    --peer-external-gateway-interface [PEER_EXT_GW_IF1] \
    --region [REGION] \
    --ike-version [IKE_VERS] \
    --shared-secret [SHARED_SECRET] \
    --router [ROUTER_NAME] \
    --vpn-gateway [GW_NAME] \
    --interface [INT_NUM_1]
```

The command should look similar to the following example:

```
gcloud beta compute vpn-tunnels create tunnel-a-to-on-prem-if-0 \
    --peer-external-gateway peer-gw \
    --peer-external-gateway-interface 0 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret mysharedsecret \
    --router router-a \
    --vpn-gateway ha-vpn-gw-a \
    --interface 0

gcloud beta compute vpn-tunnels create tunnel-a-to-on-prem-if-1 \
    --peer-external-gateway peer-gw \
    --peer-external-gateway-interface 1 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret mysharedsecret \
    --router router-a \
    --vpn-gateway ha-vpn-gw-a \
    --interface 1
```

Create Cloud Router interfaces and BGP peers

Create a Cloud Router BGP interface and BGP peer for each tunnel you previously configured on the HA VPN gateway interfaces.
You can configure BGP interfaces and BGP peers either automatically or manually. This example uses the automatic method.
    1. For the first VPN tunnel, add a new BGP interface to the Cloud Router:

       ```
       gcloud compute routers add-interface [ROUTER_NAME] \
           --interface-name [ROUTER_INTERFACE_NAME_0] \
           --mask-length [MASK_LENGTH] \
           --vpn-tunnel [TUNNEL_NAME_IF0] \
           --region [REGION]
       ```

       The command should look similar to the following example:

       ```
       gcloud compute routers add-interface router-a \
           --interface-name if-tunnel-a-to-on-prem-if-0 \
           --mask-length 30 \
           --vpn-tunnel tunnel-a-to-on-prem-if-0 \
           --region us-central1
       ```
    2. Add a BGP peer to the interface for the first tunnel:

       ```
       gcloud compute routers add-bgp-peer [ROUTER_NAME] \
           --peer-name [PEER_NAME] \
           --peer-asn [PEER_ASN] \
           --interface [ROUTER_INTERFACE_NAME_0] \
           --region [REGION]
       ```

       The command should look similar to the following example:

       ```
       gcloud compute routers add-bgp-peer router-a \
           --peer-name peer-b \
           --peer-asn 65002 \
           --interface if-tunnel-a-to-on-prem-if-0 \
           --region us-central1
       ```
    3. For the second VPN tunnel, add a new BGP interface to the Cloud Router:

       ```
       gcloud compute routers add-interface [ROUTER_NAME] \
           --interface-name [ROUTER_INTERFACE_NAME_1] \
           --mask-length [MASK_LENGTH] \
           --vpn-tunnel [TUNNEL_NAME_IF1] \
           --region [REGION]
       ```

       The command should look similar to the following example:

       ```
       gcloud compute routers add-interface router-a \
           --interface-name if-tunnel-a-to-on-prem-if-1 \
           --mask-length 30 \
           --vpn-tunnel tunnel-a-to-on-prem-if-1 \
           --region us-central1
       ```
    4. Add a BGP peer to the interface for the second tunnel:

       ```
       gcloud compute routers add-bgp-peer [ROUTER_NAME] \
           --peer-name [PEER_NAME] \
           --peer-asn [PEER_ASN] \
           --interface [ROUTER_INTERFACE_NAME_1] \
           --region [REGION]
       ```

       The command should look similar to the following example:

       ```
       gcloud compute routers add-bgp-peer router-a \
           --peer-name peer-a \
           --peer-asn 65002 \
           --interface if-tunnel-a-to-on-prem-if-1 \
           --region us-central1
       ```
    5. Verify the Cloud Router configuration:

       ```
       gcloud compute routers get-status router-a \
           --region us-central1 \
           --format='flattened(result.bgpPeerStatus[].name,
           result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'

       gcloud compute routers describe [ROUTER_NAME] \
           --region [REGION]
       ```
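The `get-status` output is also what tells you whether the pair is actually redundant: the 1-peer-2-address topology only protects against a single failure if both BGP sessions are up and the on-premises prefix is learned over both tunnels. The following script is an added example, not part of this template or of the Cloud VPN documentation; it evaluates the JSON form of that output (`--format=json`) and reports, per tunnel, whether its session is established and whether the on-premises prefix is reachable through it. Field names follow the Compute API RouterStatus resource, and the status document embedded in the script is constructed.

```python
import json

# Constructed sample shaped like `gcloud compute routers get-status router-a
# --region us-central1 --format=json`: peer-b is healthy, peer-a never came up.
SAMPLE_STATUS = json.dumps({
    "kind": "compute#routerStatusResponse",
    "result": {
        "bgpPeerStatus": [
            {"name": "peer-b", "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2",
             "linkedVpnTunnel": "regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0",
             "state": "Established", "status": "UP", "numLearnedRoutes": 1},
            {"name": "peer-a", "ipAddress": "169.254.0.5", "peerIpAddress": "169.254.0.6",
             "linkedVpnTunnel": "regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1",
             "state": "Connect", "status": "DOWN", "numLearnedRoutes": 0},
        ],
        "bestRoutes": [
            {"destRange": "192.168.1.0/24", "nextHopIp": "169.254.0.2",
             "nextHopVpnTunnel": "regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0"},
        ],
    },
})

# Values from the parameter table of this guide.
EXPECTED_TUNNELS = ("tunnel-a-to-on-prem-if-0", "tunnel-a-to-on-prem-if-1")
ON_PREM_PREFIX = "192.168.1.0/24"


def _tunnel_name(resource_url):
    """Last path component of a tunnel URL, e.g. '.../vpnTunnels/x' -> 'x'."""
    return resource_url.rsplit("/", 1)[-1]


def check_ha_vpn(status_json, on_prem_prefix, expected_tunnels):
    """Return a list of findings; an empty list means both tunnels are healthy.

    A finding is raised when a tunnel has no BGP peer bound to it, when its
    peer is not UP/Established, or when the on-premises prefix is not learned
    over that tunnel (both tunnels must carry it for the pair to be redundant).
    """
    result = json.loads(status_json)["result"]
    peers = {_tunnel_name(p.get("linkedVpnTunnel", "")): p
             for p in result.get("bgpPeerStatus", [])}
    routed = {_tunnel_name(r["nextHopVpnTunnel"]) for r in result.get("bestRoutes", [])
              if r.get("destRange") == on_prem_prefix and "nextHopVpnTunnel" in r}
    findings = []
    for tunnel in expected_tunnels:
        peer = peers.get(tunnel)
        if peer is None:
            findings.append(f"{tunnel}: no BGP peer bound to this tunnel")
            continue
        if peer.get("status") != "UP" or peer.get("state") != "Established":
            findings.append(f"{tunnel}: peer {peer['name']} is "
                            f"{peer.get('status')}/{peer.get('state')}")
        if tunnel not in routed:
            findings.append(f"{tunnel}: {on_prem_prefix} is not learned over this tunnel")
    return findings


if __name__ == "__main__":
    report = check_ha_vpn(SAMPLE_STATUS, ON_PREM_PREFIX, EXPECTED_TUNNELS)
    for line in report or ["OK: both tunnels established and carrying the on-premises prefix"]:
        print(line)
```

To run it against a live router, replace SAMPLE_STATUS with the output of `gcloud compute routers get-status [ROUTER_NAME] --region [REGION] --format=json`.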

Configure firewall rules

Configure firewall rules to allow inbound traffic from the on-premises network subnets:

```
gcloud compute firewall-rules create [VPN_RULE_NAME] \
    --network [NETWORK] \
    --allow tcp,udp,icmp \
    --source-ranges [IP_ON_PREM_SUBNET]
```

The command should look similar to the following example:

```
gcloud compute firewall-rules create network-a-to-on-prem \
    --network network-a \
    --allow tcp,udp,icmp \
    --source-ranges 192.168.1.0/24
```
You must also configure the on-premises network firewall to allow inbound traffic from your VPC subnet prefixes.

Configure the \\ side

\ equipment.>

Creating the base network configuration

\
Follow the procedure listed in the configuration code snippet below to create the base Layer 3 network configuration of \.
At least one internal-facing network interface is required in order to connect to your on-premises network, and one external-facing interface is required in order to connect to GCP.
\

Creating the base VPN gateway configuration

Follow the procedures in this section to create the base VPN configuration.
\<This section contains outlines of subsections for different aspects of configuring IPSec and IKE on the vendor side. Fill in the sections that are relevant to the current configuration, and remove any sections that don't apply.>
GCP-compatible settings for IPSec and IKE
Configure only ciphers that GCP supports.
Configure the IKE proposal and policy
\
\
Configure the IKEv2 keyring
\
\
Configure the IKEv2 profile
\
\
Configure the IPSec security association (SA)
\
    - IPsec SA replay window-size: Set this to 1024, which is the recommended value for \\.
\
Configure the IPSec transform set
\
\
Configure the IPSec static virtual tunnel interface (SVTI)
\
    - Adjust the maximum segment size (MSS) value of TCP packets going through a router as discussed in MTU Considerations for Cloud VPN.
\

Configuring the dynamic routing protocol

Follow the procedure in this section to configure dynamic routing for traffic through the VPN tunnel or tunnels using the BGP routing protocol.
\
To advertise additional prefixes to GCP, \:
\
Additional recommended BGP configurations:
    - Keepalive timer = 20
    - Hold timer = 60s
    - BGP Graceful Restart time = 1s
    - Stalepath-time = 300s
\

Saving the configuration

Follow the procedure in this section to save the on-premises configuration.
\
\

Testing the configuration

It's important to test the VPN connection from both sides of a VPN tunnel. For either side, make sure that the subnet in which the machine or virtual machine is located is routed through the VPN tunnel.
    1. Create VMs on both sides of the tunnel. Make sure that you configure the VMs on a subnet that will pass traffic through the VPN tunnel.
       - Instructions for creating virtual machines in Compute Engine are in the
       - Instructions for creating machines on-premises are located \.
    2. After you have deployed VMs on both GCP and on-premises, you can use an ICMP echo (ping) test to test network connectivity through the VPN tunnel.
       On the GCP side, use the following instructions to test the connection to a machine that's behind the on-premises gateway:
       1. In the GCP Console, go to the VM Instances page.
       2. Find the GCP virtual machine you created.
       3. In the Connect column, click SSH. A Cloud Shell window opens at the VM command line.
       4. Ping a machine that's behind the on-premises gateway.
    \\ here. For example, the following is an example of a successful ping from a Cisco ASR router to GCP.>

    ```
    cisco-asr#ping 172.16.100.2 source 10.0.200.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.200.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 18/19/20 ms
    ```

Troubleshooting IPSec on \\

For troubleshooting information, see the \\ troubleshooting guide: \.
\\ guide.>

Reference documentation

You can refer to the following \\ documentation and Cloud VPN documentation for additional information about both products.

GCP documentation

To learn more about GCP networking, see the following documents:

\\ documentation

For more product information on \\, refer to the following \ feature configuration guides and datasheets:
    \
    \
For common \\ error messages and debug commands, see the following guides:
    \
    \