---
title: "Google Cloud Platform"
slug: "configuring-a-site-to-site-ipsec-tunnel-to-google-cloud-platform"
updated: 2026-04-07T09:05:20Z
published: 2026-04-07T09:05:20Z
canonical: "support.perimeter81.com/configuring-a-site-to-site-ipsec-tunnel-to-google-cloud-platform"
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Cloud Platform

<meta charset="utf-8">

<meta charset="utf-8">

<meta charset="utf-8">

## Introduction

This guide aims to facilitate the process of setting up a Site-to-Site VPN tunnel between your Check Point SASE network and Google Cloud Platform (GCP).

Establishing this secure connection ensures that your local networks and the cloud infrastructure seamlessly integrate, paving the way for resource accessibility and data transfer with increased security.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, you should have:

1. An active Check Point SASE account and a functional network.
2. Installed the Check Point SASE app on your devices.
3. An active Google Cloud Platform (GCP) account with the necessary administrative permissions.

## Configuration Steps

GCP includes a few steps throughout the configuration and needs to be applied for every VPC.

1. **Create Virtual Private Gateway**.
  - Go to the **Network****Connectivity** in the **Google Cloud Platform Console**.
  - Under the left menu go to **VPN**, select **Cloud VPN Gateways**, then create **VPN Gateway**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/NetwrokConnectivity1(2).png)
  - **Select** Classic VPN.  
![3600089273592.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600089273592.png)
  - Fill in the following information:  
![3600089231803.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600089231803.png)
  - **Name:** Enter a name of your choice.
  - **Network:** Select default or a specific VPC.
  - **Region:** Preferably the region in which your resources lie.
  - **IP Address:** Create an IP address that will serve to connect your gateway.  
![360008236080ScreenShot2020-01-21at201108.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008236080ScreenShot2020-01-21at201108.png)
2. **Create a Tunnel**
  - Scroll to the lower part of the page. Fill in the following information:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Network%20Connectivity2(1).png)
  - **Name:** Enter a name of your choice.
  - **Remote peer IP address:** Enter your Check Point SASE Gateway IP (to obtain this, open the Check Point SASE Platform, and under Network select the network that contains the gateway to which you'd like to create a tunnel).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1679941320164.png)
  - **IKE Version:** IKEv2  
![360008236360ScreenShot2020-01-21at203040.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008236360ScreenShot2020-01-21at203040.png)
  - **IKE pre-shared key:** Select **Generate and copy** or choose a key of your own and write it down.
  - **Routing options:** Route-based
  - **Remote network IP ranges:** 10.255.0.0/16 (unless customized)
  - Select **Done**, then **Create**.

## Check Point SASE Platform configurations

1. Enter the Check Point SASE Management Platform. Under the **Networks** tab in the left menu, select the network name in which you'd like to set the Tunnel.
2. Locate the desired gateway, select the three-dotted menu (...), **Add Tunnel,** and then **IPSec Site-2-Site Tunnel**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-11-09%20at%204.21.49%20PM.png)
3. In the **General Settings section, specify these**:
  - **Name:** Choose whatever name you find suitable for the Tunnel.
  - **Check Point SASE Gateway Proposal Subnets:** Leave **Any (0.0.0.0/0**) selected here.
  - **Remote Gateway Proposal Subnets**: Leave **Any (0.0.0.0/0**) set here.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GeneralSet_KeyExchange_Any_Any(1).PNG)
4. At the **Advanced Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Cisco%20ASA_512_521(1).PNG)
  - **IKE Version:** V2
  - **IKE Lifetime:** 8h
  - **Tunnel Lifetime:** 1h
  - **Dead Peer Detection Delay:** 10s
  - **Dead Peer Detection Timeout:** 30s
  - **Phase 1**:
    - **Encryption****(Phase 1):** aes256
    - **Integrity (Phase 1):** sha512
    - **Key Exchange Method:** ecp521
  - **Phase 2**:
    - **Encryption****(Phase 2):** aes256
    - **Integrity (Phase 2):** sha512
    - **Key Exchange Method:** ecp521  
(Other supported ciphers can be found in [Google article](https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers))
5. Select **Add Tunnel**.
6. In the network menu, select the three dots and click on **Routes Table**:![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)
7. Click the **Add Route** button on the top right, then on this popup, fill out accordingly and click the **Add Route** button:![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1655905978348.png)
  - **Subnets** - Copy the subnets of the regions where your resources are installed. This can be queried in the Google Cloud Console here:![3600089276195.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600089276195.png)
8. Be sure to click **Apply Configuration** when done.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)

## Configuring the routing rules to the VPC network

1. Go to the **VPC Network** in the **Google Cloud Platform Console**. Under the left menu go to **Routes**.

![360008238659ScreenShot2020-01-21at204737.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008238659ScreenShot2020-01-21at204737.png) 2. Select **Create Route Rule** and fill in the following information:

![360008238699ScreenShot2020-01-21at205040.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008238699ScreenShot2020-01-21at205040.png)

- **Name:** The name of the VPN gateway.
- **Network:** The VPC network containing the instances that the VPN gateway will serve (should be the same network as selected in the previous steps).
- **Destination Network IP range:** Specify **10.255.0.0/16** (or customized)
- **Priority:** 1000
- **Next hop:** Select **Specify VPN Tunnel**.
- **Next hop VPN tunnel:** Select the VPN tunnel you created in the previous steps.
- Select **Create**.

## Allowing incoming connections from Check Point SASE local network using firewall rules

1. Go to the **VPC Network** in the **Google Cloud Platform Console**.
2. Under the left menu go to **Firewall Rules**.  
![360008238779ScreenShot2020-01-21at205000.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008238779ScreenShot2020-01-21at205000.png)
3. Select **Create Firewall Rule** and fill in the following information:  
![360008238899ScreenShot2020-01-21at205728.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008238899ScreenShot2020-01-21at205728.png)
  - **Name:** Enter a name of your choice.
  - **Logs:** Off
  - **Network:** The VPC network containing the instances the VPN gateway will serve (should be the same network as selected in the previous steps).
  - **Priority:** 1000
  - The direction of traffic should be **Ingress**.  
![360008236720ScreenShot2020-01-21at205317.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008236720ScreenShot2020-01-21at205317.png)
  - **Action on match:** allow
  - **Target tags:** optional
  - **Source filter:** IP Ranges
  - **Source IP ranges:** 10.255.0.0/16 (unless customized)
  - **Second source filter:** none
  - **Allowed protocols or ports:** all

<meta charset="utf-8">

## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.