Configuring a Site-to-Site IPSec Tunnel to Google Cloud Platform

To establish a site-to-site IPSec VPN connection between Google Cloud Platform (GCP) and Perimeter 81, follow the steps below. You will configure the GCP gateway and tunnel first, then the Perimeter 81 side, and finally the route and firewall rule that let traffic flow through the tunnel.

Initial Google Cloud Platform Configuration

The GCP side consists of a few steps, and they must be repeated for every VPC you want to reach through the tunnel.

1. Create a VPN Gateway

  • Go to Hybrid Connectivity in the Google Cloud Platform Console.
  • In the left menu select VPN, then Cloud VPN Gateways, then Create VPN Gateway.
  • Select Classic VPN.
  • Fill in the fields as follows:
    • Name: Choose an indicative name of your own choice.
    • Network: Select default or the specific VPC you want to reach through the tunnel.
    • Region: Preferably the region in which your resources lie.
    • IP Address: Reserve a new static IP address. This is the public address the Perimeter 81 gateway will connect to; you will enter it later as the Public IP on the Perimeter 81 side.

2. Create a Tunnel

  • Scroll down to the Tunnels section of the same page and fill in the fields as follows:
    • Name: Choose an indicative name of your own choice.
    • Remote peer IP address: Enter your Perimeter 81 gateway IP. To find it, open the Perimeter 81 Platform and, under Network, select the network that contains the gateway you want to connect to.
    • IKE Version: IKEv2
    • IKE pre-shared key: Select Generate and copy the key, or enter a key of your own. Either way, keep a copy: you must enter the same key as the Shared secret on the Perimeter 81 side.
    • Routing options: Route-based
    • Remote network IP ranges: 10.255.0.0/16 (unless you customised the Perimeter 81 network range)
  • Select Done, then Create.
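The two GCP steps above (gateway and tunnel) as an added example driven from the gcloud CLI instead of the console. This is not code from Perimeter 81 or Google: the project id, region, network, gateway and tunnel names, the peer address 203.0.113.10 and the key file path are placeholders to override from the environment, and the helper names (run, gen_psk, valid_cidr, gcp_create_gateway, gcp_create_tunnel) are this example's own. With APPLY=0, the default, every gcloud command is printed with the pre-shared key masked instead of being executed, so the plan can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not code from Perimeter 81 or Google): the GCP gateway and
# tunnel steps of this article as gcloud commands. Project, region, names,
# peer IP and key file below are placeholders; override them via environment.
# APPLY=0 (default) only prints the commands, masking the pre-shared key.
set -euf

PROJECT="${PROJECT:-my-gcp-project}"            # assumed project id
REGION="${REGION:-europe-west1}"                # region where your resources live
NETWORK="${NETWORK:-default}"                   # VPC selected for the gateway
GW_NAME="${GW_NAME:-p81-vpn-gw}"                # Classic VPN gateway name
TUNNEL_NAME="${TUNNEL_NAME:-p81-tunnel}"
PEER_IP="${PEER_IP:-203.0.113.10}"              # Perimeter 81 gateway IP (placeholder)
REMOTE_RANGE="${REMOTE_RANGE:-10.255.0.0/16}"   # Perimeter 81 network range
PSK_FILE="${PSK_FILE:-./p81-tunnel.psk}"        # where the generated key is stored
APPLY="${APPLY:-0}"                             # 1 = really run gcloud

# Echo a command with the pre-shared key masked (so it never lands in a log
# or terminal scrollback), then execute it only when APPLY=1.
run() {
  for arg in "$@"; do
    if [ -n "${PSK:-}" ] && [ "$arg" = "$PSK" ]; then printf '%s ' '<redacted>'
    else printf '%s ' "$arg"; fi
  done
  printf '\n'
  if [ "$APPLY" = "1" ]; then "$@"; fi
}

# 256-bit random pre-shared key as 64 hex characters: long, unguessable, and
# free of characters that a shell or web form might mangle.
gen_psk() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Sanity-check an IPv4 CIDR such as 10.255.0.0/16 before it goes into a route
# or traffic selector; returns 1 on a bad octet, prefix length or shape.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  cidr_ip="${1%/*}"; cidr_len="${1#*/}"
  case "$cidr_len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$cidr_len" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $cidr_ip; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Step 1: Classic VPN gateway, its static public IP, and the three forwarding
# rules Classic VPN needs on that IP (ESP, IKE on UDP 500, NAT-T on UDP 4500).
gcp_create_gateway() {
  run gcloud compute target-vpn-gateways create "$GW_NAME" \
      --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  run gcloud compute addresses create "$GW_NAME-ip" \
      --project "$PROJECT" --region "$REGION"
  if [ "$APPLY" = "1" ]; then
    GW_IP=$(gcloud compute addresses describe "$GW_NAME-ip" \
              --project "$PROJECT" --region "$REGION" --format='value(address)')
  else
    GW_IP='<reserved-ip>'
  fi
  run gcloud compute forwarding-rules create "$GW_NAME-esp" \
      --project "$PROJECT" --region "$REGION" --address "$GW_IP" \
      --ip-protocol ESP --target-vpn-gateway "$GW_NAME"
  run gcloud compute forwarding-rules create "$GW_NAME-udp500" \
      --project "$PROJECT" --region "$REGION" --address "$GW_IP" \
      --ip-protocol UDP --ports 500 --target-vpn-gateway "$GW_NAME"
  run gcloud compute forwarding-rules create "$GW_NAME-udp4500" \
      --project "$PROJECT" --region "$REGION" --address "$GW_IP" \
      --ip-protocol UDP --ports 4500 --target-vpn-gateway "$GW_NAME"
  echo "Gateway IP (enter as Public IP on the Perimeter 81 side): $GW_IP"
}

# Step 2: route-based IKEv2 tunnel. 0.0.0.0/0 on both traffic selectors is
# what "Route-based" means for Classic VPN; which prefixes actually use the
# tunnel is decided by the static route created in the routing step.
gcp_create_tunnel() {
  valid_cidr "$REMOTE_RANGE" || { echo "bad REMOTE_RANGE: $REMOTE_RANGE" >&2; return 1; }
  PSK="${PSK:-$(gen_psk)}"
  (umask 077; printf '%s\n' "$PSK" > "$PSK_FILE")   # key file readable by you only
  run gcloud compute vpn-tunnels create "$TUNNEL_NAME" \
      --project "$PROJECT" --region "$REGION" \
      --target-vpn-gateway "$GW_NAME" --peer-address "$PEER_IP" \
      --ike-version 2 --shared-secret "$PSK" \
      --local-traffic-selector 0.0.0.0/0 --remote-traffic-selector 0.0.0.0/0
  echo "Pre-shared key written to $PSK_FILE (enter it as Shared secret on the Perimeter 81 side)"
}

# Usage: APPLY=1 PROJECT=... PEER_IP=... sh gcp-p81-tunnel.sh create
if [ "${1:-}" = "create" ]; then gcp_create_gateway; gcp_create_tunnel; fi
```

Run it once with APPLY left at 0 to read the commands, then with APPLY=1 to create the resources. The three forwarding rules are what the console creates behind the scenes when you reserve the gateway IP; without all three, IKE or ESP traffic to the gateway address is dropped and the tunnel never negotiates. The key is written to a 0600 file rather than echoed, and the command echo masks it, because the shared secret is the only thing authenticating the peer.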

Perimeter 81 Platform Configuration

1. Open the Perimeter 81 Management Platform. Under the Network tab in the left menu, select the name of the network in which you'd like to set up the tunnel.

2. Locate the desired gateway, open its three-dotted menu (...), select Add Tunnel and then IPSec Site-2-Site Tunnel.

3. Fill in according to the following:

  • Name: Choose a name of your own choice.
  • Shared secret: Enter the same IKE pre-shared key you entered or generated in the Google Cloud Console.
  • Public IP: Enter the VPN gateway IP address you reserved in the Google Cloud Console.
  • Remote Gateway Proposal Subnets: Select Specified Subnets and enter the subnet ranges of the regions where your resources are installed. You can look these up in the Google Cloud Console under VPC network > VPC networks by opening the network you selected for the gateway.

4. Fill in the Advanced Settings:

  • IKE Version: V2
  • IKE Lifetime: 8h
  • Tunnel Lifetime: 1h
  • Dead Peer Detection Delay: 10s
  • Dead Peer Detection Timeout: 30s
  • Encryption (Phase 1): aes256
  • Integrity (Phase 1): sha1
  • Diffie-Hellman Groups (Phase 1): 2
  • Encryption (Phase 2): aes256
  • Integrity (Phase 2): sha1
  • Diffie-Hellman Groups (Phase 2): 2

Note that SHA-1 and Diffie-Hellman group 2 (1024-bit MODP) are legacy algorithms. If both your Perimeter 81 gateway and Cloud VPN offer them, prefer sha256 and group 14 or higher for both phases. Whatever you choose, the IKE version and the Phase 1 and Phase 2 proposals must match on both ends; a mismatch is the most common reason a tunnel never leaves the negotiating state.

Configure the Routing Rules for the VPC Network

1. Go to VPC network in the Google Cloud Platform Console. In the left menu, select Routes.

2. Select Create Route and fill in the fields as follows:

  • Name: A name of your own choice (the name of the VPN gateway works well).
  • Network: The VPC network containing the instances that the VPN gateway will serve (the same network you selected in the previous steps).
  • Destination IP range: 10.255.0.0/16 (unless you customised the Perimeter 81 network range)
  • Priority: 1000
  • Next hop: Select Specify VPN tunnel.
  • Next hop VPN tunnel: Select the VPN tunnel you created in the previous steps.
  • Select Create.

Allow Incoming Connections from the Perimeter 81 Network Using Firewall Rules

1. Go to the VPC Network in the Google Cloud Platform Console.

2. Under the left menu go to Firewall Rules.

3. Select Create Firewall Rule and fill in the fields as follows:

  • Name: Choose a name of your own choice.
  • Logs: Off (turn logging on if you want traffic arriving over the tunnel to show up in Cloud Logging)
  • Network: The VPC network containing the instances the VPN gateway will serve (the same network you selected in the previous steps).
  • Priority: 1000
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Target tags: Optional. Leave empty to apply the rule to every instance in the network, or set tags to restrict it to specific instances.
  • Source filter: IP ranges
  • Source IP ranges: 10.255.0.0/16 (unless you customised the Perimeter 81 network range)
  • Second source filter: None
  • Allowed protocols or ports: All. This is the simplest setting for bringing the tunnel up, but it exposes every port of every targeted instance to the whole Perimeter 81 range; once the tunnel is confirmed working, narrow it to the protocols and ports your workloads actually need.

4. Select Create.
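The route and firewall steps above as an added example in gcloud, together with the tunnel status check you will want once both sides are configured. This is not code from Perimeter 81 or Google: the project id, region, network and tunnel names are placeholders, the default port list tcp:22,tcp:443 and the tag p81-reachable in the tightened rule are assumptions, and the helper names (run, gcp_create_route, gcp_firewall_permissive, gcp_firewall_tightened, gcp_tunnel_status, tunnel_is_up) are this example's own. The permissive rule is the one the article describes; the tightened one is what to replace it with after the tunnel is verified.

```shell
#!/bin/sh
# Added example (not code from Perimeter 81 or Google): the route and firewall
# steps of this article as gcloud commands, plus a tunnel status check. Names,
# project and region are placeholders; APPLY=0 (default) only prints commands.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"            # assumed project id
REGION="${REGION:-europe-west1}"
NETWORK="${NETWORK:-default}"                   # VPC the tunnel serves
TUNNEL_NAME="${TUNNEL_NAME:-p81-tunnel}"        # tunnel created in the earlier steps
REMOTE_RANGE="${REMOTE_RANGE:-10.255.0.0/16}"   # Perimeter 81 network range
APPLY="${APPLY:-0}"                             # 1 = really run gcloud

# Echo a command, then execute it only when APPLY=1.
run() { printf '%s\n' "$*"; if [ "$APPLY" = "1" ]; then "$@"; fi; }

# Static route: send traffic for the Perimeter 81 range into the tunnel
# (the "Remote network IP ranges" field does this when you use the console).
gcp_create_route() {
  run gcloud compute routes create "$TUNNEL_NAME-route" \
      --project "$PROJECT" --network "$NETWORK" \
      --destination-range "$REMOTE_RANGE" --priority 1000 \
      --next-hop-vpn-tunnel "$TUNNEL_NAME" --next-hop-vpn-tunnel-region "$REGION"
}

# Firewall rule exactly as the article sets it: all protocols and ports, on
# every instance in the network, from the whole Perimeter 81 range. Fine for
# bringing the tunnel up, too broad to leave in place.
gcp_firewall_permissive() {
  run gcloud compute firewall-rules create "$TUNNEL_NAME-allow-all" \
      --project "$PROJECT" --network "$NETWORK" --direction INGRESS \
      --action allow --rules all --priority 1000 --source-ranges "$REMOTE_RANGE"
}

# Tightened replacement: only the listed ports, only on instances carrying the
# tag, with logging on, and the permissive rule removed. The default port list
# and tag are assumptions; pass your own as $1 and $2.
gcp_firewall_tightened() {
  ports="${1:-tcp:22,tcp:443}"
  tag="${2:-p81-reachable}"
  run gcloud compute firewall-rules create "$TUNNEL_NAME-allow-p81" \
      --project "$PROJECT" --network "$NETWORK" --direction INGRESS \
      --action allow --rules "$ports" --priority 900 \
      --source-ranges "$REMOTE_RANGE" --target-tags "$tag" --enable-logging
  run gcloud compute firewall-rules delete "$TUNNEL_NAME-allow-all" \
      --project "$PROJECT" --quiet
}

# After both sides are configured, status should be ESTABLISHED; any other
# value comes with a detailedStatus that names the problem (a proposal or
# pre-shared key mismatch shows up here).
gcp_tunnel_status() {
  gcloud compute vpn-tunnels describe "$TUNNEL_NAME" \
      --project "$PROJECT" --region "$REGION" --format='value(status,detailedStatus)'
}

# Exit 0 if a status line from gcp_tunnel_status says the tunnel is up.
tunnel_is_up() { case "$1" in ESTABLISHED*) return 0 ;; *) return 1 ;; esac; }

# Usage: sh gcp-p81-routing.sh create | harden [PORTS TAG] | status
case "${1:-}" in
  create) gcp_create_route; gcp_firewall_permissive ;;
  harden) gcp_firewall_tightened "${2:-}" "${3:-}" ;;
  status) st=$(gcp_tunnel_status); echo "$st"; tunnel_is_up "$st" ;;
esac
```

Bring the tunnel up with create, confirm status reports ESTABLISHED, then run harden. The tightened rule uses a lower priority number (900) so it wins over anything left at 1000, requires a tag so only instances you opt in are reachable from Perimeter 81, and enables logging so connections over the tunnel are visible in Cloud Logging; deleting the allow-all rule in the same step is what actually closes the exposure.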
