Ashish Verma | Technical Program Manager | Google

Contributed by Google employees.

Cisco terminology and the Cisco logo are trademarks of Cisco or its affiliates in the United States and/or other countries.

Disclaimer: This interoperability guide is intended to be informational in nature and shows examples only. Customers should verify this information by testing it.

This guide walks you through the process of configuring a route-based VPN tunnel between Cisco ASA 5506H and the HA VPN service on Google Cloud.

For more information about HA and Classic VPN, see the Cloud VPN overview.

Below are definitions of terms used throughout this guide.

• Google Cloud VPC network: A single virtual network within a single Google Cloud project.
• On-premises gateway: The VPN device on the non- Google Cloud side of the connection, which is usually a device in a physical data center or in another cloud provider's network. Google Cloud instructions are written from the point of view of the Google Cloud VPC network, so on-premises gateway refers to the gateway that's connecting to Google Cloud.
• External IP address or Google Cloud peer address: External IP addresses used by peer VPN devices to establish HA VPN with Google Cloud. External IP addresses are allocated automatically, one for each gateway interface within a Google Cloud project.
• Dynamic routing: Google Cloud dynamic routing for VPN using the Border Gateway Protocol (BGP). Note that HA VPN only supports dynamic routing.
• VTI: The ASA supports a logical interface called Virtual Tunnel Interface (VTI). A VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured.

HA VPN supports multiple topologies.

This interop guide is based on the 1-peer-2-address topology.

The Cisco ASA 5506H equipment used in this guide is as follows:

• Vendor: Cisco
• Model: ASA 5506H
• Software release: 9.9.2

1. Review information about how dynamic routing works in Google Cloud.

2. Make sure that your peer VPN gateway supports BGP.

3. For IKEv2 route-based VPN using VTI on ASA: Make sure that the code version is 9.8(1) or later.

4. Select or create a Google Cloud project.

5. Make sure that billing is enabled for your Google Cloud project.

6. Install and initialize the Cloud SDK.

7. If you are using gcloud commands, set your project ID with the following command:

   gcloud config set project [PROJECT_ID]
   

   The gcloud instructions on this page assume that you have set your project ID before issuing commands.

8. You can also view a project ID that has already been set:

   gcloud config list --format='text(core.project)'
   

There are no additional licenses required for site-to-site VPN on Cisco ASA 5506H.

The gcloud commands in this guide include parameters whose value you must provide. For example, a command might include a Google Cloud project name or a region or other parameters whose values are unique to your context. The following table lists the parameters and gives examples of the values used in this guide:

This section covers how to configure HA VPN.

There are two ways to create HA VPN gateways on Google Cloud: using the Cloud Console and using gcloud commands.

This section describes how to perform the tasks using gcloud commands.

Complete the following procedures before configuring a Google Cloud HA VPN gateway and tunnel.

These instructions create a custom mode VPC network with one subnet in one region and another subnet in another region.

If you haven't already, create a VPC network with this command:

gcloud compute networks create [NETWORK] \
--subnet-mode [SUBNET_MODE]  \
--bgp-routing-mode [BGP_ROUTING_MODE]

Replace the placeholders as follows:

• [NETWORK]: Assign a network name.
• [SUBNET_MODE]: Set as custom.
• [BGP_ROUTING_MODE]: Set as global.

The command should look similar to the following example:

gcloud compute networks create network-a \
--subnet-mode custom  \
--bgp-routing-mode global

Create two subnets:

gcloud compute networks subnets create [SUBNET_NAME_1]  \
--network [NETWORK] \
--region [REGION_1] \
--range [RANGE_1]

gcloud compute networks subnets create [SUBNET_NAME_2] \
--network [NETWORK] \
--region [REGION_2] \
--range [RANGE_2]

The commands should look similar to the following example:

gcloud compute networks subnets create subnet-a-central  \
--network network-a \
--region us-central1 \
--range 10.0.1.0/24

gcloud compute networks subnets create subnet-a-west \
--network network-a \
--region us-west1 \
--range 10.0.2.0/24

Create the HA VPN gateway:

gcloud compute vpn-gateways create [GW_NAME] \
--network [NETWORK] \
--region [REGION]

The command should look similar to the following example:

gcloud compute vpn-gateways create ha-vpn-gw-a \
--network network-a \
--region us-central1

When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

Create a Cloud Router:

gcloud compute routers create [ROUTER_NAME] \
--region [REGION] \
--network [NETWORK] \
--asn [GOOGLE_ASN]

Replace the placeholders as follows:

• [ROUTER_NAME]: The name of the new Cloud Router, which you must create in the same Google Cloud region as the Cloud HA VPN gateway.
• [GOOGLE_ASN]: Any private ASN (64512-65534, 4200000000-4294967294) that you are not already using in the peer network. The Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later.

The command should look similar to the following example:

gcloud compute routers create router-a \
--region us-central1 \
--network network-a \
--asn 65001

Create an external VPN gateway resource that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the HA recommendations for your peer VPN gateway, you can create external VPN gateway resources for the following different types of on-premises VPN gateways:

• Two separate peer VPN gateway devices, where the two devices are redundant with each other and each device has its own public IP address.
• A single peer VPN gateway that uses two separate interfaces, each with its own public IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
• A single peer VPN gateway with a single public IP address.

This interop guide only covers the second option (one peer, two addresses).

gcloud compute external-vpn-gateways create [PEER_GW_NAME] \
--interfaces 0=[ON_PREM_GW_IP_0],1=[ON_PREM_GW_IP_1] \

The command should look similar to the following example:

gcloud compute external-vpn-gateways create peer-gw   \
 --interfaces 0=209.119.81.225,1=209.119.82.226

gcloud compute vpn-tunnels create [TUNNEL_NAME_IF0] \
--peer-external-gateway [PEER_GW_NAME] \
--peer-external-gateway-interface [PEER_EXT_GW_IF0]  \
--region [REGION] \
--ike-version [IKE_VERS] \
--shared-secret [SHARED_SECRET] \
--router [ROUTER_NAME] \
--vpn-gateway [GW_NAME] \
--interface [INT_NUM_0]

gcloud compute vpn-tunnels create [TUNNEL_NAME_IF1] \
--peer-external-gateway [PEER_GW_NAME] \
--peer-external-gateway-interface [PEER_EXT_GW_IF1] \
--region [REGION] \
--ike-version [IKE_VERS] \
--shared-secret [SHARED_SECRET] \
--router [ROUTER_NAME] \
--vpn-gateway [GW_NAME] \
--interface [INT_NUM_1]

The command should look similar to the following example:

gcloud compute vpn-tunnels create tunnel-a-to-on-prem-if-0 \
--peer-external-gateway peer-gw \
--peer-external-gateway-interface 0  \
--region us-central1 \
--ike-version 2 \
--shared-secret mysharedsecret \
--router router-a \
--vpn-gateway ha-vpn-gw-a \
--interface 0

gcloud compute vpn-tunnels create tunnel-a-to-on-prem-if-1 \
--peer-external-gateway peer-gw \
--peer-external-gateway-interface 1  \
--region us-central1 \
--ike-version 2 \
--shared-secret mysharedsecret \
--router router-a \
--vpn-gateway ha-vpn-gw-a \
--interface 1

Create a Cloud Router BGP interface and BGP peer for each tunnel you previously configured on the HA VPN gateway interfaces.

You can choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers. This example uses the automatic method.

1. For the first VPN tunnel, add a new BGP interface to the Cloud Router:

   gcloud compute routers add-interface [ROUTER_NAME] \
   --interface-name [ROUTER_INTERFACE_NAME_0] \
   --mask-length [MASK_LENGTH] \
   --vpn-tunnel [TUNNEL_NAME_0] \
   --region [REGION]
   

   The command should look similar to the following example:

   gcloud compute routers add-interface router-a \
   --interface-name if-tunnel-a-to-on-prem-if-0 \
   --mask-length 30 \
   --vpn-tunnel tunnel-a-to-on-prem-if-0 \
   --region us-central1
   

2. Add a BGP peer to the interface for the first tunnel:

   gcloud compute routers add-bgp-peer [ROUTER_NAME] \
   --peer-name [PEER_NAME] \
   --peer-asn [PEER_ASN] \
   --interface [ROUTER_INTERFACE_NAME_0] \
   --region [REGION] \
   

   The command should look similar to the following example:

   gcloud compute routers add-bgp-peer router-a \
   --peer-name peer-b \
   --peer-asn 65002 \
   --interface if-tunnel-a-to-on-prem-if-0 \
   --region us-central1
   

3. For the second VPN tunnel, add a new BGP interface to the Cloud Router:

   gcloud compute routers add-interface [ROUTER_NAME] \
   --interface-name [ROUTER_INTERFACE_NAME_1] \
   --mask-length [MASK_LENGTH] \
   --vpn-tunnel [TUNNEL_NAME_1] \
   --region [REGION]
   

   The command should look similar to the following example:

   gcloud compute routers add-interface router-a \
   --interface-name if-tunnel-a-to-on-prem-if-1 \
   --mask-length 30 \
   --vpn-tunnel tunnel-a-to-on-prem-if-1 \
   --region us-central1
   

4. Add a BGP peer to the interface for the second tunnel:

   gcloud compute routers add-bgp-peer [ROUTER_NAME] \
   --peer-name [PEER_NAME] \
   --peer-asn [PEER_ASN] \
   --interface [ROUTER_INTERFACE_NAME_1] \
   --region [REGION]
   

   The command should look similar to the following example:

   gcloud compute routers add-bgp-peer router-a \
   --peer-name peer-a \
   --peer-asn 65002 \
   --interface if-tunnel-a-to-on-prem-if-1 \
   --region us-central1
   

5. Verify the Cloud Router configuration

   gcloud compute routers get-status router-a \
    --region us-central1 \
    --format='flattened(result.bgpPeerStatus[].name,
      result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
   
   gcloud compute routers describe router-a \
   --region us-central1
   

Configure firewall rules to allow inbound traffic from the on-premises network subnets:

gcloud compute firewall-rules create [VPN_RULE_NAME] \
--network [NETWORK] \
--allow tcp,udp,icmp \
--source-ranges [IP_ON_PREM_SUBNET]

The command should look similar to the following example:

gcloud compute firewall-rules create on-prem-to-network-a \
--network network-a \
--allow tcp,udp,icmp \
--source-ranges 192.168.1.0/24

You must also configure the on-premises network firewall to allow inbound traffic from your VPC subnet prefixes.

For the 1-peer-2-address topology, configure a minimum of three interfaces, named outside-0, outside-1, and inside. Outside interfaces are connected to the internet; the inside interface is connected to the private network.

Enter the configuration mode to create the base Layer 3 network configuration for the Cisco system, replacing the IP addresses based on your environment:

configure terminal
interface GigabitEthernet1/1
 nameif outside-0
 security-level 0
 ip address 209.119.81.225 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif outside-1
 security-level 0
 ip address 209.119.82.226 255.255.255.248
!

Follow the procedures in this section to create the base VPN configuration.

Make sure to configure ciphers supported by Google Cloud only.

Enter the configuration mode on Cisco ASA and create IKEv2 policies.

crypto ikev2 policy 10
 encryption aes-gcm-256
 group 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 36000
crypto ikev2 enable outside-0
crypto ikev2 enable outside-1

crypto ipsec ikev2 ipsec-proposal GCP
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512

crypto ipsec profile GCP
 set ikev2 ipsec-proposal GCP
 set pfs group14
 set security-association lifetime seconds 10800
 set security-association lifetime kilobytes unlimited

Tunnel group parameters set the access policies and protocol-specific connection parameters for the IPSec tunnel. The first command sets the tunnel type to ipsec-l2l (site-to-site or, in Cisco terms, lan-to-lan). The next command block sets the general-attributes for the IPSec tunnel. In this case the default-group-policy for the tunnel is being set to the policy named GCP and the ipsec-attributes for the tunnel are being set.

group-policy GCP internal
group-policy GCP attributes
 vpn-tunnel-protocol ikev2 

tunnel-group 35.242.106.213 type ipsec-l2l
tunnel-group 35.242.106.213 general-attributes
 default-group-policy GCP
tunnel-group 35.242.106.213 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key mysharedsecret
 ikev2 local-authentication pre-shared-key mysharedsecret

tunnel-group 35.220.86.219 type ipsec-l2l
tunnel-group 35.220.86.219 general-attributes
 default-group-policy GCP
tunnel-group 35.220.86.219 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key mysharedsecret
 ikev2 local-authentication pre-shared-key mysharedsecret

VTI allows route-based VPNs on Cisco ASA. This configuration creates two VTIs with interface name and ipsec configurations:

interface Tunnel10
 nameif gcp-if-0
 ip address 169.254.163.218 255.255.255.252 
 tunnel source interface outside-0
 tunnel destination 35.242.106.213
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile GCP
!
interface Tunnel20
 nameif gcp-if-1
 ip address 169.254.92.230 255.255.255.252 
 tunnel source interface outside-1
 tunnel destination 35.220.86.219
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile GCP
!

Follow the procedure in this section to configure dynamic routing for traffic through the VPN tunnel or tunnels using the BGP routing protocol. This configuration will use ECMP to load-balance the traffic between the two tunnels.

Configure prefix lists to limit the inbound and outbound prefix advertisement:

prefix-list GCP-IN seq 5 permit 10.0.1.0/24 le 32
prefix-list GCP-IN seq 6 permit 10.0.2.0/24 le 32
prefix-list GCP-OUT seq 5 permit 192.168.1.0/24 le 32

Configure BGP peers to dynamically exchange prefixes between on-premises and Google Cloud:

router bgp 65002
 bgp log-neighbor-changes
 bgp graceful-restart
 bgp router-id 192.168.1.1
 address-family ipv4 unicast
  neighbor 169.254.163.217 remote-as 65001
  neighbor 169.254.163.217 ebgp-multihop 2
  neighbor 169.254.163.217 activate
  neighbor 169.254.163.217 prefix-list GCP-IN in
  neighbor 169.254.163.217 prefix-list GCP-OUT out
  neighbor 169.254.163.217 maximum-prefix 100 70
  neighbor 169.254.92.229 remote-as 65001
  neighbor 169.254.92.229 ebgp-multihop 2
  neighbor 169.254.92.229 activate
  neighbor 169.254.92.229 prefix-list GCP-IN in
  neighbor 169.254.92.229 prefix-list GCP-OUT out
  neighbor 169.254.92.229 maximum-prefix 100 70
  network 192.168.1.0
  maximum-paths 2
  no auto-summary
  no synchronization
 exit-address-family
!

Create an access list to allow traffic from Google Cloud and apply on tunnel interfaces.

access-list GCP-IN extended permit ip any any 
access-group GCP-IN in interface gcp-if-0
access-group GCP-IN in interface gcp-if-0 control-plane
access-group GCP-IN in interface gcp-if-1
access-group GCP-IN in interface gcp-if-1 control-plane

Save the on-premises configuration:

write memory

CISCO-ASA5506H-001# sh crypto ikev2 sa  detail

IKEv2 SAs:

Session-id:100, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                   Remote                Status         Role
1738689761 209.119.81.225/500     35.220.72.68/500       READY    INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/24695 sec
      Session-id: 100
      
CISCO-ASA5506H-001# sh crypto ipsec sa detail
interface: tunnel-a
    Crypto map tag: __vti-crypto-map-4-0-10, seq num: 65280, local addr: 209.119.81.225

  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  current_peer: 35.242.111.74

It's important to test the VPN connection from both sides of a VPN tunnel. For either side, make sure that the subnet that a machine or virtual machine is located in is being forwarded through the VPN tunnel.

1. Create a VM on Google Cloud, configuring the VMs on a subnet that will pass traffic through the VPN tunnel:

   gcloud compute instances create test-vpn-tunnel-1 --subnet=subnet-a-central \
   --machine-type=f1-micro --image-family=debian-9 --image-project=debian-cloud --no-address      
   

2. After you have deployed VMs on Google Cloud and on-premises, you can use an ICMP echo (ping) test to test network connectivity through the VPN tunnel.

   On the Google Cloud side, use the following instructions to test the connection to a machine that's behind the on-premises gateway:

   1. In the Cloud Console, go to the VM Instances page.

   2. Find the Google Cloud virtual machine you created.

   3. In the Connect column, click SSH. A Cloud Shell window opens at the VM command line.

   4. Ping a machine that's behind the on-premises gateway.

      CISCO-ASA5506H-001#ping 10.0.1.3 source 192.168.1.1
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 10.0.1.3, timeout is 2 seconds:
      Packet sent with a source address of 192.168.1.1
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/20 ms
      

See the following Cisco ASA 5506H documentation and Cloud VPN documentation for additional information about both products.

To learn more about Google Cloud networking, see the following documents:

• VPC networks
• Cloud VPN overview
• Advanced Cloud VPN configurations
• Check VPN status
• Terraform template for HA VPN
• Troubleshooting Cloud VPN
• Create a virtual machine on Google Cloud

• ASA Virtual Tunnel Interface
• ASA site2site VPN