Creating a VPN

This page walks you through creating a Google Cloud VPN gateway and tunnel using static routes. See the Cloud Router documentation for creating VPNs based on dynamic routes. The VPN Overview describes the concepts of Cloud VPN.

For guides detailing VPN setup between GCP and other vendors or providers, see the Interoperability Guides.

Before you begin

Choosing your GCP network configuration

Depending on your GCP network and how many regions you want to connect, the initial procedure is somewhat different. Choose one of the options here to get started.

Simple setup

The simplest way to set up a VPN is to configure the VPN tunnel to accept all traffic routed through it and to rely on network routes to send only the correct traffic through the tunnel. This is called route-based VPN, and it is the easiest way to configure IKE and the most flexible setup if the subnet sizes are subject to change.

This procedure uses the --remote-traffic-selector parameter on the VPN tunnel create command to tell the tunnel to accept traffic from any IP address (0.0.0.0/0), which simplifies IKE setup.

Console


Not yet available. Please see the gcloud command-line tool instructions instead.

gcloud


  1. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you wish to reach. This step creates an unconfigured VPN gateway named vpn1 in your GCP network.

    gcloud compute target-vpn-gateways create vpn1 \
      --network [NETWORK] \
      --region us-central1
    

    NAME NETWORK   REGION
    vpn1 [NETWORK] us-central1

  2. Reserve a static IP address in the GCP network and region where you created the VPN gateway. Make a note of the created address for use in future steps.

    gcloud compute --project [PROJECT_ID] addresses create \
        --region us-central1 vpn-static-ip
    
  3. Create a forwarding rule that forwards ESP traffic toward the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step generates a forwarding rule named fr-esp.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-esp \
        --region us-central1 \
        --ip-protocol ESP \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    
  4. Create a forwarding rule that forwards UDP:500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step creates a forwarding rule named fr-udp500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp500 \
       --region us-central1 \
       --ip-protocol UDP \
       --ports 500 \
       --address [VPN_STATIC_IP_ADDRESS] \
       --target-vpn-gateway vpn1
    
  5. Create a forwarding rule that forwards UDP:4500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] reserved earlier. This step creates a forwarding rule named fr-udp4500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp4500 \
        --region us-central1 \
        --ip-protocol UDP \
        --ports 4500 \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    
  6. Create a VPN tunnel on the Cloud VPN Gateway that points toward the external IP address [CUST_GW_EXT_IP] of your peer VPN gateway. You also need to supply the shared secret. The default, and preferred, IKE version is 2. If you need to set it to 1, use --ike-version 1. The following example sets IKE version to 2. Setting --remote-traffic-selector and --local-traffic-selector to 0.0.0.0/0 configures the tunnel to pass any traffic routed to it. When using this configuration, configure the peer side of the tunnel the same way. After you run this command, resources are allocated for this VPN tunnel, but it will not pass traffic until routes are configured to forward traffic to it, firewall rules are opened, and the peer router is configured.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
        --peer-address [CUST_GW_EXT_IP] \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --target-vpn-gateway vpn1 \
        --local-traffic-selector 0.0.0.0/0 \
        --remote-traffic-selector 0.0.0.0/0
    
  7. Use a static route to forward traffic to the destination range of IP addresses ([CIDR_DEST_RANGE]) in your local network. You can repeat this command to add multiple ranges to the VPN tunnel. The region must be the same as for the tunnel.

    gcloud compute --project [PROJECT_ID] routes create route1 \
        --network [NETWORK] \
        --next-hop-vpn-tunnel tunnel1 \
        --next-hop-vpn-tunnel-region us-central1 \
        --destination-range [CIDR_DEST_RANGE]
    
  8. Configure your firewall rules.

Creating a gateway and a tunnel for an auto subnet network using only the gateway subnet

By default, the VPN tunnel in an auto subnet network forwards traffic only from the subnet containing the gateway. Use this procedure if that is what you want to set up.

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click Create VPN connection.
  3. Populate the following fields for the gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway.
    • Network — The GCP network containing the instances the VPN gateway will serve.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. Example: us-central1
    • IP address — Select a pre-existing static external IP address. If you don't have a static external IP address, you can create one by clicking New static IP address in the pull-down menu.
  4. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the other VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared secret — Used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the other side of the tunnel doesn't generate one automatically, you can make one up.
    • Remote network IP range — The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.
    • Local subnetworks — Specifies which IP ranges will be routed through the tunnel. This value cannot be changed after the tunnel is created because it is used in the IKE handshake.
      • Select the gateway's entire subnet in the pull-down menu. Or, you can leave it blank since the local subnet is the default.
      • Leave Local IP ranges blank except for the gateway's subnet.
  5. Click Add tunnel only if you want to add more tunnels.
  6. Click Create to create the gateway and initiate all tunnels, though tunnels will not connect until you've completed the additional steps below.
    This step automatically creates a network-wide route and necessary forwarding rules for the tunnel.
  7. Configure your firewall rules.

gcloud


For all steps, replace [PROJECT_ID] with your project's system-generated ID.

  1. Choose or create an auto subnet network. Consult the table of auto subnetwork IP ranges to confirm that the subnet for the region does not conflict with the peer network. If it does, you can either create a custom network, use a legacy network, or change the IP range of the peer network.

    gcloud compute --project [PROJECT_ID] networks create \
        --mode auto [NETWORK]
    
  2. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you wish to reach. This step creates an unconfigured VPN gateway named vpn1 in your GCP network.

    gcloud compute target-vpn-gateways create vpn1 \
      --network [NETWORK] \
      --region us-central1
    

    NAME NETWORK   REGION
    vpn1 [NETWORK] us-central1

  3. Reserve a static IP address in the GCP network and region where you created the VPN gateway. Make a note of the created address for use in future steps.

    gcloud compute --project [PROJECT_ID] addresses create \
        --region us-central1 vpn-static-ip
    

    NAME          REGION      ADDRESS         STATUS
    vpn-static-ip us-central1 [VPN_STATIC_IP_ADDRESS]      RESERVED

    vpn-static-ip ~> [VPN_STATIC_IP_ADDRESS]

  4. Create a forwarding rule that forwards ESP traffic toward the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step generates a forwarding rule named fr-esp.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-esp \
        --region us-central1 \
        --ip-protocol ESP \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME   REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-esp us-central1 [VPN_STATIC_IP_ADDRESS]      ESP         us-central1/targetVpnGateways/vpn1

  5. Create a forwarding rule that forwards UDP:500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step creates a forwarding rule named fr-udp500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp500 \
       --region us-central1 \
       --ip-protocol UDP \
       --ports 500 \
       --address [VPN_STATIC_IP_ADDRESS] \
       --target-vpn-gateway vpn1
    

    NAME      REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  6. Create a forwarding rule that forwards UDP:4500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] reserved earlier. This step creates a forwarding rule named fr-udp4500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp4500 \
        --region us-central1 \
        --ip-protocol UDP \
        --ports 4500 \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME       REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp4500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  7. Create a VPN tunnel on the Cloud VPN Gateway that points toward the external IP address [CUST_GW_EXT_IP] of your peer VPN gateway. You also need to supply the shared secret. The default, and preferred, IKE version is 2. If you need to set it to 1, use --ike-version 1. The following example sets IKE version to 2. After you run this command, resources are allocated for this VPN tunnel, but it is not yet passing traffic.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
        --peer-address [CUST_GW_EXT_IP] \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --target-vpn-gateway vpn1
    

    NAME    REGION      GATEWAY PEER_ADDRESS
    tunnel1 us-central1 vpn1    [CUST_GW_EXT_IP]

  8. Use a static route to forward traffic to the destination range of IP addresses ([CIDR_DEST_RANGE]) in your local network. You can repeat this command to add multiple ranges to the VPN tunnel. The region must be the same as for the tunnel.

    gcloud compute --project [PROJECT_ID] routes create route1 \
        --network [NETWORK] \
        --next-hop-vpn-tunnel tunnel1 \
        --next-hop-vpn-tunnel-region us-central1 \
        --destination-range [CIDR_DEST_RANGE]
    

    NAME   NETWORK   DEST_RANGE       NEXT_HOP PRIORITY
    route1 [NETWORK] [CIDR_DEST_RANGE]         1000

  9. Configure your firewall rules.

Creating a gateway and a tunnel for an auto subnet network and more than one subnet

By default, the VPN tunnel in an auto subnet network forwards traffic only from the subnet containing the gateway. If you wish to forward traffic from other subnets, use this procedure.

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click Create VPN connection.
  3. Populate the following fields for the gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway.
    • Network — The GCP network containing the instances the VPN gateway will serve.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you want to reach. Example: us-central1
    • IP address — Select a pre-existing static external IP address. If you don't have a static external IP address, you can create one by clicking New static IP address in the pull-down menu.
  4. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the other VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared secret — Used in establishing encryption for the tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the other side of the tunnel doesn't generate one automatically, you can make one up.
    • Remote network IP range — The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.
    • Local subnetworks — Specifies which IP ranges will be routed through the tunnel. This value cannot be changed after the tunnel is created because it is used in the IKE handshake.
      • If you want the gateway's entire subnet to be able to use the tunnel, select it in the pull-down menu. If you only want a smaller prefix to use the tunnel, or you only want other ranges to use the tunnel, skip the pull-down menu.
      • If you want other ranges to be able to use the tunnel, specify those ranges in the Local IP ranges field.
  5. Click Add tunnel only if you want to add more tunnels.
  6. Click Create to create the Gateway and initiate all tunnels, though tunnels will not connect until you've completed the additional steps below.
    This step automatically creates a network-wide route and necessary forwarding rules for the tunnel.
  7. Configure your firewall rules.

gcloud


For all steps, replace [PROJECT_ID] with your project's system-generated ID.

  1. Choose or create an auto subnet network. Consult the table of auto subnetwork IP ranges to confirm that the subnet for the region does not conflict with the peer network. If it does, you can either create a custom network, use a legacy network, or change the IP range of the peer network.

    gcloud compute --project [PROJECT_ID] networks create \
        --mode auto [NETWORK]
    
  2. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you want to reach. This step creates an unconfigured VPN gateway named vpn1 in your GCP network.

    gcloud compute target-vpn-gateways create vpn1 \
      --network [NETWORK] \
      --region us-central1
    

    NAME NETWORK   REGION
    vpn1 [NETWORK] us-central1

  3. Reserve a static IP address in the GCP network and region where you created the VPN gateway. Make a note of the created IP address for use in future steps.

    gcloud compute --project [PROJECT_ID] addresses create \
        --region us-central1 vpn-static-ip
    

    NAME          REGION      ADDRESS         STATUS
    vpn-static-ip us-central1 [VPN_STATIC_IP_ADDRESS]      RESERVED

    vpn-static-ip ~> [VPN_STATIC_IP_ADDRESS]

  4. Create a forwarding rule that forwards ESP traffic toward the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step generates a forwarding rule named fr-esp.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-esp \
        --region us-central1 \
        --ip-protocol ESP \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME   REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-esp us-central1 [VPN_STATIC_IP_ADDRESS]      ESP         us-central1/targetVpnGateways/vpn1

  5. Create a forwarding rule that forwards UDP:500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step creates a forwarding rule named fr-udp500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp500 \
       --region us-central1 \
       --ip-protocol UDP \
       --ports 500 \
       --address [VPN_STATIC_IP_ADDRESS] \
       --target-vpn-gateway vpn1
    

    NAME      REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  6. Create a forwarding rule that forwards UDP:4500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] reserved earlier. This step creates a forwarding rule named fr-udp4500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp4500 \
        --region us-central1 \
        --ip-protocol UDP \
        --ports 4500 \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME       REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp4500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  7. Use the --local-traffic-selector field and a comma-separated list of IP prefixes to specify all the GCP subnets you want to include in the tunnel, since you want to forward more than one subnet to the tunnel. If you want to include the subnet local to the tunnel, you must list it explicitly.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
        --peer-address [CUST_GW_EXT_IP] \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --local-traffic-selector 10.128.0.0/16,10.130.0.0/16 \
        --target-vpn-gateway vpn1
    
  8. Create routes to forward traffic to the tunnel. First, add a common tag to all your instances in both subnets. You can do this at instance creation or after instance creation. You can also add tags through instance templates.

    gcloud compute instances add-tags example-instance-subnet-a \
        --tags tag-subnet-a
    
    gcloud compute instances add-tags example-instance-subnet-b \
        --tags tag-subnet-b
    
  9. Use the tags you just created to add a static route to all the instances in the subnetworks. This route has the peer prefix [CIDR_DEST_RANGE] as its destination and tunnel1 as its next hop.

    gcloud compute --project [PROJECT_ID] routes create route1 \
        --network [NETWORK] \
        --next-hop-vpn-tunnel tunnel1 \
        --next-hop-vpn-tunnel-region us-central1 \
        --destination-range [CIDR_DEST_RANGE] \
        --tags tag-subnet-a,tag-subnet-b
    
  10. Configure your firewall rules.

Creating a gateway and a tunnel for a custom subnet network

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click Create VPN connection.
  3. Populate the following fields for the gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway.
    • Network — The GCP network containing the instances the VPN gateway will serve.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. Example: us-central1
    • IP address — Select a pre-existing static external IP address. If you don't have a static external IP address, you can create one by clicking New static IP address in the pull-down menu.
  4. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the other VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared secret — Used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the other side of the tunnel doesn't generate one automatically, you can make one up.
    • Remote network IP range — The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.
    • Local subnetworks — Specifies which IP ranges will be routed through the tunnel. This value cannot be changed once the tunnel is created because it is used in the IKE handshake.
      • If you want the gateway's entire subnet to be able to use the tunnel, select it in the pull-down menu. If you only want a smaller prefix to use the tunnel, or you only want other ranges to use the tunnel, skip the pull-down menu.
      • If you want other ranges to be able to use the tunnel, specify those ranges in the Local IP ranges field.
  5. Click Add tunnel only if you want to add more tunnels.
  6. Click Create to create the Gateway and initiate all tunnels, though tunnels will not connect until you've completed the additional steps below.
    This step automatically creates a network-wide route and necessary forwarding rules for the tunnel.
  7. Configure your firewall rules.

gcloud


For all steps, replace [PROJECT_ID] with your project's system-generated ID.

  1. Create a custom network and subnets for your network.

  2. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you want to reach. This step creates an unconfigured VPN gateway named vpn1 in your GCP network.

    gcloud compute target-vpn-gateways create vpn1 \
      --network [NETWORK] \
      --region us-central1
    

    NAME NETWORK   REGION
    vpn1 [NETWORK] us-central1

  3. Reserve a static IP address in the GCP network and region where you created the VPN gateway. Make a note of the created address for use in future steps.

    gcloud compute --project [PROJECT_ID] addresses create \
        --region us-central1 vpn-static-ip
    

    NAME          REGION      ADDRESS         STATUS
    vpn-static-ip us-central1 [VPN_STATIC_IP_ADDRESS]      RESERVED

    vpn-static-ip ~> [VPN_STATIC_IP_ADDRESS]

  4. Create a forwarding rule that forwards ESP traffic toward the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step generates a forwarding rule named fr-esp.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-esp \
        --region us-central1 \
        --ip-protocol ESP \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME   REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-esp us-central1 [VPN_STATIC_IP_ADDRESS]      ESP         us-central1/targetVpnGateways/vpn1

  5. Create a forwarding rule that forwards UDP:500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step creates a forwarding rule named fr-udp500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp500 \
       --region us-central1 \
       --ip-protocol UDP \
       --ports 500 \
       --address [VPN_STATIC_IP_ADDRESS] \
       --target-vpn-gateway vpn1
    

    NAME      REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  6. Create a forwarding rule that forwards UDP:4500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] reserved earlier. This step creates a forwarding rule named fr-udp4500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp4500 \
        --region us-central1 \
        --ip-protocol UDP \
        --ports 4500 \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME       REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp4500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  7. Use the --local-traffic-selector field and a comma-separated list of IP prefixes to specify all the GCP subnets you wish to include in the tunnel.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
        --peer-address [CUST_GW_EXT_IP] \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --local-traffic-selector 10.128.0.0/16,10.130.0.0/16 \
        --target-vpn-gateway vpn1
    
  8. Create routes to forward traffic to the tunnel. First, add a common tag to all your instances in both subnets. You can add the tag when you create an instance or after you create an instance. You can also add the tags to instance templates.

    gcloud compute instances add-tags example-instance-subnet-a \
        --tags tag-subnet-a
    
    gcloud compute instances add-tags example-instance-subnet-b \
        --tags tag-subnet-b
    
  9. Use the tags you just created to add a static route to all of the instances in the subnetworks. This route has a destination peer prefix of [CIDR_DEST_RANGE] and a next hop of tunnel1.

    gcloud compute --project [PROJECT_ID] routes create route1 \
        --network [NETWORK] \
        --next-hop-vpn-tunnel tunnel1 \
        --next-hop-vpn-tunnel-region us-central1 \
        --destination-range [CIDR_DEST_RANGE] \
        --tags tag-subnet-a,tag-subnet-b
    
  10. Configure your firewall rules.

Creating a gateway and a tunnel for a legacy network

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click Create VPN connection.
  3. Populate the following fields for the gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway.
    • Network — The GCP network containing the instances the VPN gateway will serve.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. Example: us-central1
    • IP address — Select a pre-existing static external IP address. If you don't have a static external IP address, you can create one by clicking New static IP address in the pull-down menu.
  4. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the other VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared secret — Used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the other side of the tunnel doesn't generate one automatically, you may make one up.
    • Remote network IP range — The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.
    • Local IP ranges — Specifies which IP ranges will be routed through the tunnel. This value cannot be changed once the tunnel is created because it is used in the IKE handshake. For legacy networks, this field should be left blank so that the entire network can use the VPN tunnel. You can specify subnetworks within the network, but since IP allocations in a legacy network are not predictable, such a configuration can be difficult to manage.
  5. Click Add tunnel only if you want to add more tunnels.
  6. Click Create to create the Gateway and initiate all tunnels, though tunnels will not connect until you've completed the additional steps below.
    This step automatically creates a network-wide route and necessary forwarding rules for the tunnel.
  7. Configure your firewall rules.

gcloud


For all steps, replace [PROJECT_ID] with your project's system-generated ID and [NETWORK] with the name of your legacy network.

  1. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you want to reach. This step creates an unconfigured VPN gateway named vpn1 in your GCP network.

    gcloud compute target-vpn-gateways create vpn1 \
      --network [NETWORK] \
      --region us-central1
    

    NAME NETWORK   REGION
    vpn1 [NETWORK] us-central1

  2. Reserve a static IP address in the GCP network and region where you created the VPN gateway. Make a note of the created address for use in future steps.

    gcloud compute --project [PROJECT_ID] addresses create \
        --region us-central1 vpn-static-ip
    

    NAME          REGION      ADDRESS         STATUS
    vpn-static-ip us-central1 [VPN_STATIC_IP_ADDRESS]      RESERVED

    vpn-static-ip ~> [VPN_STATIC_IP_ADDRESS]

  3. Create a forwarding rule that forwards ESP traffic toward the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step generates a forwarding rule named fr-esp.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-esp \
        --region us-central1 \
        --ip-protocol ESP \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME   REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-esp us-central1 [VPN_STATIC_IP_ADDRESS]      ESP         us-central1/targetVpnGateways/vpn1

  4. Create a forwarding rule that forwards UDP:500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] you reserved earlier. This step creates a forwarding rule named fr-udp500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp500 \
       --region us-central1 \
       --ip-protocol UDP \
       --ports 500 \
       --address [VPN_STATIC_IP_ADDRESS] \
       --target-vpn-gateway vpn1
    

    NAME      REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  5. Create a forwarding rule that forwards UDP:4500 traffic to the Cloud VPN gateway. Use the static IP address [VPN_STATIC_IP_ADDRESS] reserved earlier. This step creates a forwarding rule named fr-udp4500.

    gcloud compute --project [PROJECT_ID] forwarding-rules create fr-udp4500 \
        --region us-central1 \
        --ip-protocol UDP \
        --ports 4500 \
        --address [VPN_STATIC_IP_ADDRESS] \
        --target-vpn-gateway vpn1
    

    NAME       REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    fr-udp4500 us-central1 [VPN_STATIC_IP_ADDRESS]      UDP         us-central1/targetVpnGateways/vpn1

  6. Create a VPN tunnel on the Cloud VPN Gateway that points toward the external IP address [CUST_GW_EXT_IP] of your peer VPN gateway. You also need to supply the shared secret. The default, and preferred, IKE version is 2. If you need to set it to 1, use --ike-version 1. The following example sets IKE version to 2. After you run this command, resources are allocated for this VPN tunnel, but it is not yet passing traffic.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
        --peer-address [CUST_GW_EXT_IP] \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --target-vpn-gateway vpn1
    

    NAME    REGION      GATEWAY PEER_ADDRESS
    tunnel1 us-central1 vpn1    [CUST_GW_EXT_IP]

  7. Use a static route to forward traffic to the destination range of IP addresses ([CIDR_DEST_RANGE]) in your local network. You can repeat this command to add multiple ranges to the VPN tunnel. You must create the route in the same region as the tunnel.

    gcloud compute --project [PROJECT_ID] routes create route1 \
        --network [NETWORK] \
        --next-hop-vpn-tunnel tunnel1 \
        --next-hop-vpn-tunnel-region us-central1 \
        --destination-range [CIDR_DEST_RANGE]
    

    NAME   NETWORK   DEST_RANGE       NEXT_HOP PRIORITY
    route1 [NETWORK] [CIDR_DEST_RANGE]         1000

  8. Configure your firewall rules.

Configuring firewall rules

Configure the firewall on the GCP network to allow traffic from your peer network to your instances. This rule allows all TCP, UDP, and ICMP traffic from the peer network.

Console

  1. Go to the VPN page in the Google Cloud Platform Console.
  2. View the VPN tunnels for that project.
  3. Click Configure in the Firewall Rules column of the new tunnel.
    This takes you to a configuration page for the network containing the tunnel.
  4. Click New Firewall Rule. Add a rule for TCP, UDP, and ICMP:
    • Name: allow-tcp-udp-icmp
    • Source filter: IP ranges.
    • Source IP ranges: Remote Network IP Range value from when you created the tunnel. If you have more than one peer network range, enter each one. Press the Tab key between entries.
    • Allowed protocols or ports: tcp; udp; icmp
    • Target tags: Any valid tag or tags.
  5. Click Create.
  6. Create other firewall rules if necessary.

gcloud

    gcloud compute --project [PROJECT_ID] firewall-rules create vpnrule1 \
        --network [NETWORK] \
        --allow tcp,udp,icmp \
        --source-ranges [PEER_SOURCE_RANGE]

If you have more than one peer network range, provide a comma-separated list in the source-ranges field (--source-ranges 10.10.4.0/24,10.10.6.0/24).

See the gcloud firewall rules documentation for more information about the firewall-rules command.

Setting up the Peer VPN gateway

Configure the Peer VPN gateway and tunnel with the following parameters.

For IKEv1 and IKEv2:

IPsec Mode: ESP+Auth Tunnel mode (Site-to-Site)
Auth Protocol: psk
Shared Secret: Also known as an IKE pre-shared key. Choose a strong password. The shared secret is very sensitive, as it allows access into your network.
Start: `auto` (the peer device should automatically restart the connection if it drops)
PFS (Perfect Forward Secrecy): on
DPD (Dead Peer Detection): Recommended: `Aggressive`. DPD detects when the Cloud VPN restarts and routes traffic using alternate tunnels.
INITIAL_CONTACT (sometimes called uniqueids): Recommended: `on` (sometimes called ‘restart’). The purpose is to detect restarts faster so that perceived downtime is reduced.
TSi (Traffic Selector - Initiator): Subnet networks: the ranges specified by the --local-traffic-selector flag. If --local-traffic-selector was not specified because the VPN is in an auto subnet network and is announcing only the gateway's subnetwork, then that subnetwork range is used. Legacy networks: the range of the network.
TSr (Traffic Selector - Responder): IKEv2: the destination ranges of all of the routes that have --next-hop-vpn-tunnel set to this tunnel. IKEv1: arbitrarily, the destination range of one of the routes that has --next-hop-vpn-tunnel set to this tunnel.
MTU: The MTU of the peer VPN device must be set to 1460 or lower. ESP packets leaving the device must not exceed 1460 bytes. You must enable prefragmentation on your device, which means that packets must be fragmented first, then encapsulated.

Additional parameters for IKEv1 only:

IKE/ISAKMP: aes128-sha1-modp1024
ESP: aes128-sha1
PFS Algorithm: Group 2 (MODP_1024)
NAT-T: off (Cloud VPN does not support NAT-T)

Checking the status of your tunnel

Verify that your tunnel is up.

Console

  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Look for a check mark next to the Peer IP address field. If one is there, your gateways have negotiated a tunnel. If no mark appears after a few minutes, see Troubleshooting.

For advanced monitoring and alerting related to your VPN tunnels, use Stackdriver Monitoring.

gcloud

Confirm that the tunnel is up.

    gcloud compute --project [PROJECT_ID] vpn-tunnels describe tunnel1 \
        --region us-central1

    creationTimestamp: '2014-11-26T04:38:28.260-08:00'
    description: ''
    detailedStatus: 'Tunnel is up and running..  More info: <link to more info>'
    id: 'ID'
    ikeVersion: 2
    kind: compute#vpnTunnel
    name: tunnel1
    peerIp: [CUST_GW_EXT_IP]
    region: us-central1
    selfLink: [TUNNEL_RESOURCE_URL]
    sharedSecret: [SHARED_SECRET]
    sharedSecretHash: AFWI5mBld5swmCciGVEU1IO6lfJs
    status: ESTABLISHED
    targetVpnGateway: [RESOURCE_IP_ADDRESS]

The Status field shows one of the following results.

WAITING_FOR_FULL_CONFIG: User-side configuration is incomplete. A forwarding rule, route, or something else is missing.
ESTABLISHED: The VPN is up and working.
FIRST_HANDSHAKE: The gateway is attempting to connect to the peer.
NO_INCOMING_PACKETS: The gateway is not receiving any packets from the peer. Possibly the IP is wrong, or perhaps the other gateway is down or misconfigured.
NEGOTIATION_FAILURE: The two gateways failed to establish a tunnel, but it isn't clear why. Recommend checking logs.

List your forwarding rules to confirm that they are correct.

    gcloud compute --project [PROJECT_ID] forwarding-rules list --region us-central1

    NAME       REGION      IP_ADDRESS      IP_PROTOCOL TARGET
    forward1   us-central1 173.255.115.137 TCP         us-central1/targetPools/pool1
    fr-esp     us-central1 130.211.116.215 ESP         us-central1/targetVpnGateways/vpn1
    fr-udp4500 us-central1 130.211.116.215 UDP         us-central1/targetVpnGateways/vpn1
    fr-udp500  us-central1 130.211.116.215 UDP         us-central1/targetVpnGateways/vpn1

List your routes to confirm that they are correct.

    gcloud compute --project [PROJECT_ID] routes list

    NAME                           NETWORK   DEST_RANGE       NEXT_HOP                 PRIORITY
    default-route-044ea64475ed089f default   0.0.0.0/0        default-internet-gateway 1000
    default-route-32610888d82a7e33 default   10.240.0.0/16                             1000
    default-route-5f2161531059c062 [NETWORK] 0.0.0.0/0        default-internet-gateway 1000
    default-route-672665719a1ec4c5 [NETWORK] 10.120.0.0/16                             1000
    route1                         [NETWORK] 192.168.100.0/24                          1000
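The following script is an added example, not part of the Cloud VPN documentation: it applies the checks above to the text output of `vpn-tunnels describe` and `forwarding-rules list`, mapping the status field to the status table and confirming that the gateway has its ESP, UDP 500 and UDP 4500 forwarding rules on a single address. The sample outputs, the gateway name vpn1 and the documentation-range IP addresses are constructed so the script runs without gcloud.

```shell
#!/bin/sh
# Added example (not from the Cloud VPN docs): check gcloud output against what
# the procedure expects. Functions take the command output as text, so the
# constructed samples below let it run without gcloud.

# Constructed `vpn-tunnels describe` output, reduced to the fields used here.
SAMPLE_DESCRIBE='name: tunnel1
peerIp: 203.0.113.10
status: ESTABLISHED
targetVpnGateway: us-central1/targetVpnGateways/vpn1'

# Constructed `forwarding-rules list --region us-central1` output for gateway vpn1.
SAMPLE_RULES='NAME       REGION      IP_ADDRESS   IP_PROTOCOL TARGET
forward1   us-central1 198.51.100.7 TCP         us-central1/targetPools/pool1
fr-esp     us-central1 192.0.2.5    ESP         us-central1/targetVpnGateways/vpn1
fr-udp4500 us-central1 192.0.2.5    UDP         us-central1/targetVpnGateways/vpn1
fr-udp500  us-central1 192.0.2.5    UDP         us-central1/targetVpnGateways/vpn1'

# Print the note from the status table for the tunnel's `status:` field.
# Returns 0 only for ESTABLISHED, so the result can gate further checks.
tunnel_status_check() {
    status=$(printf '%s\n' "$1" | sed -n 's/^status: *//p' | head -n 1)
    case "$status" in
        ESTABLISHED) echo "ok: tunnel is up"; return 0 ;;
        WAITING_FOR_FULL_CONFIG) echo "$status: a forwarding rule, route or other setting is missing" ;;
        FIRST_HANDSHAKE) echo "$status: still negotiating, wait a few minutes" ;;
        NO_INCOMING_PACKETS) echo "$status: check the peer IP and whether the peer gateway is up" ;;
        NEGOTIATION_FAILURE) echo "$status: IKE negotiation failed, check logs on both gateways" ;;
        *) echo "unknown status '$status'" ;;
    esac
    return 1
}

# Verify that gateway $2 has exactly the three rules the procedure creates:
# one ESP and two UDP, all on one IP. The list output has no port column, so
# confirm 500 and 4500 with `forwarding-rules describe` when in doubt.
forwarding_rules_check() {
    rows=$(printf '%s\n' "$1" | awk -v gw="/targetVpnGateways/$2" 'index($5, gw) {print $3, $4}')
    esp=$(printf '%s\n' "$rows" | awk '$2 == "ESP" {n++} END {print n+0}')
    udp=$(printf '%s\n' "$rows" | awk '$2 == "UDP" {n++} END {print n+0}')
    ips=$(printf '%s\n' "$rows" | awk 'NF && !seen[$1]++ {n++} END {print n+0}')
    [ "$esp" -eq 1 ] && [ "$udp" -eq 2 ] && [ "$ips" -eq 1 ]
}

tunnel_status_check "$SAMPLE_DESCRIBE"
forwarding_rules_check "$SAMPLE_RULES" vpn1 && echo "ok: ESP, UDP 500 and UDP 4500 rules present"
```

Against a real project, pass the live output instead of the samples, for example `forwarding_rules_check "$(gcloud compute --project [PROJECT_ID] forwarding-rules list --region us-central1)" vpn1`.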

What's next

  • See the Overview for an introduction to Cloud VPN.
  • See Managing VPNs for instructions for adding more tunnels, and deleting tunnels and gateways.
  • See Troubleshooting if you run into problems.
