Creating a Classic VPN using static routing

This page describes how to use static routing to create a Classic VPN gateway and one tunnel. This tunnel is either a policy-based or route-based tunnel.

With route-based VPN, you specify only the remote traffic selector. If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy-based routing instead.

For more information about Cloud VPN, see the following resources:

For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.
For more information about Cloud VPN, see the Cloud VPN overview.
For definitions of terms used on this page, see Key terms.

Routing options

When you use the Google Cloud Console to create a policy-based tunnel, Classic VPN performs the following tasks:

Sets the tunnel's local traffic selector to the IP range that you specify.
Sets the tunnel's remote traffic selector to the IP ranges that you specify in the Remote network IP ranges field.
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR, and whose next hop is the tunnel.

When you use the Cloud Console to create a route-based tunnel, Classic VPN performs the following tasks:

Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0).
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR and whose next hop is the tunnel.

When you use the gcloud command-line tool to create either a policy-based tunnel or a route-based tunnel, traffic selectors for the tunnel are defined in the same way. However, because the creation of custom static routes is done with separate commands, you have more control over those routes.

The number of CIDRs that you can specify in a traffic selector depends on the IKE version.

For important background information, see the following:

Before you begin

Set up the following items in Google Cloud to make it easier to configure Cloud VPN:

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

If you are using the gcloud command-line tool, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
```
    gcloud config set project PROJECT_ID
    
```

You can also view a project ID that has already been set by running the following command:
```
    gcloud config list --format='text(core.project)'
    
```

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.use
compute.targetVpnGateways.setLabels

Roles

roles/compute.networkAdmin

Creating a custom VPC network and subnet

Before creating a Classic VPN gateway and tunnel, create a Virtual Private Cloud (VPC) network and at least one subnet in the region where the Classic VPN gateway resides:

To create a custom mode VPC network (recommended), see Creating a custom mode VPC network.
To create subnets, see Working with subnets.

Creating a gateway and tunnel

The VPN setup wizard is the only console option for creating a Classic VPN gateway. The wizard includes all required configuration steps for creating a Classic VPN gateway, tunnels, BGP sessions, and an external VPN gateway resource. However, you can complete certain steps later, such as configuring BGP sessions.

Console

Configure the gateway

In the Google Cloud Console, go to the VPN page.

Go to VPN
If you are creating a gateway for the first time, click Create VPN connection.
Select the VPN setup wizard.
Select the Classic VPN option button.
Click Continue.
On the Create a VPN connection page, specify the following gateway settings:
- Name: The name of the VPN gateway. The name cannot be changed later.
- Description: Optionally, add a description.
- Network: Specify an existing VPC network in which to create the VPN gateway and tunnel.
- Region: Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
- IP address: Create or choose an existing regional external IP address.

Configure tunnels

For the new tunnel, in the Tunnels section, specify the following settings:
- Name: The name of the VPN tunnel. The name cannot be changed later.
- Description: Optionally, type a description.
- Remote peer IP address: Specify the external IP address of the peer VPN gateway.
- IKE version: Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
  Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side; otherwise, the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.
  
  This rekeying issue is caused by a large Security Association (SA) payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.
- IKE pre-shared key: Provide a pre-shared key (shared secret) used for authentication. The pre-shared key for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. To generate a cryptographically strong pre-shared key, follow these directions.
For policy-based tunnels
1. Under Routing options, select Policy-based.
2. Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. This is the remote traffic selector, or the right side from the perspective of Cloud VPN.
3. Under Local IP ranges, select one of the following methods:
  - To choose an existing local IP range, use the Local subnetworks menu.
  - To enter a list of space-separated IP ranges used in your VPC network, use the Local IP ranges field. For important considerations, see Policy-based tunnels and traffic selectors.
For route-based tunnels
1. Under Routing options, select Route-based.
2. Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. These ranges are used to create custom static routes whose next hop is this VPN tunnel.
If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can also add more tunnels later.
Click Create.

gcloud

To create a Cloud VPN gateway, complete the following command sequence. In the commands, replace the following:

PROJECT_ID: the ID of your project
NETWORK: the name of your Google Cloud network
REGION: the Google Cloud region where you create the gateway and tunnel
GW_NAME: the name of the gateway
GW_IP_NAME: a name for the external IP address used by the gateway
Optional: The --target-vpn-gateway-region is the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.

Configure the gateway resources

Create the target VPN gateway object:

gcloud compute target-vpn-gateways create GW_NAME \
   --network=NETWORK \
   --region=REGION \
   --project=PROJECT_ID

Reserve a regional external (static) IP address:

gcloud compute addresses create GW_IP_NAME \
   --region=REGION \
   --project=PROJECT_ID

Note the IP address (so you can use it when you configure your peer VPN gateway):

gcloud compute addresses describe GW_IP_NAME \
   --region=REGION \
   --project=PROJECT_ID \
   --format='flattened(address)'

Create three forwarding rules; these rules instruct Google Cloud to send ESP (IPsec), UDP 500, and UDP 4500 traffic to the gateway:

gcloud compute forwarding-rules create fr-GW_NAME-esp \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --ip-protocol=ESP \
   --address=GW_IP_NAME \
   --target-vpn-gateway=GW_NAME \
   --region=REGION \
   --project=PROJECT_ID

gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --ip-protocol=UDP \
   --ports=500 \
   --address=GW_IP_NAME \
   --target-vpn-gateway=GW_NAME \
   --region=REGION \
   --project=PROJECT_ID

gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --ip-protocol=UDP \
   --ports=4500 \
   --address=GW_IP_NAME \
   --target-vpn-gateway=GW_NAME \
   --region=REGION \
   --project=PROJECT_ID

Create the Cloud VPN tunnel

In the commands, replace the following:
- TUNNEL_NAME: a name for the tunnel
- ON_PREM_IP: the external IP address of the peer VPN gateway
- IKE_VERS: 1 for IKEv1 or 2 for IKEv2
  Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side; otherwise, the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.
  
  This rekeying issue is caused by a large SA payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.
- SHARED_SECRET: your pre-shared key (shared secret). The pre-shared key for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. To generate a cryptographically strong pre-shared key, follow these directions.
For policy-based VPN:
- LOCAL_IP_RANGES: a comma-delimited list of the Google Cloud IP ranges. For example, you can supply the CIDR block for each subnet in a VPC network. This is the left side from the perspective of Cloud VPN.
- REMOTE_IP_RANGES: a comma-delimited list of the peer network IP ranges. This is the right side from the perspective of Cloud VPN.
To configure a policy-based VPN tunnel, run the following command:
```
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address=ON_PREM_IP \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --local-traffic-selector=LOCAL_IP_RANGES \
    --remote-traffic-selector=REMOTE_IP_RANGES \
    --target-vpn-gateway=GW_NAME \
    --region=REGION \
    --project=PROJECT_ID
```
For route-based VPN, both the local and remote traffic selectors are 0.0.0.0/0 as defined in routing options and traffic selectors.

To configure a route-based VPN tunnel, run the following command:
```
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address=ON_PREM_IP \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --local-traffic-selector=0.0.0.0/0 \
    --remote-traffic-selector=0.0.0.0/0 \
    --target-vpn-gateway=GW_NAME \
    --region=REGION \
    --project=PROJECT_ID
```
Create a static route for each remote IP range that you specified in the --remote-traffic-selector option in the previous step. Repeat this command for each remote IP range. Replace ROUTE_NAME with a unique name for the route, and replace REMOTE_IP_RANGE with the appropriate remote IP range.
```
gcloud compute routes create ROUTE_NAME \
    --destination-range=REMOTE_IP_RANGE \
    --next-hop-vpn-tunnel=TUNNEL_NAME \
    --network=NETWORK \
    --next-hop-vpn-tunnel-region=REGION \
    --project=PROJECT_ID
```
Note: The gcloud command to create a route uses the default priority of 1000. If you need to create a higher priority route, use the --priority flag with a lower number when you create the route. You cannot change the priority of a route after the route has been created; however, you can delete and replace the custom static route without needing to re-create the VPN tunnel. For details about how routes work in your VPC network, see Routes overview and Order of routes.

Completing the configuration

Before you can use a new Cloud VPN gateway and its associated VPN tunnel, complete the following steps:

Set up the peer VPN gateway and configure the corresponding tunnel there. For instructions, see the following:
- For specific configuration guidance for certain peer VPN devices, see Using third-party VPNs with Cloud VPN.
- For general configuration parameters, see Configuring the peer VPN gateway.
Configure firewall rules in Google Cloud and your peer network as required.
Check the status of your VPN tunnel and forwarding rules.
View your VPN routes by going to the project routing table and filtering for Next hop type:VPN tunnel:

Go to Routes

Applying an organization policy constraint that restricts peer VPN gateway IP addresses

You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allowlist or a denylist of these peer IP addresses, which goes into effect for Cloud VPN tunnels that you create after you apply the constraint. For details, see Restricting peer IP addresses through a Cloud VPN tunnel.

To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.

Required permissions

To set a peer IP address constraint at the organization or project level, you must first be granted the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) for your organization.

Constraining connectivity from specific peer IP addresses

To only allow specific peer IP addresses through a Cloud VPN tunnel, perform the following steps:

Find your organization ID by running the following command:

gcloud organizations list

The command output should look like the following example:

      DISPLAY NAME             ID
      example-organization     29252605212

Create a JSON file that defines your policy, as in the following example:

     {
       "constraint": "constraints/compute.restrictVpnPeersIPs",
       "listPolicy": {
         "allowedValues": [
           "100.1.1.1",
         ],
       }
     }

Set the organization policy by using the Resource Manager gcloud command set-policy, passing in the JSON file, and using the ORGANIZATION_ID that you found in the previous step.

Constraining connectivity from any peer IP addresses

To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint:

Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.

Create a JSON file like the following example:

    {
      "constraint": "constraints/compute.restrictVpnPeersIPs",
      "listPolicy": {
        "allValues": "DENY"
      }
    }

Pass in the JSON file by running the same command that you would use for restricting specific peer IP addresses.

What's next

To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.