Creating a Classic VPN using static routing

This page describes how to create a Classic VPN gateway and one tunnel using static routing. This tunnel is either a policy based or route based tunnel.

With route based VPN, you specify only the remote traffic selector. If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy based routing instead.

For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.

Routing option differences

When you create a policy based tunnel using the Google Cloud Console, Classic VPN performs all of the following tasks:

Sets the tunnel's local traffic selector to the IP range that you specify
Sets the tunnel's remote traffic selector to the IP ranges that you specify in Remote network IP ranges
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR, and whose next hop is the tunnel.

When you create a route based tunnel using the Cloud Console, Classic VPN performs both of the following tasks:

Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0)
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR, and whose next hop is the tunnel.

When you create either a policy or route based tunnel using the gcloud command-line tool, traffic selectors for the tunnel are defined in the same way. However, because the creation of custom static routes is done with separate commands, you have more control over those routes. For more information, see Networks and tunnel routing.

Specifying multiple CIDRs per traffic selector

The number of CIDRs that you can specify in a traffic selector depends on the IKE version. Carefully review Routing options and traffic selectors and Multiple CIDRs per traffic selector for additional, important background information.

Before you begin

Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:

Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to the project selector page
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Install and initialize the Cloud SDK.

If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

  gcloud config set project [PROJECT_ID]

You can also view a project ID that has already been set:

  gcloud config list --format='text(core.project)'

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.use
compute.targetVpnGateways.setLabels

Roles

roles/compute.networkAdmin

Creating a custom Virtual Private Cloud network and subnet

Before creating an Classic VPN gateway and tunnel, you must create a Virtual Private Cloud network and at least one subnet in the region where the Classic VPN gateway will reside.

To create a custom mode (recommended) VPC network, see Creating a custom mode network.
To create subnets, see Working with subnets.

Creating a gateway and tunnel

The VPN setup wizard is the only console option for creating a Classic VPN gateway. The wizard includes all required configuration steps for creating a Classic VPN gateway, tunnels, BGP sessions, and an external VPN gateway resource. However, you can complete certain steps later. For example, configuring BGP sessions.

The Create VPN gateway button only supports creating HA VPN gateways.

VPN wizard

Configure the Gateway

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
1. If you are creating a gateway for the first time, select the Create VPN connection button.
2. Select the VPN setup wizard.
Select the radio button for Classic VPN.
Click Continue.
On the Create a VPN connection page, specify the following gateway settings:
- Name — The name of the VPN gateway. The name cannot be changed later.
- Description — Optionally, add a description.
- Network — Specify an existing VPC network in which to create the VPN gateway and tunnel.
- Region — Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
- IP address — Create or choose an existing regional external IP address.

Configure Tunnels

Specify the following settings in the Tunnels section for the new tunnel:
- Name — The name of the VPN tunnel. The name cannot be changed later.
- Description — Optionally, type a description.
- Remote peer IP address — Specify the external IP address of the peer VPN gateway.
- IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
  Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side, otherwise the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.
  
  This rekeying issue is caused by a large SA payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.
  Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For Policy based tunnels
- Under Routing options, select Policy-based.
- Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. This is the remote traffic selector: the "right side" from the perspective of Cloud VPN.
- Under Local IP ranges, select one of the following methods:
  - Use the Local subnetworks menu to choose an existing local IP range, or
  - Use the Local IP ranges field to enter a list of space-separated IP ranges used in your VPC network. Refer to traffic selectors for important considerations.
For Route based tunnels
- Routing options — Select Route-based.
- Remote network IP ranges — Provide a space-separated list of the IP ranges used by the peer network. These ranges are used to create custom static routes whose next hop is this VPN tunnel.
If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can also add more tunnels later.
Click Create.

gcloud

In the following commands, replace:

PROJECT_ID with the ID of your project.
NETWORK with the name of your Google Cloud network.
REGION with the Google Cloud region where you need to create the gateway and tunnel.
(Optional) The --target-vpn-gateway-region is the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
GW_NAME with the name of the gateway.
GW_IP_NAME with a name for the external IP used by the gateway.

Complete the following command sequence to create a Google Cloud gateway:

Create the resources for the Cloud VPN gateway:

Create the target VPN gateway object.

gcloud compute target-vpn-gateways create GW_NAME \
    --network NETWORK \
    --region REGION \
    --project PROJECT_ID

Reserve a regional external (static) IP address:

gcloud compute addresses create GW_IP_NAME \
    --region REGION \
    --project PROJECT_ID

Note the IP address (so you can use it when you configure your peer VPN gateway):

gcloud compute addresses describe GW_IP_NAME \
    --region REGION \
    --project PROJECT_ID \
    --format='flattened(address)'

Create three forwarding rules. These rules instruct Google Cloud to send ESP (IPsec), UDP 500, and UDP 4500 traffic to the gateway.

gcloud compute forwarding-rules create fr-GW_NAME-esp \
    --ip-protocol ESP \
    --address GW_IP_NAME \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID

gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
    --ip-protocol UDP \
    --ports 500 \
    --address GW_IP_NAME \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID

gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
    --ip-protocol UDP \
    --ports 4500 \
    --address GW_IP_NAME \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID

Create the Cloud VPN tunnel with the following details:
- Replace TUNNEL_NAME with a name for the tunnel.
- Replace ON_PREM_IP with the external IP address of the peer VPN gateway.
- Replace IKE_VERS with 1 for IKEv1 or 2 for IKEv2.
  Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side, otherwise the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.
  
  This rekeying issue is caused by a large SA payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.
- Replace SHARED_SECRET with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For Policy based VPN:
- Replace LOCAL_IP_RANGES with a comma-delimited list of the Google Cloud IP ranges. For example, you can supply the CIDR block for each subnet in a VPC network. This is the "left side" from the perspective of Cloud VPN.
- Replace REMOTE_IP_RANGES with a comma-delimited list of the peer network IP ranges. This is the "right side" from the perspective of Cloud VPN.
Policy based VPN command:
```
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address ON_PREM_IP \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --local-traffic-selector=LOCAL_IP_RANGES \
    --remote-traffic-selector=REMOTE_IP_RANGES \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID
```
For Route based VPN:
- For Route based VPN, both the local and remote traffic selectors are 0.0.0.0/0 as defined in routing options and traffic selectors.
```
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address ON_PREM_IP \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --local-traffic-selector=0.0.0.0/0 \
    --remote-traffic-selector=0.0.0.0/0 \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID
```
Create a static route for each remote IP range you specified in the --remote-traffic-selector option in the previous step. Repeat this command for each remote IP range, replacing ROUTE_NAME with a unique name for the route and [REMOTE_IP_RANGE] with the appropriate remote IP range.
```
gcloud compute routes create ROUTE_NAME \
    --destination-range REMOTE_IP_RANGE \
    --next-hop-vpn-tunnel TUNNEL_NAME \
    --network NETWORK \
    --next-hop-vpn-tunnel-region REGION \
    --project PROJECT_ID
```
Note: The gcloud command to create a route uses the default priority of 1000. If you need to create a higher priority route, use the --priority flag with a lower number when you create the route. You cannot change the priority of a route after the route has been created; however, you can delete and replace the custom static route without needing to re-create the VPN tunnel. Refer to the Routes Overview and Cloud VPN Order of Routes pages for details about how routes work in your VPC network.

Follow-up steps

You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:

Set up the peer VPN gateway and configure the corresponding tunnel there. Refer to these pages:
- For specific configuration guidance for certain VPN devices, refer to the VPN Interoperability Guides.
- For general configuration parameters, refer to Configuring the Peer VPN Gateway.
Configure firewall rules in Google Cloud and your peer network as required. Refer to the Firewall Rules page for suggestions.
Check the status of your tunnel, including forwarding rules.
You can view your VPN routes by visiting the project routing table
and filtering for 'Next hop type:VPN tunnel'.

Applying a VPN organization policy

Applying an organization policy constraint that restricts the IP addresses of peer VPN gateways

You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allow list or a deny list of these peer IP addresses, which goes into effect for Cloud VPN tunnels created after you apply the constraint. For details, see the Cloud VPN overview.

Required permissions

To set a peer IP constraint at the organization or project level, you must first be granted the Organization Policy Administrator (orgpolicy.policyAdmin) role for your organization.

How to set constraints

To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.

Constraining connectivity from specific peer IP addresses through a Cloud VPN tunnel

To only allow specific peer IP addresses, perform the following steps:

Find your organization ID by entering the following command:
```
gcloud organizations list
```
The command output should look like the following example.
```
      DISPLAY NAME             ID
      example-organization     29252605212
    
```

Create a JSON file that defines your policy. You must provide a policy as a JSON file, as in the following example:

     {
       "constraint": "constraints/compute.restrictVpnPeersIPs",
       "listPolicy": {
         "allowedValues": [
           "100.1.1.1",
         ],
       }
     }

Use the gcloud Resource Manager set-policy command to set the organization policy, passing in the JSON file and using the `ORGANIZATION_ID` that you found in the previous step.

Constraining connectivity from any peer IPs through a Cloud VPN tunnel

To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint.

Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.

Create a JSON file like the following example.

    {
      "constraint": "constraints/compute.restrictVpnPeersIPs",
      "listPolicy": {
        "allValues": "DENY"
      }
    }

Pass in the JSON file by entering the same command that you would use for restricting specific peer IP addresses.