Creating a Route Based VPN

This page describes how to use Cloud VPN to create a simple route-based VPN. A route-based VPN tunnel is similar to a tunnel that uses policy-based routing, except that you specify only the remote IP ranges (which become routes); you do not specify a local traffic selector.

If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy based routing instead.

Review the following for background information before creating a route based VPN:

  • About route-based VPNs and traffic selectors
  • By definition, route-based VPNs use 0.0.0.0/0 for both their local and remote traffic selectors, regardless of IKE version. The tunnel therefore accepts any source and destination; the routes in each network decide which traffic actually enters it. When you create a VPN tunnel in the GCP Console, GCP automatically creates a route for each of the remote IP ranges you specify. When you create a VPN tunnel using gcloud or the API, you must create those routes yourself; until you do, the tunnel can negotiate and report as established, but no traffic is sent into it. The directions on this page explain both methods for creating a route-based VPN tunnel.

Required permissions

Task                                                   Required role
Create VPN gateways, tunnels, and VPC network routes   Project Owner or Editor, Network Admin, or a custom role with the appropriate permissions from the Network Admin role
Create and modify firewall rules                       Project Owner or Editor, Security Admin, or a custom role with compute.firewalls.* permissions

Creating a gateway and tunnel

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click Create.
  3. On the Create a VPN Connection page, supply the following information in the Google Compute Engine VPN gateway section:
    • Name — The name of the VPN gateway. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Network — Choose the GCP network in which the VPN gateway and tunnel should be created. You can use a VPC network or a legacy network.
    • Region — Cloud VPN gateways and tunnels are regional objects. Choose a GCP region where the gateway should be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant GCP resources.
    • IP address — Create or choose an existing regional external IP address.
  4. Supply the following in the Tunnels section for the new tunnel item:
    • Name — The name of the VPN tunnel. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Remote peer IP address — Supply the public IP address of the on-premises VPN gateway.
    • IKE version — Choose the IKE version supported by the on-premises VPN gateway. Use IKEv2 if the on-premises device supports it; fall back to IKEv1 only when it does not.
    • Shared secret — Provide the pre-shared key (PSK) used for authentication. The PSK is the only credential that authenticates the two gateways to each other, so generate it with a cryptographically secure random generator rather than choosing a memorable phrase, and hand it to the on-premises administrator over a channel you would trust with any other credential. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the on-premises VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
    • Routing options — Select Route-based.
    • Remote network IP ranges — Provide one or more IP ranges in CIDR notation, separated by spaces, for the on-premises network. For route-based VPNs the tunnel's traffic selectors stay at 0.0.0.0/0; these ranges are used only to create routes, and only when you create the tunnel using the GCP Console.
  5. If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can add more tunnels later.
  6. Click Create.

gcloud


In the following commands, replace:

  • [PROJECT_ID] with the ID of your project.
  • [NETWORK] with the name of your GCP network.
  • [REGION] with the GCP region where you need to create the gateway and tunnel.
  • [GW_NAME] with the name of the gateway.
  • [GW_IP_NAME] with a name for the external IP used by the gateway.

Complete the following command sequence to create a GCP gateway:

  1. Create the resources for the Cloud VPN gateway:

    1. Create the target VPN gateway object.

      gcloud compute target-vpn-gateways create [GW_NAME] \
          --network [NETWORK] \
          --region [REGION] \
          --project [PROJECT_ID]
      

    2. Reserve a regional external (static) IP address:

      gcloud compute addresses create [GW_IP_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      

    3. Note the IP address (so you can use it when you configure your on-premises VPN gateway):

      gcloud compute addresses describe [GW_IP_NAME] \
          --region [REGION] \
          --project [PROJECT_ID] \
          --format='flattened(address)'
      

    4. Create three forwarding rules. These rules instruct GCP to deliver ESP (IP protocol 50, the IPsec data plane), UDP 500 (IKE) and UDP 4500 (IKE and ESP encapsulated in UDP for NAT traversal) arriving at the gateway address to the gateway. All three are needed: with only the UDP rules the tunnel can negotiate, but unless NAT traversal is in use the ESP packets carrying the actual traffic are dropped.

      gcloud compute forwarding-rules create fr-[GW_NAME]-esp \
          --ip-protocol ESP \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      

      gcloud compute forwarding-rules create fr-[GW_NAME]-udp500 \
          --ip-protocol UDP \
          --ports 500 \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      

      gcloud compute forwarding-rules create fr-[GW_NAME]-udp4500 \
          --ip-protocol UDP \
          --ports 4500 \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      

Complete the following command sequence to create a GCP tunnel:

  1. Create the Cloud VPN tunnel with the following details:

    • Replace [TUNNEL_NAME] with a name for the tunnel.
    • Replace [ON_PREM_IP] with the external IP address of the on-premises VPN gateway.
    • Replace [IKE_VERS] with 1 for IKEv1 or 2 for IKEv2.
    • Replace [SHARED_SECRET] with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the on-premises VPN gateway. You can follow these directions to generate a cryptographically strong shared secret. A secret typed directly into the command also lands in your shell history; prefer supplying it from an environment variable or a file with restrictive permissions, and remove the history entry if you do type it.
    • Both --local-traffic-selector and --remote-traffic-selector are set to any (0.0.0.0/0). For route-based VPNs the traffic selectors are deliberately wide open: the routes in each network decide what is sent into the tunnel, and the firewall rules on each side decide what is accepted from it.

    gcloud compute vpn-tunnels create [TUNNEL_NAME] \
        --peer-address [ON_PREM_IP] \
        --ike-version [IKE_VERS] \
        --shared-secret [SHARED_SECRET] \
        --local-traffic-selector=0.0.0.0/0 \
        --remote-traffic-selector=0.0.0.0/0 \
        --target-vpn-gateway [GW_NAME] \
        --region [REGION] \
        --project [PROJECT_ID]
    

  2. Create a static route for each on-premises IP range that should be reachable through the tunnel (the ranges you would have entered as Remote network IP ranges in the Console). The tunnel's remote traffic selector is 0.0.0.0/0, so these routes, not the selector, determine which traffic enters the tunnel; without them the tunnel carries nothing. Repeat this command for each remote IP range, replacing [ROUTE_NAME] with a unique name for the route and [REMOTE_IP_RANGE] with the range in CIDR notation.

    gcloud compute routes create [ROUTE_NAME] \
        --destination-range [REMOTE_IP_RANGE] \
        --next-hop-vpn-tunnel [TUNNEL_NAME] \
        --network [NETWORK] \
        --next-hop-vpn-tunnel-region [REGION] \
        --project [PROJECT_ID]
    

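The gcloud sequence above, gathered into one reviewable script. This is an added example, not code from the Cloud VPN documentation: it prints the gateway, forwarding-rule, tunnel and route commands instead of running them, so the plan can be checked before anything is created, and it refuses malformed ranges and a 0.0.0.0/0 route into the tunnel. The project, network, region, gateway name, peer address and IP ranges in the usage comment are assumed values, and the naming scheme for derived resources (gateway-ip, gateway-tunnel1, gateway-tunnel1-routeN) is this script's own. The shared secret is referenced as the environment variable VPN_SHARED_SECRET and left unexpanded in the printed plan, so the secret never appears in the reviewed output; it still reaches gcloud as a command-line argument when the plan is executed.

```shell
#!/bin/sh
# Added example, not part of the Cloud VPN docs: print the gcloud commands for a
# route-based Classic VPN gateway, tunnel and static routes as a reviewable plan.
# Names derived from the gateway name are this script's own convention.
set -eu

# Generate a pre-shared key: 32 bytes from the OS CSPRNG, base64-encoded (44 chars).
gen_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n), 1 otherwise.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  n=0; oldifs=$IFS; IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Print the gcloud commands for one gateway carrying one route-based tunnel.
# Arguments: PROJECT NETWORK REGION GW_NAME ON_PREM_IP IKE_VERS REMOTE_CIDR...
# The shared secret is emitted as the literal "$VPN_SHARED_SECRET" so the plan
# never contains it; export that variable before executing the plan.
plan_route_based_vpn() {
  project=$1; network=$2; region=$3; gw=$4; peer=$5; ike=$6
  shift 6
  [ "$#" -ge 1 ] || { echo "at least one remote IP range is required" >&2; return 1; }
  case "$ike" in 1|2) ;; *) echo "IKE version must be 1 or 2: $ike" >&2; return 1 ;; esac
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "invalid remote IP range: $cidr" >&2; return 1; }
    # A 0.0.0.0/0 route would send all egress through on-premises; that is a
    # deliberate design decision, so this planner refuses to emit it by accident.
    [ "$cidr" != "0.0.0.0/0" ] || { echo "refusing default route via tunnel" >&2; return 1; }
  done
  common="--region $region --project $project"
  tunnel="${gw}-tunnel1"
  echo "gcloud compute target-vpn-gateways create $gw --network $network $common"
  echo "gcloud compute addresses create ${gw}-ip $common"
  # Three forwarding rules: ESP (IP protocol 50), IKE on UDP 500, NAT-T on UDP 4500.
  for spec in "esp --ip-protocol ESP" "udp500 --ip-protocol UDP --ports 500" "udp4500 --ip-protocol UDP --ports 4500"; do
    suffix=${spec%% *}; flags=${spec#* }
    echo "gcloud compute forwarding-rules create fr-${gw}-${suffix} $flags --address ${gw}-ip --target-vpn-gateway $gw $common"
  done
  # Wide-open selectors: the routes below and the firewall rules are the real policy.
  echo "gcloud compute vpn-tunnels create $tunnel --peer-address $peer --ike-version $ike --shared-secret \"\$VPN_SHARED_SECRET\" --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway $gw $common"
  i=0
  for cidr in "$@"; do
    i=$((i + 1))
    echo "gcloud compute routes create ${tunnel}-route$i --destination-range $cidr --next-hop-vpn-tunnel $tunnel --next-hop-vpn-tunnel-region $region --network $network --project $project"
  done
  # Follow-up check: the tunnel should report ESTABLISHED once the peer is configured.
  echo "gcloud compute vpn-tunnels describe $tunnel $common --format='value(status,detailedStatus)'"
}

# Usage with assumed values (names and IP ranges are illustrative):
#   VPN_SHARED_SECRET=$(gen_psk); export VPN_SHARED_SECRET
#   plan_route_based_vpn my-project my-vpc us-central1 vpn-gw-1 203.0.113.10 2 \
#       10.10.0.0/16 192.168.5.0/24 > plan.sh
#   sh plan.sh          # after reviewing plan.sh
```

Print VPN_SHARED_SECRET once, to give to the on-premises administrator over a trusted channel, and unset it when the plan has run; the generated plan.sh can be kept or committed for review because it carries only the variable name. The final describe command is the status check from the follow-up steps; a tunnel that shows ESTABLISHED but moves no traffic is almost always missing a route or a firewall rule on one side.
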
Follow-up steps

You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:

  1. Set up the on-premises VPN gateway and configure the corresponding tunnel there, using the same IKE version, the same shared secret, and (for a route-based tunnel) 0.0.0.0/0 traffic selectors, and add the matching routes toward your GCP IP ranges on that side.
  2. Configure firewall rules in GCP and your on-premises network as required. Refer to the Firewall Rules page for suggestions. Because the traffic selectors are wide open, the firewall rules are what limit which on-premises sources may reach which GCP resources over the tunnel.
  3. Check the status of your tunnel. A tunnel that reports as established but passes no traffic usually means that a route or a firewall rule is missing on one side.
