Creating a Classic VPN using static routing

This page describes how to create a Classic VPN gateway and one tunnel that uses static routing, which here means either the policy based or the route based static routing option.

With route based VPN, you specify only the remote traffic selector. If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy based routing instead.

Routing option differences

Policy based routing should be considered when a peer VPN gateway cannot use Border Gateway Protocol (BGP) to dynamically exchange routes. With this option, local IP ranges (left side) and remote IP ranges (right side) are defined. These local and remote IP ranges are the traffic selectors for the tunnel.

Policy based routing uses both a local and a remote traffic selector.

Route based VPN tunnels are similar to tunnels that use policy based routing, except that only the remote IP ranges (right side) are specified. The list of local IP ranges is assumed to be any network (0.0.0.0/0), so you only specify the remote traffic selector.

As with policy based routing, Google Cloud automatically creates a static route for each remote IP address range.

Review the following documentation for background information before setting up either type of static routing option:

For even more details see the entire Networks and tunnel routing page.

Before you begin

Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:

  1. Sign in to your Google Account.

    If you don't already have one, sign up.

  2. Select or create a Google Cloud Platform project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Install and initialize the Cloud SDK.

  5. If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project [PROJECT_ID]

You can also view a project ID that has already been set:

  gcloud config list --format='text(core.project)'

Creating a custom Virtual Private Cloud network and subnet

Before creating a Classic VPN gateway and tunnel, you must create a Virtual Private Cloud network and at least one subnet in the region where the Classic VPN gateway will reside.

Creating a gateway and tunnel

The VPN setup wizard is the only console option for creating a Classic VPN gateway. The wizard includes all required configuration steps for creating a Classic VPN gateway, tunnels, BGP sessions, and an external VPN gateway resource. However, you can complete certain steps, such as configuring BGP sessions, later.

The Create a VPN button only supports creating HA VPN gateways.

VPN wizard

Configure the Gateway

  1. Go to the VPN page in the Google Cloud Console.
    Go to the VPN page
  2. Click VPN setup wizard.
  3. On the Create a VPN page, specify Classic VPN.
  4. Click Continue.
  5. On the Create a VPN connection page, specify the following gateway settings:
    • Name — The name of the VPN gateway. The name cannot be changed later.
    • Description — Optionally, add a description.
    • Network — Specify an existing VPC network in which to create the VPN gateway and tunnel.
    • Region — Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
    • IP address — Create or choose an existing regional external IP address.

Configure Tunnels

  1. Specify the following settings in the Tunnels section for the new tunnel:

    • Name — The name of the VPN tunnel. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Remote peer IP address — Specify the public IP address of the peer VPN gateway.
    • IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
    • Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.

    For Policy based tunnels

    • Under Routing options, select Policy-based.
    • Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. This is the remote traffic selector: the "right side" from the perspective of Cloud VPN.
    • Under Local IP ranges, select one of the following methods:
      • Use the Local subnetworks menu to choose an existing local IP range, or
      • Use the Local IP ranges field to enter a list of space-separated IP ranges used in your VPC network. Refer to traffic selectors for important considerations.

    For Route based tunnels

    • Routing options — Select Route-based.
    • Remote network IP ranges — Provide a space-separated list of the IP ranges used by the peer network. These ranges are used to create custom static routes whose next hop is this VPN tunnel.
  2. If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can also add more tunnels later.

  3. Click Create.

gcloud

In the following commands, replace:

  • project-id with the ID of your project.
  • network with the name of your Google Cloud network.
  • region with the Google Cloud region where you need to create the gateway and tunnel.
  • (Optional) The --target-vpn-gateway-region is the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
  • gw-name with the name of the gateway.
  • gw-ip-name with a name for the external IP used by the gateway.

Complete the following command sequence to create a Google Cloud gateway:

  1. Create the resources for the Cloud VPN gateway:

    1. Create the target VPN gateway object.

      gcloud compute target-vpn-gateways create gw-name \
          --network network \
          --region region \
          --project project-id
      
    2. Reserve a regional external (static) IP address:

      gcloud compute addresses create gw-ip-name \
          --region region \
          --project project-id
      
    3. Note the IP address (so you can use it when you configure your peer VPN gateway):

      gcloud compute addresses describe gw-ip-name \
          --region region \
          --project project-id \
          --format='flattened(address)'
      
    4. Create three forwarding rules. These rules instruct Google Cloud to send ESP (IPsec), UDP 500, and UDP 4500 traffic to the gateway.

      gcloud compute forwarding-rules create fr-gw-name-esp \
          --ip-protocol ESP \
          --address gw-ip-name \
          --target-vpn-gateway gw-name \
          --region region \
          --project project-id
      
      gcloud compute forwarding-rules create fr-gw-name-udp500 \
          --ip-protocol UDP \
          --ports 500 \
          --address gw-ip-name \
          --target-vpn-gateway gw-name \
          --region region \
          --project project-id
      
      gcloud compute forwarding-rules create fr-gw-name-udp4500 \
          --ip-protocol UDP \
          --ports 4500 \
          --address gw-ip-name \
          --target-vpn-gateway gw-name \
          --region region \
          --project project-id
      
  2. Create the Cloud VPN tunnel with the following details:

    • Replace tunnel-name with a name for the tunnel.
    • Replace on-prem-ip with the external IP address of the peer VPN gateway.
    • Replace ike-vers with 1 for IKEv1 or 2 for IKEv2.
    • Replace shared-secret with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.

    For Policy based VPN:

    • Replace local-ip-ranges with a comma-delimited list of the Google Cloud IP ranges. For example, you can supply the CIDR block for each subnet in a VPC network. This is the "left side" from the perspective of Cloud VPN.
    • Replace remote-ip-ranges with a comma-delimited list of the peer network IP ranges. This is the "right side" from the perspective of Cloud VPN.

    Policy based VPN command:

    gcloud compute vpn-tunnels create tunnel-name \
        --peer-address on-prem-ip \
        --ike-version ike-vers \
        --shared-secret shared-secret \
        --local-traffic-selector=local-ip-ranges \
        --remote-traffic-selector=remote-ip-ranges \
        --target-vpn-gateway gw-name \
        --region region \
        --project project-id
    

    For Route based VPN:

    gcloud compute vpn-tunnels create tunnel-name \
        --peer-address on-prem-ip \
        --ike-version ike-vers \
        --shared-secret shared-secret \
        --local-traffic-selector=0.0.0.0/0 \
        --remote-traffic-selector=0.0.0.0/0 \
        --target-vpn-gateway gw-name \
        --region region \
        --project project-id
    
  3. Create a static route for each remote IP range you specified in the --remote-traffic-selector option in the previous step. Repeat this command for each remote IP range, replacing route-name with a unique name for the route and remote-ip-range with the appropriate remote IP range.

    gcloud compute routes create route-name \
        --destination-range remote-ip-range \
        --next-hop-vpn-tunnel tunnel-name \
        --network network \
        --next-hop-vpn-tunnel-region region \
        --project project-id
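
As an added example, not taken from this page or from Google Cloud, the following POSIX shell helper generates a random pre-shared key for --shared-secret, validates each remote IPv4 range, and prints one gcloud compute routes create command per range for the static-route step above. The names tunnel-1, vpc-1, proj-1 and the route-naming scheme tunnel-route-N are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the Google Cloud docs: generate a strong
# pre-shared key and the per-range static-route commands for a
# Classic VPN tunnel. Commands are printed, not run, so they can be
# reviewed before applying. Names in the usage line are constructed.
set -f   # no pathname expansion while splitting user-supplied lists

# 32 random bytes from the kernel CSPRNG, base64-encoded (44 characters),
# for the --shared-secret value. Must match the peer gateway's secret.
gen_shared_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Accept only dotted-quad IPv4 with a /0-/32 prefix; anything else is a
# typo that would otherwise become a wrong or missing route.
is_ipv4_cidr() {
  ip=${1%/*}; pfx=${1#*/}
  [ "$ip" != "$1" ] || return 1                      # no "/" at all
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print one "gcloud compute routes create" per remote range, i.e. per entry
# of the comma-delimited list given to --remote-traffic-selector. Route
# names are derived as <tunnel>-route-<n> (an assumed naming scheme).
route_cmds() {
  tunnel=$1; network=$2; region=$3; project=$4
  oldifs=$IFS; IFS=,; set -- $5; IFS=$oldifs
  i=0
  for r in "$@"; do
    is_ipv4_cidr "$r" || { echo "invalid remote range: $r" >&2; return 1; }
    i=$((i + 1))
    printf 'gcloud compute routes create %s-route-%d --destination-range %s --next-hop-vpn-tunnel %s --network %s --next-hop-vpn-tunnel-region %s --project %s\n' \
      "$tunnel" "$i" "$r" "$tunnel" "$network" "$region" "$project"
  done
}

# Usage with constructed names (tunnel-1, vpc-1, proj-1):
echo "shared secret: $(gen_shared_secret)"
route_cmds tunnel-1 vpc-1 us-central1 proj-1 192.168.1.0/24,10.10.0.0/16
```

Pipe the printed commands to sh only after checking that each destination range is one you intend to send through the tunnel.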
    

Follow-up steps

You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:

  1. Set up the peer VPN gateway and configure the corresponding tunnel there. Refer to these pages:
  2. Configure firewall rules in Google Cloud and your peer network as required. Refer to the Firewall Rules page for suggestions.
  3. Check the status of your tunnel, including forwarding rules.
  4. You can view your VPN routes by visiting the project routing table and filtering for 'Next hop type:VPN tunnel'.

What's next
