Creating a Classic VPN using dynamic routing

This page describes how to create a Classic VPN gateway and one tunnel using dynamic routing, which uses the Border Gateway Protocol (BGP).

With dynamic routing, you do not specify local or remote traffic selectors; instead, you use a Cloud Router. Route information is exchanged dynamically.

Before you begin

Setting up the following items in GCP makes it easier to configure Cloud VPN:

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the Project selector page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Install and initialize the Cloud SDK.
  5. If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project [PROJECT_ID]

You can also view a project ID that has already been set:

  gcloud config list --format='text(core.project)'

Required permissions

Project owners, editors, and IAM members with the Network Admin role can create new Cloud VPN gateways and tunnels.

Creating a gateway and tunnel

Console


  1. Go to the VPN page in the Google Cloud Platform Console.
    Go to the VPN page
  2. Click Create.
  3. On the Create a VPN Connection page, specify the following information in the Google Compute Engine VPN gateway section:
    • Name — The name of the VPN gateway. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Network — Choose the GCP network in which the VPN gateway and tunnel should be created. You can use a VPC network or a legacy network.
    • Region — Cloud VPN gateways and tunnels are regional objects. Choose a GCP region where the gateway should be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant GCP resources.
    • IP address — Create or choose an existing regional external IP address.
  4. Specify the following in the Tunnels section for the new tunnel item:
    • Name — The name of the VPN tunnel. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Remote peer IP address — Specify the public IP address of the peer VPN gateway.
    • IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
    • Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
    • Routing options — Select Dynamic (BGP).
    • Cloud router — Choose an existing Cloud Router or select Create cloud router to create a new one. If you choose an existing Cloud Router, you'll still create a new BGP session, but the Google ASN is the same. If you choose to create a new Cloud Router, specify the following details:
      • Name — The name of the Cloud Router. The name cannot be changed later.
      • Description — Optionally, type a description.
      • Google ASN — Choose a private ASN (64512 - 65534, 4200000000 - 4294967294). This Google ASN is used for all BGP sessions managed by the Cloud Router. The ASN cannot be changed later.
      • Click Save and continue.
    • BGP session — Click the pencil icon, then specify the following details. When you are done, click Save and continue:
      • Name — The name of the BGP session. It cannot be changed later.
      • Peer ASN — The private ASN (64512 - 65534, 4200000000 - 4294967294) used by your peer VPN gateway.
      • Advertised route priority — (Optional) The base priority Cloud Router uses when advertising the “to GCP” routes. For more information, see Route metrics. Your peer VPN gateway imports these as MED values.
      • Cloud Router BGP IP and BGP peer IP — The two BGP interface IP addresses must be link-local IP addresses belonging to a common /30 CIDR from the 169.254.0.0/16 block. Each BGP IP defines the respective link-local IP used to exchange route information. For example, 169.254.1.1 and 169.254.1.2 belong to a common /30 block.
  5. If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can add more tunnels later.
  6. Click Create.

gcloud


In the following commands, replace:

  • [PROJECT_ID] with the ID of your project.
  • [NETWORK] with the name of your GCP network.
  • [REGION] with the GCP region where you need to create the gateway and tunnel.
  • (Optional) --target-vpn-gateway-region with the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is set automatically. It overrides the default compute/region property value for this command invocation.
  • [GW_NAME] with the name of the gateway.
  • [GW_IP_NAME] with a name for the external IP used by the gateway.

Complete the following command sequence to create a GCP gateway:

  1. Create the resources for the Cloud VPN gateway:

    1. Create the target VPN gateway object.

      gcloud compute target-vpn-gateways create [GW_NAME] \
          --network [NETWORK] \
          --region [REGION] \
          --project [PROJECT_ID]
      
    2. Reserve a regional external (static) IP address:

      gcloud compute addresses create [GW_IP_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      
    3. Note the IP address (so you can use it when you configure your peer VPN gateway):

      gcloud compute addresses describe [GW_IP_NAME] \
          --region [REGION] \
          --project [PROJECT_ID] \
          --format='flattened(address)'
      
    4. Create three forwarding rules. These rules instruct GCP to send ESP (IPsec), UDP 500 (IKE), and UDP 4500 (IKE with NAT traversal) traffic to the gateway.

      gcloud compute forwarding-rules create fr-[GW_NAME]-esp \
          --ip-protocol ESP \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      
      gcloud compute forwarding-rules create fr-[GW_NAME]-udp500 \
          --ip-protocol UDP \
          --ports 500 \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      
      gcloud compute forwarding-rules create fr-[GW_NAME]-udp4500 \
          --ip-protocol UDP \
          --ports 4500 \
          --address [GW_IP_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      
  2. If you have not already created a Cloud Router, or if you want to create a new Cloud Router, use the following command. Replace [ROUTER_NAME] with a name for the Cloud Router, and [GOOGLE_ASN] with a private ASN (64512 - 65534, 4200000000 - 4294967294). The Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later.

      gcloud compute routers create [ROUTER_NAME] \
          --asn [GOOGLE_ASN] \
          --network [NETWORK] \
          --region [REGION] \
          --project [PROJECT_ID]
    
  3. Create the Cloud VPN tunnel with the following details:

    • Replace [TUNNEL_NAME] with a name for the tunnel.
    • Replace [ON_PREM_IP] with the external IP address of the peer VPN gateway.
    • Replace [IKE_VERS] with 1 for IKEv1 or 2 for IKEv2.
    • Replace [SHARED_SECRET] with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
    • Replace [ROUTER_NAME] with the name of the Cloud Router you want to use to manage routes for the Cloud VPN tunnel. The Cloud Router must exist before you create the tunnel.

      gcloud compute vpn-tunnels create [TUNNEL_NAME] \
          --peer-address [ON_PREM_IP] \
          --ike-version [IKE_VERS] \
          --shared-secret [SHARED_SECRET] \
          --router [ROUTER_NAME] \
          --target-vpn-gateway [GW_NAME] \
          --region [REGION] \
          --project [PROJECT_ID]
      
  4. Configure a BGP session for the Cloud Router by creating an interface and BGP peer. Choose one of the following methods:

    • To let GCP automatically choose the link-local BGP IP addresses:

      1. Add a new interface to the Cloud Router. Supply a name for the interface by replacing [INTERFACE_NAME].

        gcloud compute routers add-interface [ROUTER_NAME] \
            --interface-name [INTERFACE_NAME] \
            --vpn-tunnel [TUNNEL_NAME] \
            --region [REGION] \
            --project [PROJECT_ID]
        
      2. Add a BGP peer to the interface. Replace [PEER_NAME] with a name for the peer, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

        gcloud compute routers add-bgp-peer [ROUTER_NAME] \
            --peer-name [PEER_NAME] \
            --peer-asn [PEER_ASN] \
            --interface [INTERFACE_NAME] \
            --region [REGION] \
            --project [PROJECT_ID]
        
      3. List the BGP IP addresses chosen by the Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. The Peer IP Address is the BGP IP you should use to configure your peer VPN gateway.

        gcloud compute routers get-status [ROUTER_NAME] \
            --region [REGION] \
            --project [PROJECT_ID] \
            --format='flattened(result.bgpPeerStatus[].ipAddress,result.bgpPeerStatus[].peerIpAddress)'
        

        Expected output for a Cloud Router managing a single Cloud VPN tunnel (index 0) looks like the following, where [GOOGLE_BGP_IP] represents the BGP IP of the Cloud Router's interface and [ON_PREM_BGP_IP] represents the BGP IP of its peer.

        result.bgpPeerStatus[0].ipAddress:     [GOOGLE_BGP_IP]
        result.bgpPeerStatus[0].peerIpAddress: [ON_PREM_BGP_IP]
        
    • To manually assign the BGP IP addresses associated with the GCP BGP interface and peer:

      1. Decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range. Assign one of these BGP IP addresses to the Cloud Router in the next command by replacing [GOOGLE_BGP_IP]. The other BGP IP address is used for your peer VPN gateway. You must configure your device to use that address, and replace [ON_PREM_BGP_IP] in the last command, below.

      2. Add a new interface to the Cloud Router. Specify a name for the interface by replacing [INTERFACE_NAME].

        gcloud compute routers add-interface [ROUTER_NAME] \
            --interface-name [INTERFACE_NAME] \
            --vpn-tunnel [TUNNEL_NAME] \
            --ip-address [GOOGLE_BGP_IP] \
            --mask-length 30 \
            --region [REGION] \
            --project [PROJECT_ID]
        
      3. Add a BGP peer to the interface. Replace [PEER_NAME] with a name for the peer, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

        gcloud compute routers add-bgp-peer [ROUTER_NAME] \
            --peer-name [PEER_NAME] \
            --peer-asn [PEER_ASN] \
            --interface [INTERFACE_NAME] \
            --peer-ip-address [ON_PREM_BGP_IP] \
            --region [REGION] \
            --project [PROJECT_ID]
        

Follow-up steps

You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:

  1. Set up the peer VPN gateway and configure the corresponding tunnel there. Refer to these pages:
  2. Configure firewall rules in GCP and your peer network as required. Refer to the firewall rules page for suggestions.
  3. Check the status of your tunnel.

What's next
