Let's make a VPN connection between GCP and home NW (RTX1200)
Hello everyone.
My name is Hirata and I belong to the Operations Management Division of the System Solutions Department.
In my previous blog post I introduced a VPN connection between AWS and an on-premises network,
so this time I will introduce how to connect GCP to a home network (RTX1200) over VPN.
The slides below are the ones presented at an in-house study session.
https://www.slideshare.net/BeyondCorporation/20191017-byd-lthirata-194555992
Most of what I want to cover this time is already described in the slides above,
so this blog post mainly provides supplementary information.
Configuration diagram
The configuration diagram is shown below.
GCP settings
Configure the following four settings on the GCP side.
・VPC network settings
・Instance settings
・Firewall settings
・Cloud VPN settings
I will omit the VPC network, instance, and firewall settings as they are outside the main focus of this blog.
Configuring Cloud VPN
Open the Cloud VPN settings in the GCP console from the following menu.
Hybrid Connectivity -> VPN
If you have never set up a VPN before, opening this screen starts the VPN setup wizard.
There are two types of VPN to choose from: High Availability (HA) VPN and Traditional (Classic) VPN.
The difference between the two is whether or not the VPN tunnel is redundant.
This time, we will configure the settings using "Traditional VPN".
The slides show the settings screen for the following items as an image, but since it is hard to read there, I will also show the settings screen here.
The VPN settings on the cloud side are as follows.
Router settings
The router config is listed below. The router is a Yamaha RTX1200.
[gcp-vpn-test]# show config
login password *
administrator password *
console character ascii
console prompt [gcp-vpn-test]
login timer 1200
ip route default gateway pp 1
ip route (GCP VPC network) gateway tunnel 1
ip lan1 address (router's private IP address)/24
ip lan1 proxyarp on
pp select 1
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname (ISP connection ID) (ISP connection password)
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp mtu 1454
 ip pp secure filter in 210000
 ip pp secure filter out 201000
 ip pp intrusion detection in on
 ip pp nat descriptor 1
 pp enable 1
tunnel select 1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike version 1 2
  ipsec ike always-on 1 on
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike keepalive log 1 off
  ipsec ike local address 1 (router private IP address)
  ipsec ike local name 1 (router public IP address) ipv4-addr
  ipsec ike nat-traversal 1 on
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text (VPN private key passphrase)
  ipsec ike remote address 1 (public IP address for VPN reserved in GCP)
  ipsec ike remote name 1 (public IP address for VPN reserved in GCP) ipv4-addr
  ipsec auto refresh 1 on
 ip tunnel tcp mss limit auto
 tunnel enable 1
ip filter 201000 pass * *
ip filter 210000 pass * *
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 3 (router private IP address) esp
nat descriptor masquerade static 1 4 (router private IP address) udp 500
ipsec use on
ipsec auto refresh on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.253.2-192.168.253.39/24
dns server 8.8.4.4 8.8.8.8
dns server pp 1
dns private address spoof on
Because I am using a router that was reset to factory defaults for testing, the filters pass all traffic. Please be careful when using this for real!
Points to note when setting up RTX
There are a few things to keep in mind when setting up the RTX.
The settings to watch are "ipsec ike local address" and "ipsec ike local name".
"ipsec ike local address" must be set to the private IP address assigned to the router's LAN interface, while
"ipsec ike local name" must be set to the router's public IP address.
This is easy to get wrong because the corresponding settings for the GCP side, "ipsec ike remote address" and "ipsec ike remote name",
are both set to the public IP address for the VPN reserved in GCP.
Apart from that, the settings are the usual ones, so if you keep this in mind you will not have much trouble setting up the RTX.
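As an added example (not code from the original post or from Yamaha), here is a small Python linter that runs the two checks above over a "show config" dump and also flags the wide-open "ip filter ... pass * *" lines from the test config: the local address must be an RFC 1918 LAN address, the local name a public address, and the GCP remote address and remote name must match. The sample config, its documentation addresses and the RFC 1918 definition of "private" are assumptions of this example, not values from the post.

```python
import ipaddress
import re
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # the post's "private IP address"

# Constructed sample; placeholders replaced by documentation addresses (203.0.113.10 = router public IP, 198.51.100.20 = GCP VPN IP).
SAMPLE_CONFIG = """\
  ipsec ike group 1 modp1024
  ipsec ike local address 1 192.168.253.1
  ipsec ike local name 1 203.0.113.10 ipv4-addr
  ipsec ike remote address 1 198.51.100.20
  ipsec ike remote name 1 198.51.100.20 ipv4-addr
ip filter 201000 pass * *
ip filter 210000 pass * *
"""

def address_kind(value):
    """Return 'private' (RFC 1918), 'public', or None if value is not an IP literal."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return "private" if any(ip in net for net in RFC1918) else "public"

def parse_rtx(config):
    """Pick out the tunnel 1 IKE address/name/group settings and the ip filter lines."""
    cfg = {"filters": []}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ipsec ike (local|remote) (address|name) 1 (\S+)", line):
            cfg[f"{m.group(1)}_{m.group(2)}"] = m.group(3)
        elif m := re.match(r"ipsec ike group 1 (\S+)", line):
            cfg["dh_group"] = m.group(1)
        elif m := re.match(r"ip filter (\d+) (\S+) (\S+) (\S+)", line):
            cfg["filters"].append(m.groups())
    return cfg

def lint_rtx(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_rtx(config), []
    if address_kind(cfg.get("local_address", "")) != "private":
        findings.append("ipsec ike local address must be the router's private LAN address")
    if address_kind(cfg.get("local_name", "")) != "public":
        findings.append("ipsec ike local name must be the router's public IP address")
    if cfg.get("remote_address") is None or cfg["remote_address"] != cfg.get("remote_name"):
        findings.append("ipsec ike remote address and remote name must both be the GCP VPN IP")
    for num, action, src, dst in cfg["filters"]:
        if action.startswith("pass") and src == dst == "*":
            findings.append(f"ip filter {num} passes all traffic: acceptable only on a test router")
    if cfg.get("dh_group") == "modp1024":
        findings.append("ipsec ike group 1 modp1024 is a 1024-bit DH group; prefer a larger one")
    return findings
```

Paste the real "show config" output into lint_rtx() after replacing the placeholders; the sample above yields findings only for the two filters and the DH group.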
Confirmation
The VPN settings are now complete.
Once the VPN is established, the status will be displayed as "established" on the GCP VPN screen.
Comparison of GCP and AWS for VPN
Here is a comparison of GCP and AWS with respect to VPN.
Item | AWS | GCP
Automatic router config generation | Yes | No
Number of setting items on the cloud side | Many | Few
Configuration and routing | With HA: dynamic (BGP), static | With HA: dynamic (BGP) / Without HA: dynamic (BGP), static
The configuration row uses the expressions "with HA" and "without HA";
this refers to whether or not the VPN tunnel is redundant.
In AWS, a VPN is always set up with redundant VPN tunnels.
As for what distinguishes each service:
GCP has fewer configuration items on the cloud side, all on one screen, which makes configuration easier.
AWS has a feature that automatically generates the router config,
which not only makes configuring the router easier but also lets AWS show customers which vendors are supported;
I felt that this was another advantage in ease of use.
Summary
Continuing from the previous AWS article, we introduced a VPN connection with GCP.
Going forward, we would like to keep writing articles on connecting the cloud services we handle to on-premises networks over VPN, so please look forward to them!