Setting up an IPsec VPN to Google Cloud with Libreswan & Ubiquiti EdgeRouter
The best practice for setting up a Site-to-Site IPsec VPN with Google Cloud is to use the Cloud VPN service. The Cloud VPN service within GCP provides a 99.9% SLA and is managed by Google on their side. It, however, costs a flat $0.05/hr per tunnel plus regular traffic rates, so if using 24/7 would cost $36.50, which is certainly reasonable for a production environment. For testing or lab purposes, a Google Compute Engine (GCE) instance can perform the VPN functionality as well, at a lower cost.
For lab purposes where substantial throughput isn’t required, the Always Free f1-micro instance that is part of the GCP Free Tier can do the trick. The f1-micro has 1 shared vCPU and .6GB of RAM, but will work for testing and lab usage. In this scenario, since the f1-micro is free, the cost will be the regular traffic rates and anything that goes beyond the Always Free tier restrictions.
With that said, theoretically, this GCE setup could be configured with redundancy with multiple higher-powered instances if scripts were set up to monitor the VPN and manage failover, and all that jazz. It would be tedious, though, so for production just use the Google Cloud VPN.
The following guide will walk through the steps to connect a Google Compute Engine (GCE) instance running Libreswan to a separate network with a Ubiquiti EdgeRouter. There is nothing requiring a Ubiquiti device on the other end, but it’s a popular lab router and avoids having to manage a virtual machine on the other side. If there is something else preferred on the other end, it should be trivial to swap it in. This example is similar to the behavior described in AWS’ “Connecting Multiple VPCs with EC2 Instances” tutorial, for reference.
Without any further ado, let’s begin. We’ll go through the following:
- Creating the GCE Instance for Libreswan
- Configuring the GCE Instance for Libreswan
- Configuring Ubiquiti EdgeOS
- Confirming Direct Connectivity
- Creating GCP Route for Network to Connect
- Confirming Network Connectivity
The following are the parameters used in this example setup, but should be changed to match the actual environment:
GCE Instance Name: gcp-vpn-01
GCE Instance IP (Internal): 10.1.2.2
GCE Instance IP (External): 220.127.116.11
GCP XPN Network Range: 10.1.0.0/16
Lab External IP: 18.104.22.168
Lab Network Range: 192.168.1.0/24
Creating the GCE Instance for Libreswan
Create the instance in your XPN Host Project, if using Cross Project Networking; if only aiming to create the VPN for a single project, simply create it in that project.
CentOS 7 was chosen as the distribution in this example, so if using Debian or Ubuntu then the commands shown will change slightly in regards to package managers used, as well as possibly location of files, etc.
If you have setup Cross Project Networking (XPN), putting the GCE VPN Instance within the XPN Network will let service projects be able to use the connectivity, as opposed to only usable within a single project.
When creating the GCE instance, ensure a Static IP is chosen instead of ephemeral so that when the instance reboots there is no need to change IPs. Make a note of the static IP given (e.g. 22.214.171.124) as it will be used during setup. Also, make note of the subnet range(s) we will be connecting on the GCP side (e.g. 10.1.0.0/16).
You also need to ensure “IP forwarding” is turned on. This is equivalent to “Disable Source / Destination Check” in AWS, and allows the instance to route traffic.
Ideally, be sure to create appropriate firewall rules to only allow the GCE VPN instance to communicate only to other networks that are approved. Leaving the VPN instance open to the world is not recommended.
Configuring the GCE Instance for Libreswan
Once the instance is provisioned, proceed to log in through SSH.
Depending on your distribution, installing “openswan” will either install openswan or libreswan, but both seem mostly compatible. Run the following command within the GCP instance to install openswan:
sudo yum install openswan -y
By default libreswan includes any configuration files under
/etc/ipsec.d/*.conf. We are going to create
gcp-to-lab.conf and put our configuration in here.
We also need a .secrets file that will include our Pre-Shared Key. Create
126.96.36.199 188.8.131.52: PSK “PRESHARED_KEY_HERE”
After both files are created, you should see them both and a few default files inside
Start up openswan by executing:
sudo systemctl start ipsec.service
If you run
ps ax|grep ipsec, you should now see it running:
Enable Openswan to start at boot with:
sudo systemctl enable ipsec.service
Add the following to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
sudo /etc/initd.network restart
At this point the GCP instance is configured, so let’s move to the Ubiquiti confiruation.
Configuring Ubiquiti EdgeOS
Log in to EdgeMAX through the GUI; this could also be configured through CLI, but the GUI is pretty simple.
Navigate to the VPN section of the EdgeRouter:
Select the “IPsec Site-to-Site” tab, configure the Peer settings, and then select “Apply”.
Confirming Direct Connectivity
Reboot the GCP Instance to make sure Libreswan starts at boot and connects properly.
After rebooting, log in and run the following:
service ipsec status. Status showing “IPsec SA established tunnel mode” should be displayed.
Try to ping the lab network (e.g. 192.168.1.100) from the GCP VPN instance:
Try to ping the GCP VPN from the lab network:
Creating GCP Route for Network to Connect
Up until this point, a VPN has been created between the GCP Instance (i.e. gcp-vpn-01) and the Lab Network (192.168.1.0/24), but the rest of the GCP network has not been configured to be able to reach the Lab Network. To solve this, we need to create a route within GCP Networking.
Navigate to Networking -> Routes within the Host Project. Select “Create Route”. Configure the route similar to the following:
Confirming Networking Connectivity
From an unrelated Google Compute Engine instance, try to ping to the Lab Network. It should be successful:
And vice versa:
Connectivity between the Lab Network and the GCP Network has now been set up. There is no redundancy, and if either the EdgeRouter or the GCE instance go down then the VPN network connection goes down. The GCE instance configured is small, so performance is not the goal. That said, if testing or requirements allow for those caveats, it’s a nice and comparatively inexpensive connection between a lab and the GCP network.
For production, use Google Cloud VPN.