Setting up an IPsec VPN to Google Cloud with Libreswan & Ubiquiti EdgeRouter

The best practice for setting up a Site-to-Site IPsec VPN with Google Cloud is to use the Cloud VPN service. The Cloud VPN service within GCP provides a 99.9% SLA and is managed by Google on their side. It, however, costs a flat $0.05/hr per tunnel plus regular traffic rates, so if using 24/7 would cost $36.50, which is certainly reasonable for a production environment. For testing or lab purposes, a Google Compute Engine (GCE) instance can perform the VPN functionality as well, at a lower cost.

For lab purposes where substantial throughput isn’t required, the Always Free f1-micro instance that is part of the GCP Free Tier can do the trick. The f1-micro has 1 shared vCPU and .6GB of RAM, but will work for testing and lab usage. In this scenario, since the f1-micro is free, the cost will be the regular traffic rates and anything that goes beyond the Always Free tier restrictions.

GCP Internet Egress Rates

With that said, theoretically, this GCE setup could be configured with redundancy with multiple higher-powered instances if scripts were set up to monitor the VPN and manage failover, and all that jazz. It would be tedious, though, so for production just use the Google Cloud VPN.

The following guide will walk through the steps to connect a Google Compute Engine (GCE) instance running Libreswan to a separate network with a Ubiquiti EdgeRouter. There is nothing requiring a Ubiquiti device on the other end, but it’s a popular lab router and avoids having to manage a virtual machine on the other side. If there is something else preferred on the other end, it should be trivial to swap it in. This example is similar to the behavior described in AWS’ “Connecting Multiple VPCs with EC2 Instances” tutorial, for reference.

Without any further ado, let’s begin. We’ll go through the following:

  1. Creating the GCE Instance for Libreswan
  2. Configuring the GCE Instance for Libreswan
  3. Configuring Ubiquiti EdgeOS
  4. Confirming Direct Connectivity
  5. Creating GCP Route for Network to Connect
  6. Confirming Network Connectivity

The following are the parameters used in this example setup, but should be changed to match the actual environment:

GCE Instance Name: gcp-vpn-01
GCE Instance IP (Internal): 10.1.2.2
GCE Instance IP (External): 35.185.42.90
GCP XPN Network Range: 10.1.0.0/16
Lab External IP: 104.139.101.201
Lab Network Range: 192.168.1.0/24

Creating the GCE Instance for Libreswan

Overview

Create the instance in your XPN Host Project, if using Cross Project Networking; if only aiming to create the VPN for a single project, simply create it in that project.

CentOS 7 was chosen as the distribution in this example, so if using Debian or Ubuntu then the commands shown will change slightly in regards to package managers used, as well as possibly location of files, etc.

GCP VPN Instance Overview

Networking

If you have setup Cross Project Networking (XPN), putting the GCE VPN Instance within the XPN Network will let service projects be able to use the connectivity, as opposed to only usable within a single project.

When creating the GCE instance, ensure a Static IP is chosen instead of ephemeral so that when the instance reboots there is no need to change IPs. Make a note of the static IP given (e.g. 35.185.42.90) as it will be used during setup. Also, make note of the subnet range(s) we will be connecting on the GCP side (e.g. 10.1.0.0/16).

You also need to ensure “IP forwarding” is turned on. This is equivalent to “Disable Source / Destination Check” in AWS, and allows the instance to route traffic.

Networking Settings for GCP VPN Instance

Ideally, be sure to create appropriate firewall rules to only allow the GCE VPN instance to communicate only to other networks that are approved. Leaving the VPN instance open to the world is not recommended.

Configuring the GCE Instance for Libreswan

Once the instance is provisioned, proceed to log in through SSH.

GCP VPN Instance Created

Install libreswan

Depending on your distribution, installing “openswan” will either install openswan or libreswan, but both seem mostly compatible. Run the following command within the GCP instance to install openswan: sudo yum install openswan -y

Libreswan Installed

Configure Openswan

By default libreswan includes any configuration files under /etc/ipsec.d/*.conf. We are going to create gcp-to-lab.conf and put our configuration in here.

conn gcp-to-lab 
type=tunnel
authby=secret
left=%defaultroute
leftid=35.185.42.90
leftnexthop=%defaultroute
leftsubnet=10.1.0.0/16
right=104.139.101.201
rightsubnet=192.168.1.0/24
pfs=yes
auto=start

We also need a .secrets file that will include our Pre-Shared Key. Create gcp-to-lab.secrets inside /etc/ipsec.d/.

35.185.42.90 104.139.101.201: PSK “PRESHARED_KEY_HERE”

After both files are created, you should see them both and a few default files inside /etc/ipsec.d/:

Configured Openswan /etc/ipsec.d/ Folder

Start Openswan

Start up openswan by executing: sudo systemctl start ipsec.service

If you run ps ax|grep ipsec, you should now see it running:

Openswan Running

Enable Openswan to start at boot with: sudo systemctl enable ipsec.service

Add the following to /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Restart networking: sudo /etc/initd.network restart

At this point the GCP instance is configured, so let’s move to the Ubiquiti confiruation.

Configuring Ubiquiti EdgeOS

Log in to EdgeMAX through the GUI; this could also be configured through CLI, but the GUI is pretty simple.

Navigate to the VPN section of the EdgeRouter:

VPN Tab Screenshot

Select the “IPsec Site-to-Site” tab, configure the Peer settings, and then select “Apply”.

Example VPN Configuration Settings (*PSK is temporary for demonstration purposes)

Confirming Direct Connectivity

Reboot the GCP Instance to make sure Libreswan starts at boot and connects properly.

After rebooting, log in and run the following: service ipsec status. Status showing “IPsec SA established tunnel mode” should be displayed.

Successful Openswan Status

Try to ping the lab network (e.g. 192.168.1.100) from the GCP VPN instance:

Successfully Pinging Lab from GCP

Try to ping the GCP VPN from the lab network:

Successfully Pinging GCP from Lab

Creating GCP Route for Network to Connect

Up until this point, a VPN has been created between the GCP Instance (i.e. gcp-vpn-01) and the Lab Network (192.168.1.0/24), but the rest of the GCP network has not been configured to be able to reach the Lab Network. To solve this, we need to create a route within GCP Networking.

Navigate to Networking -> Routes within the Host Project. Select “Create Route”. Configure the route similar to the following:

Example Route to Lab Network through VPN Instance

Confirming Networking Connectivity

From an unrelated Google Compute Engine instance, try to ping to the Lab Network. It should be successful:

Successful VPN Connectivity from GCP Network to Lab Network

And vice versa:

Successful VPN Connectivity from Lab Network to GCP Network

Final Thoughts

Connectivity between the Lab Network and the GCP Network has now been set up. There is no redundancy, and if either the EdgeRouter or the GCE instance go down then the VPN network connection goes down. The GCE instance configured is small, so performance is not the goal. That said, if testing or requirements allow for those caveats, it’s a nice and comparatively inexpensive connection between a lab and the GCP network.

For production, use Google Cloud VPN.