Establish VPN tunnel for in-house machine to access GCP network
This article notes my experience connecting an in-house node to a Google Cloud network so that the cloud VMs and the in-house node can reach each other.
Prerequisites
In-House OS: Ubuntu 20.04 LTS
In-House Public IP: 66.66.66.66
In-House Internal IP: 192.168.10.1
In-House Internal CIDR: 192.168.10.0/24
In-House Firewall: UDP(4500), UDP(500)
GCP Public IP: 35.35.35.35
GCP Internal IP: 10.140.0.1
GCP Internal CIDR: 10.140.0.0/20
Setup In-House Environment
Install strongSwan, an implementation of the IPsec protocol suite that turns your in-house machine into a VPN gateway.
sudo apt update
sudo apt install -y strongswan strongswan-pki strongswan-swanctl
Enable IP forwarding so the gateway can route packets between the two subnets
sudo sysctl -w net.ipv4.ip_forward=1
# make it persistent: edit /etc/sysctl.d/99-forwarding.conf
net.ipv4.ip_forward = 1
# check status
sysctl net.ipv4.ip_forward
Create the IPsec secrets file
# edit /etc/ipsec.secrets
# the leading IP is the public IP of the GCP VPN gateway
# the secret is the pre-shared key shared by both gateways.
35.35.35.35 : PSK "my-secret"
Create the IPsec config file
# edit /etc/ipsec.conf
# parameter lines inside a conn section must be indented, or strongSwan will not parse the file
conn %default
    ikelifetime=600m # 36,000 s
    keylife=180m # 10,800 s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    ike=aes256gcm16-sha512-modp4096
    esp=aes256gcm16-sha512-modp8192
    authby=psk
conn net-net
    left=192.168.10.1 # The in-house gateway is behind a NAT, use the internal IP here
    leftid=66.66.66.66 # use the in-house public IP as the identity
    leftsubnet=192.168.10.0/24
    leftauth=psk
    right=35.35.35.35 # GCP gateway public IP
    rightid=35.35.35.35 # use the GCP gateway public IP as the identity
    rightsubnet=10.140.0.0/20
    rightauth=psk
    type=tunnel
    # auto=add - strongSwan loads the connection but does not initiate it
    # auto=start - strongSwan also tries to establish the connection
    # Note that Google Cloud will also try to initiate the connection
    auto=start
    # dpdaction=restart - strongSwan reconnects if Dead Peer Detection spots
    # a problem. Change to 'clear' if needed
    dpdaction=restart
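Before restarting strongSwan it is worth checking the two files against each other. The script below is an added example, not code from the original post: it parses the ipsec.conf section format shown above (a constructed copy of this walkthrough's config is embedded), merges `conn %default`, and flags weak proposal algorithms, overlapping subnets, and a missing PSK entry for the remote gateway. The `WEAK` set and the check names are my own choices.

```python
import ipaddress
import re
# Constructed sample: the in-house ipsec.conf and ipsec.secrets from this walkthrough.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes256gcm16-sha512-modp4096
    esp=aes256gcm16-sha512-modp8192
conn net-net
    left=192.168.10.1   # behind NAT, so the internal address goes here
    leftsubnet=192.168.10.0/24
    right=35.35.35.35
    rightid=35.35.35.35
    rightsubnet=10.140.0.0/20
"""
IPSEC_SECRETS = '35.35.35.35 : PSK "my-secret"\n'
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def parse_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # an unindented line is a section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **conf} for name, conf in sections.items()}
def check_conn(conf, psk_ids):
    """Findings for one conn; an empty list means it passed every check."""
    findings = []
    if conf.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):  # proposals look like alg-alg-group[,alg-alg-group]
        if weak := set(re.split(r"[-,]", conf.get(key, ""))) & WEAK:
            findings.append(f"{key} uses weak algorithm(s): {sorted(weak)}")
    left, right = (ipaddress.ip_network(conf[k]) for k in ("leftsubnet", "rightsubnet"))
    if left.overlaps(right):
        findings.append(f"leftsubnet {left} overlaps rightsubnet {right}")
    if conf.get("rightid", conf.get("right")) not in psk_ids:
        findings.append("no PSK entry in ipsec.secrets for the remote gateway")
    return findings
def audit(conf_text=IPSEC_CONF, secrets_text=IPSEC_SECRETS):  # conn name -> findings
    psk_ids = {m.group(1) for m in re.finditer(r"^(\S+)\s*:\s*PSK\s", secrets_text, re.M)}
    return {name: check_conn(c, psk_ids) for name, c in parse_conf(conf_text).items()}
```

Point `audit()` at the real files with `open("/etc/ipsec.conf").read()` and `open("/etc/ipsec.secrets").read()` (run as root) to check a live gateway.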
After configuring, restart IPsec and bring the connection up
ipsec update && ipsec reload && ipsec restart
ipsec up net-net
# check the status of tunnel connections
ipsec statusall
# see the logs of connections
swanctl --log
Now you can see the in-house gateway trying to connect to the remote GCP IP and failing, which is expected because the GCP side has not been set up yet.
13[NET] sending packet: from 192.168.10.1[4500] to 35.35.35.35[4500] (57 bytes)
Setup GCP Environment
Use the GCP VPN setup wizard to create the necessary resources: select Classic VPN and fill in the tunnel with the values from the prerequisites above (the remote peer IP is the in-house public IP 66.66.66.66, IKEv2, the same pre-shared key, and the in-house CIDR 192.168.10.0/24 as the remote network range).
After creation, we can check the logs on both the GCP side and the in-house side:
# check in-house vpn logs.
swanctl --log
08[NET] received packet: from 35.35.35.35[4500] to 192.168.10.1[4500] (57 bytes)
08[ENC] parsed INFORMATIONAL request 297 [ ]
08[ENC] generating INFORMATIONAL response 297 [ ]
08[NET] sending packet: from 192.168.10.1[4500] to 35.35.35.35[4500] (57 bytes)
13[IKE] sending keep alive to 35.35.35.35[4500]
Accessibility Testing
Now that the VPN is established, test it from each side.
# in-house side.
ping 10.140.0.1
# GCP side.
ping 192.168.10.1
That's all; hopefully this helps you establish a site-to-site VPN between your in-house network and GCP.