2. GCP VPN Tunnel Configuration File
Download the VPN configuration file from Google and fill it in with your Orka network configuration.
Quick navigation
You are here in the workflow: GCP-Orka Connections | 1. GCP Side of the VPN Tunnel | 2. GCP VPN Tunnel Configuration File | 3. Orka Side of the GCP VPN Tunnel | 4. Verifying the GCP VPN Tunnel | GCP VPN Tunnel Troubleshooting
On this page, jump to: Configuration template | Step 1: Get the configuration values | Step 2: Complete the template
You need:
After you have created your site-to-site VPN connection in Google Cloud Platform (GCP), you need to configure your Cisco firewall to recognize the connection and let traffic into your Orka environment.
You can use the configuration template provided below and fill in the missing information. You need to provide data from both GCP and Orka.
Configuration template
IMPORTANT
Unless you have extensive experience with GCP and ASA/ASAv configurations, use the configuration from the template. Otherwise, your site-to-site VPN might not work as expected.
! #1: Placeholders
!
! { gcp_network_address } - The address of the GCP local network that needs to have access to Orka.
! { gcp_network_mask } - The subnet mask of the GCP local network that needs to have access to Orka.
! { gcp_vpn_ip } - The public IP address of the cloud VPN gateway in GCP.
! { macstadium_network_name } - The name of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_network_address } - The IP address of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_network_mask } - The subnet mask of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_public_ip } - The IP address of the public network of your Orka private cloud. By default, this is FW1-Outside.
! { macstadium_outside_interface } - The name of the outside interface of your Cisco ASA/ASAv device. By default, this is Outside.
! { shared_key } - The IPSec pre-shared key used when creating the VPN connection in GCP.
!
! #2: NAT exemption
!
! The name "GCP-NET" must be unique for the Cisco ASA/ASAv device.
!
object-group network GCP-NET
description GCP Virtual Network
network-object { gcp_network_address } { gcp_network_mask }
! The name "ONPREM-NET" must be unique for the Cisco ASA/ASAv device.
object-group network ONPREM-NET
description OnPrem Network
network-object { macstadium_network_address } { macstadium_network_mask }
! The names "gcp-in", "gcp-acl", and "gcp-filter" must be unique for the Cisco ASA/ASAv device.
access-list gcp-in extended permit ip host { gcp_vpn_ip } host { macstadium_public_ip }
access-list gcp-acl extended permit ip any4 object-group GCP-NET
access-list gcp-filter extended permit ip object-group GCP-NET object-group ONPREM-NET
nat ({ macstadium_network_name },{ macstadium_outside_interface }) 1 source static ONPREM-NET ONPREM-NET destination static GCP-NET GCP-NET
! #3: IKE & IPSec configuration
!
! The name "gcp" must be unique for the Cisco ASA/ASAv device.
crypto ipsec ikev2 ipsec-proposal gcp
protocol esp encryption aes-256
protocol esp integrity sha-1
! The name "gcp-vpn-map" must be unique for the Cisco ASA/ASAv device.
crypto map gcp-vpn-map 1 match address gcp-acl
crypto map gcp-vpn-map 1 set pfs group14
crypto map gcp-vpn-map 1 set peer { gcp_vpn_ip }
crypto map gcp-vpn-map 1 set ikev2 ipsec-proposal gcp
crypto map gcp-vpn-map interface { macstadium_outside_interface }
crypto ikev2 policy 100
encryption aes-256
integrity sha512
group 14
prf sha
lifetime seconds 36000
exit
crypto ikev2 enable { macstadium_outside_interface }
crypto ipsec security-association lifetime seconds 10800
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto isakmp identity address
crypto isakmp disconnect-notify
no crypto isakmp nat-traversal
crypto ipsec df-bit clear-df Outside
group-policy gcp internal
group-policy gcp attributes
vpn-filter value gcp-filter
vpn-tunnel-protocol ikev2
tunnel-group { gcp_vpn_ip } type ipsec-l2l
tunnel-group { gcp_vpn_ip } general-attributes
default-group-policy gcp
tunnel-group { gcp_vpn_ip } ipsec-attributes
isakmp keepalive threshold 10 retry 3
ikev2 remote-authentication pre-shared-key { shared_key }
ikev2 local-authentication pre-shared-key { shared_key }
Step 1: Get the configuration values
{ gcp_network_address }
{ gcp_network_address }
This is the IP address of the GCP local network that needs to have access to Orka.
- Verify that you're logged into the GCP console and you are working in the correct project.
- From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.
- Select Cloud VPN Gateways.
- Locate the gateway used by your GCP-Orka tunnel and note the value for Region.
- Click the value listed under VPC network.
The GCP console redirects you to the list of subnets for the selected network. - In the list of subnets, locate the one matching the region you noted in Step 4.
- From the respective IP address ranges field, use the IP address without the bit notation at the end (e.g.
/16
).
{ gcp_network_mask }
{ gcp_network_mask }
This is the subnet mask of the GCP local network that needs to have access to Orka.
- Verify that you're logged into the GCP console and you are working in the correct project.
- From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.
- Select Cloud VPN Gateways.
- Locate the gateway used by your GCP-Orka tunnel and note the value for Region.
- Click the value listed under VPC network.
The GCP console redirects you to the list of subnets for the selected network. - In the list of subnets, locate the one matching the region you noted in Step 4.
- From the respective IP address ranges field, use the bit notation at the end (e.g.
/16
) and convert it to a subnet mask. You can use a CIDR calculator such as this CIDR/Netmask Lookup Tool.
{ gcp_vpn_ip }
{ gcp_vpn_ip }
This is the public IP address of the cloud VPN gateway in GCP.
- Verify that you're logged into the GCP console and you are working in the correct project.
- From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.
- Select Cloud VPN Gateways.
- Locate the gateway used by your GCP-Orka tunnel and use the value listed under IP address.
{ macstadium_network_name }
{ macstadium_network_name }
This is Private-1
.
{ macstadium_network_address }
{ macstadium_network_address }
This is the IP address of the Private-1
network from your IP Plan.
{ macstadium_network_mask }
{ macstadium_network_mask }
This is the subnet mask of the Private-1
network from your IP Plan.
{ macstadium_public_ip }
{ macstadium_public_ip }
This is the IP address of the FW1-Outside
network from your IP Plan.
{ macstadium_outside_interface }
{ macstadium_outside_interface }
This is Outside
.
{ shared_key }
{ shared_key }
This is the IPSec pre-shared key used when creating the VPN connection in GCP.
- You must have this key saved separately.
Step 2: Complete the template
- Copy the template into a text editing tool.
- Replace all placeholders with their respective values.
- Delete the remaining commented lines to clean up the template. Commented lines are indicated by
!
at the beginning of the line. - Save your changes.
What's next
Updated about 1 year ago