2. GCP VPN Tunnel Configuration File

Download the VPN configuration file from Google and fill it in with your Orka network configuration.

🚧

Quick navigation

You are here in the workflow: GCP-Orka Connections | 1. GCP Side of the VPN Tunnel | 2. GCP VPN Tunnel Configuration File | 3. Orka Side of the GCP VPN Tunnel | 4. Verifying the GCP VPN Tunnel | GCP VPN Tunnel Troubleshooting


On this page, jump to: Configuration template | Step 1: Get the configuration values | Step 2: Complete the template

📘

You need:

  • The name Outside from your IP Plan.
  • The IP address for the Private-1 network from your IP Plan.
  • The subnet mask for the Private-1 network from your IP Plan.
  • The IPv4 address of your Amazon VPC.
  • The subnet mask for your Amazon VPC converted from its CIDR notation (i.e. 255.255.0.0 instead of /16).

After you have created your site-to-site VPN connection in Google Cloud Platform (GCP), you need to configure your Cisco firewall to recognize the connection and let traffic into your Orka environment.

You can use the configuration template provided below and fill in the missing information. You need to provide data from both GCP and Orka.

Configuration template

📘

IMPORTANT

Unless you have extensive experience with GCP and ASA/ASAv configurations, use the configuration from the template. Otherwise, your site-to-site VPN might not work as expected.

! #1: Placeholders
!
! { gcp_network_address } - The address of the GCP local network that needs to have access to Orka.
! { gcp_network_mask } - The subnet mask of the GCP local network that needs to have access to Orka.
! { gcp_vpn_ip } - The public IP address of the cloud VPN gateway in GCP.
! { macstadium_network_name } - The name of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_network_address } - The IP address of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_network_mask } - The subnet mask of the private network in Orka that needs to be accessed by GCP. By default, this is Private-1.
! { macstadium_public_ip } - The IP address of the public network of your Orka private cloud. By default, this is FW1-Outside.
! { macstadium_outside_interface } - The name of the outside interface of your Cisco ASA/ASAv device. By default, this is Outside.
! { shared_key } - The IPSec pre-shared key used when creating the VPN connection in GCP.
!
! #2: NAT exemption
!
! The name "GCP-NET" must be unique for the Cisco ASA/ASAv device.
!
object-group network GCP-NET
  description GCP Virtual Network
  network-object { gcp_network_address } { gcp_network_mask }

! The name "ONPREM-NET" must be unique for the Cisco ASA/ASAv device.

object-group network ONPREM-NET
  description OnPrem Network
  network-object { macstadium_network_address } { macstadium_network_mask }

! The names "gcp-in", "gcp-acl", and "gcp-filter" must be unique for the Cisco ASA/ASAv device. 

access-list gcp-in extended permit ip host { gcp_vpn_ip } host { macstadium_public_ip }
access-list gcp-acl extended permit ip any4 object-group GCP-NET
access-list gcp-filter extended permit ip object-group GCP-NET object-group ONPREM-NET

nat ({ macstadium_network_name },{ macstadium_outside_interface }) 1 source static ONPREM-NET ONPREM-NET destination static GCP-NET GCP-NET

! #3: IKE & IPSec configuration
!
! The name "gcp" must be unique for the Cisco ASA/ASAv device.

crypto ipsec ikev2 ipsec-proposal gcp
  protocol esp encryption aes-256
  protocol esp integrity sha-1

! The name "gcp-vpn-map" must be unique for the Cisco ASA/ASAv device.

crypto map gcp-vpn-map 1 match address gcp-acl
crypto map gcp-vpn-map 1 set pfs group14
crypto map gcp-vpn-map 1 set peer { gcp_vpn_ip }
crypto map gcp-vpn-map 1 set ikev2 ipsec-proposal gcp

crypto map gcp-vpn-map interface { macstadium_outside_interface }
crypto ikev2 policy 100
  encryption aes-256
  integrity sha512
  group 14
  prf sha
  lifetime seconds 36000
exit

crypto ikev2 enable { macstadium_outside_interface }
crypto ipsec security-association lifetime seconds 10800
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto isakmp identity address
crypto isakmp disconnect-notify
no crypto isakmp nat-traversal
crypto ipsec df-bit clear-df Outside
group-policy gcp internal
group-policy gcp attributes
  vpn-filter value gcp-filter
  vpn-tunnel-protocol ikev2
tunnel-group { gcp_vpn_ip } type ipsec-l2l
tunnel-group { gcp_vpn_ip } general-attributes
 default-group-policy gcp
tunnel-group { gcp_vpn_ip } ipsec-attributes
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key { shared_key }
 ikev2 local-authentication pre-shared-key { shared_key }

Step 1: Get the configuration values

{ gcp_network_address }

This is the IP address of the GCP local network that needs to have access to Orka.

  1. Verify that you're logged into the GCP console and you are working in the correct project.

  1. From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.

  1. Select Cloud VPN Gateways.
  2. Locate the gateway used by your GCP-Orka tunnel and note the value for Region.

  1. Click the value listed under VPC network.
    The GCP console redirects you to the list of subnets for the selected network.
  2. In the list of subnets, locate the one matching the region you noted in Step 4.
  3. From the respective IP address ranges field, use the IP address without the bit notation at the end (e.g. /16).

{ gcp_network_mask }

This is the subnet mask of the GCP local network that needs to have access to Orka.

  1. Verify that you're logged into the GCP console and you are working in the correct project.

  1. From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.

  1. Select Cloud VPN Gateways.
  2. Locate the gateway used by your GCP-Orka tunnel and note the value for Region.

  1. Click the value listed under VPC network.
    The GCP console redirects you to the list of subnets for the selected network.
  2. In the list of subnets, locate the one matching the region you noted in Step 4.
  3. From the respective IP address ranges field, use the bit notation at the end (e.g. /16) and convert it to a subnet mask. You can use a CIDR calculator such as this CIDR/Netmask Lookup Tool.

{ gcp_vpn_ip }

This is the public IP address of the cloud VPN gateway in GCP.

  1. Verify that you're logged into the GCP console and you are working in the correct project.

  1. From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.

  1. Select Cloud VPN Gateways.
  2. Locate the gateway used by your GCP-Orka tunnel and use the value listed under IP address.

{ macstadium_network_name }

This is Private-1.

{ macstadium_network_address }

This is the IP address of the Private-1 network from your IP Plan.

{ macstadium_network_mask }

This is the subnet mask of the Private-1 network from your IP Plan.

{ macstadium_public_ip }

This is the IP address of the FW1-Outside network from your IP Plan.

{ macstadium_outside_interface }

This is Outside.

{ shared_key }

This is the IPSec pre-shared key used when creating the VPN connection in GCP.

  • You must have this key saved separately.

Step 2: Complete the template

  1. Copy the template into a text editing tool.
  2. Replace all placeholders with their respective values.
  3. Delete the remaining commented lines to clean up the template. Commented lines are indicated by ! at the beginning of the line.
  4. Save your changes.

What's next

Feed the complete configuration into your Cisco ASAv,


© 2019-2023 Copyright MacStadium, Inc. – Documentation built with readme.com. Orka is a registered trademark of MacStadium, Inc.