I ventured to set this up, and it was actually easier than I thought. First, I created the settings in the GCP console.
- Create a static public IP for the VPN.
- Create a GCP Cloud Router. I chose the default network, the us-east1 region, and the private ASN 65001 for the GCP side. It’s important to note that, in the default (regional) dynamic routing mode, only the subnet(s) in the region you select will be advertised in the BGP session.
- Create the VPN connection. Select your Fortigate WAN IP as the remote peer IP address. I chose IKEv2 and entered my shared secret (a plain-text pre-shared key; make it a long random value, since it is the only thing authenticating the two peers). Then I selected Dynamic (BGP) for routing and selected the Cloud Router I created in the previous step. The last step is to add the BGP session. The peer ASN is the ASN you’re going to use locally; I chose 65002, but this can be an ASN you own or a private one. I left the route priority at the default and used 169.254.0.1 for the Google BGP IP address and 169.254.0.2 for the peer BGP IP address.
That’s it on the GCP side. Now on the Fortigate:
I used the GUI to create the IPSec VPN using the “Custom VPN tunnel” template. Essentially you mirror everything you did on the GCP side.
- Enter the IP address you created for the GCP VPN as the remote peer, select the WAN 1 interface, and enter the preshared key. I enabled Dead Peer Detection (DPD) and left NAT Traversal on. I also used IKEv2 and didn’t modify any of the Phase 2 settings except to give them a name.
- Then I configured the IP addresses on the new tunnel interface (it appears under WAN1) for the IPsec VPN: 169.254.0.2 as the local /32 and 169.254.0.1 as the remote IP, i.e. the two BGP addresses from the GCP side, the other way round.
- Next, you need to configure BGP: enter your ASN (65002, the peer ASN you gave GCP), the router-id (the peer BGP IP you configured in GCP for the BGP session, 169.254.0.2), the neighbor 169.254.0.1 with remote AS 65001, and a prefix (IP subnet) you want to advertise to GCP. I used 192.168.1.0/24, as that’s where my servers sit.
- Last, create the firewall policies. I used a destination address group of the RFC 1918 address blocks, since GCP networking only uses private IP addresses. It doesn’t matter that the group also covers private ranges you use locally; it is only the policy match, and the locally attached route takes precedence over anything learned over the tunnel. The policies are “route based”, meaning the VPN interface is the destination interface in one policy and the source interface in the other. Note that the policies below allow service ALL with logging disabled; for anything beyond a lab, narrow the service and enable logging so you can see what crosses the tunnel.
And that should be it. Give it about 30 seconds for the BGP session to come up, then pick a VM in GCP in the region you configured the VPN for and try to ping it. The config for the Fortigate was as follows:
```
! --------------------------------------------------------------------------------
! Google Cloud Platform
! VPN Connection
!
! Your ASN: 65002
! GCP ASN: 65001
! GCP IP: y.y.y.y
! GCP BGP Peer IP: 169.254.0.1
! Your BGP Peer IP: 169.254.0.2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256,
! or other DH groups like 2, 14-18, 22, 23, and 24.
!
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500.
! If not behind NAT, we recommend disabling NAT-T.
!
! Configuration begins in root VDOM.
config vpn ipsec phase1-interface
    edit "GCP"
        set interface "wan1"
        ! The IPSec Dead Peer Detection causes periodic messages to be
        ! sent to ensure a Security Association remains operational
        set dpd enable
        set nattraversal enable
        set ike-version 2
        set proposal aes256-sha1
        set dhgrp 15
        set keylife 28800
        set remote-gw y.y.y.y
        set psksecret ENC <long base64 encrypted string>
        set dpd-retryinterval 10
        set comments "VPN: GCP"
    next
end
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
! Please note, you may use these additionally supported IPSec parameters for encryption
! like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
config vpn ipsec phase2-interface
    edit "GCP"
        set phase1name "GCP"
        set proposal aes256-sha1
        set dhgrp 15
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to GCP. Similarly, traffic from GCP
! will be logically received on this interface.
!
config system interface
    edit "GCP"
        set vdom "root"
        set ip 169.254.0.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.0.1
        set interface "wan1"
    next
end
! --------------------------------------------------------------------------------
! #4 Firewall Policy Configuration
!
! Create a firewall policy permitting traffic from your local subnet to GCP and vice versa
!
! This example policy permits all traffic from the local subnet to GCP
! (service ALL, logging disabled); tighten both outside a lab.
!
config firewall policy
    edit 25
        set srcintf "internal1"
        set dstintf "GCP"
        set srcaddr "Main Network"
        set dstaddr "RFC_1918"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 26
        set srcintf "GCP"
        set dstintf "internal1"
        set srcaddr "RFC_1918"
        set dstaddr "Main Network"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
! --------------------------------------------------------------------------------
! #5: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between GCP and your VPN gateway.
! GCP will announce the prefix defined in the BGP session configured as part of the
! Cloud Router.
!
config router bgp
    set as 65002
    set router-id 169.254.0.2
    config neighbor
        edit "169.254.0.1"
            set remote-as 65001
            set send-community6 disable
        next
    end
    ! Enter this portion to explicitly advertise a prefix
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
    ! Enter this portion to redistribute connected routes; you
    ! may not want to send all of these
    config redistribute "connected"
        set status enable
    end
    ! Enter this portion to redistribute static routes; you
    ! may not want to send all of these either
    config redistribute "static"
        set status enable
    end
end
! This portion is optional and probably not needed. As written the route-map is
! defined but never applied to the neighbor (there is no "set route-map-out"),
! so it has no effect; the prefix-list name is historical, it matches
! 192.168.1.0/24, not a default route.
config router prefix-list
    edit "default_route"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "gcp_route_map"
        config rule
            edit 1
                set match-ip-address "default_route"
            next
        end
    next
end
```
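As an added example (not from the original post, and not Google's or Fortinet's code), here is a small Python script that parses FortiOS `config/edit/set/next/end` text and checks that the Fortigate side really mirrors the GCP settings: the local AS is the peer ASN entered in GCP, the neighbor is the Google BGP IP with Google's ASN, the tunnel interface carries the two 169.254.0.x addresses the right way round, and the IKE version agrees. It also flags the settings in the config above that a practitioner would want to revisit: the SHA-1 proposal, `service ALL`, and `logtraffic disable` on the VPN policies. `GCP_SIDE` holds the values from this post; `FORTIGATE_CONFIG` is a constructed, shortened excerpt of the config above, and you can paste in the output of `show` from a real unit instead.

```python
"""Added example: check that a FortiGate config mirrors the GCP Cloud VPN/BGP settings."""
import shlex

# GCP-side values as entered in the console in this post (y.y.y.y = GCP VPN address placeholder).
GCP_SIDE = {
    "google_asn": "65001", "peer_asn": "65002",
    "google_bgp_ip": "169.254.0.1", "peer_bgp_ip": "169.254.0.2",
    "ike_version": "2", "vpn_ip": "y.y.y.y",
}

# Constructed, shortened excerpt of the FortiGate config from this post (same values).
FORTIGATE_CONFIG = """\
! Google Cloud Platform VPN Connection
config vpn ipsec phase1-interface
    edit "GCP"
        set ike-version 2
        set proposal aes256-sha1
        set remote-gw y.y.y.y
    next
end
config system interface
    edit "GCP"
        set ip 169.254.0.2 255.255.255.255
        set remote-ip 169.254.0.1
    next
end
config firewall policy
    edit 25
        set srcintf "internal1"
        set dstintf "GCP"
        set service "ALL"
        set logtraffic disable
    next
end
config router bgp
    set as 65002
    config neighbor
        edit "169.254.0.1"
            set remote-as 65001
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts, e.g.
    {"router bgp": {"as": ["65002"], "neighbor": {"169.254.0.1": {"remote-as": ["65001"]}}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":             # comment lines in exported configs
            continue
        cur = stack[-1] if stack else root
        words = shlex.split(line)                   # honours "quoted names"
        if words[0] in ("config", "edit"):          # both open a nested block
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            cur[words[1]] = words[2:]               # values kept as a list of tokens
        elif words[0] == "unset":
            cur.pop(words[1], None)
        elif words[0] in ("next", "end"):
            if not stack:
                raise ValueError("unbalanced next/end: " + line)
            stack.pop()
    if stack:
        raise ValueError("config block left open")
    return root


def mirror_check(config_text, gcp=GCP_SIDE):
    """Return findings; an empty list means the FortiGate mirrors GCP and nothing looks weak."""
    cfg, out = parse_fortios(config_text), []
    p1s = {n: e for n, e in cfg.get("vpn ipsec phase1-interface", {}).items()
           if e.get("remote-gw") == [gcp["vpn_ip"]]}
    if not p1s:
        return ["no phase1-interface peers with the GCP VPN address " + gcp["vpn_ip"]]
    for name, p1 in p1s.items():
        if p1.get("ike-version", ["1"]) != [gcp["ike_version"]]:
            out.append(f"{name}: ike-version must match the GCP tunnel ({gcp['ike_version']})")
        weak = [p for p in p1.get("proposal", []) if p.endswith(("-sha1", "-md5"))]
        if weak:
            out.append(f"{name}: proposal {' '.join(weak)} uses a weak hash; GCP also accepts SHA-256")
        intf = cfg.get("system interface", {}).get(name, {})   # tunnel interface of the same name
        if intf.get("ip", [""])[0] != gcp["peer_bgp_ip"]:
            out.append(f"{name}: tunnel interface ip should be {gcp['peer_bgp_ip']} (GCP 'peer BGP IP')")
        if intf.get("remote-ip", [""])[0] != gcp["google_bgp_ip"]:
            out.append(f"{name}: tunnel interface remote-ip should be {gcp['google_bgp_ip']}")
        for pid, pol in cfg.get("firewall policy", {}).items():  # policies touching the tunnel
            if name in pol.get("srcintf", []) + pol.get("dstintf", []):
                if pol.get("logtraffic") == ["disable"]:
                    out.append(f"policy {pid}: logtraffic disabled on a VPN policy")
                if "ALL" in pol.get("service", []):
                    out.append(f"policy {pid}: service ALL; restrict to the ports you need")
    bgp = cfg.get("router bgp", {})   # our AS is GCP's "peer ASN"; neighbor = Google BGP IP / ASN
    if bgp.get("as") != [gcp["peer_asn"]]:
        out.append(f"router bgp: local AS should be {gcp['peer_asn']} (the peer ASN entered in GCP)")
    nbr = bgp.get("neighbor", {}).get(gcp["google_bgp_ip"])
    if nbr is None or nbr.get("remote-as") != [gcp["google_asn"]]:
        out.append(f"router bgp: need neighbor {gcp['google_bgp_ip']} with remote-as {gcp['google_asn']}")
    return out


if __name__ == "__main__":
    for finding in mirror_check(FORTIGATE_CONFIG) or ["mirror OK"]:
        print(finding)
```

Run it as is and it reports three findings against the post's own settings (the SHA-1 proposal and the wide-open, unlogged policy 25); swap the AS numbers and it also tells you which side got the "peer ASN" wrong, which is the most common way a mirrored setup fails to bring the BGP session up.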
Or after figuring this all out, you realize Google made a document for setting this all up already… groan…