Google Cloud Platform VPN To Fortigate Using BGP

I ventured to set this up, and it was actually easier than I thought. First, I created the settings in the GCP console.

  1. Create a static public IP for the VPN.
  2. Create a GCP cloud router. I chose the default network, the us-east1 region, and the private ASN 65001 for GCP. It’s important to note that only the subnet(s) for the region you select will be advertised in the BGP session.
  3. Create the VPN connection. Select your Fortigate WAN IP as the Remote peer IP address. I chose IKEv2 and entered my shared secret (a plain text password). Then I selected Dynamic (BGP) for routing and selected the router I created in step 2. The last step is to add the BGP session. The Peer ASN is the ASN you’re going to use locally; I chose 65002, but this can be an ASN you own or a private one. I left the route priority as default and used 169.254.0.1 for the Google BGP IP address and 169.254.0.2 for the Peer BGP IP address.

That’s it on the GCP side. Now on the Fortigate:

I used the GUI to create the IPSec VPN using the “Custom VPN tunnel” template. Essentially you mirror everything you did on the GCP side.

  1. Enter the IP address you created for the GCP VPN as the remote peer, select the WAN 1 interface, and enter the preshared key. I enabled Dead Peer Detection (DPD) and left NAT Traversal on. I also used IKEv2 and didn’t modify any of the Phase 2 settings except to give them a name.
  2. Then I configured the IP addresses on the new sub interface on WAN1 for the IPSec VPN.
  3. Next, you need to configure BGP: enter your ASN, the router-id (the IP you configured in GCP for the BGP session), and add a prefix (IP subnet) you want to advertise to GCP. I used 192.168.1.0/24, as that’s where my servers sit.
  4. Last, create the firewall policy. I used a destination address group of RFC 1918 address blocks since GCP networking can only use private IP addresses (even if you include private IP addresses you’re using locally, that’s fine; it’s just the policy, and the locally attached route will take precedence). The policy I created was a “route based” policy, meaning I used the VPN interface as the source and destination on two separate firewall policies.

And that should be it. Give it about 30 seconds to let the BGP session come up, then select a VM in GCP in the region you configured the VPN for and try to ping it. The config for the Fortigate was as follows:

! --------------------------------------------------------------------------------
! Google Cloud Platform
! VPN Connection
!
! Your ASN: 65002
! GCP ASN: 65001
! GCP IP: y.y.y.y
! GCP BGP Peer IP: 169.254.0.1
! Your BGP Peer IP: 169.254.0.2


! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption, 
! authentication, Diffie-Hellman, lifetime, and key parameters.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, 
! or other DH groups like 2, 14-18, 22, 23, and 24. 
! 
! The address of the external interface for your customer gateway must be a static address. 
! Your customer gateway may reside behind a device performing network address translation (NAT). 
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. 
! If not behind NAT, we recommend disabling NAT-T. 
!
! Configuration begins in root VDOM.

config vpn ipsec phase1-interface
  edit "GCP"
    set interface "wan1"

! The IPSec Dead Peer Detection causes periodic messages to be 
! sent to ensure a Security Association remains operational

    set dpd enable
    set nattraversal enable
    set ike-version 2
    set proposal aes256-sha1
    set dhgrp 15
    set keylife 28800
    set remote-gw y.y.y.y
    set psksecret ENC <long base64 encrypted string>
    set dpd-retryinterval 10
    set comments "VPN: GCP"
  next
end

! --------------------------------------------------------------------------------
! #2: IPSec Configuration
! 
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
! Please note, you may use these additionally supported IPSec parameters for encryption 
! like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.

config vpn ipsec phase2-interface
  edit "GCP"
    set phase1name "GCP"
    set proposal aes256-sha1
    set dhgrp 15
    set keepalive enable
    set auto-negotiate enable
    set keylifeseconds 3600
  next
end

! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! 
! A tunnel interface is configured to be the logical interface associated 
! with the tunnel. All traffic routed to the tunnel interface will be 
! encrypted and transmitted to GCP. Similarly, traffic from GCP
! will be logically received on this interface.
!

config system interface
  edit "GCP"
    set vdom "root"
    set ip 169.254.0.2 255.255.255.255
    set allowaccess ping
    set type tunnel
    set remote-ip 169.254.0.1
    set interface "wan1"
  next
end

! --------------------------------------------------------------------------------
! #4 Firewall Policy Configuration
!
! Create a firewall policy permitting traffic from your local subnet to GCP and vice versa
!
! This example policy permits all traffic from the local subnet to the GCP
!

config firewall policy
  edit 25
    set srcintf "internal1"
    set dstintf "GCP"
    set srcaddr "Main Network"
    set dstaddr "RFC_1918"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic disable
  next
  edit 26
    set srcintf "GCP"
    set dstintf "internal1"
    set srcaddr "RFC_1918"
    set dstaddr "Main Network"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic disable
  next
end

! --------------------------------------------------------------------------------
! #5: Border Gateway Protocol (BGP) Configuration
! 
! BGP is used within the tunnel to exchange prefixes between GCP and your VPN gateway. 
! GCP will announce the prefix defined in the BGP session configured as part of the 
! Cloud Router.
! 

config router bgp
  set as 65002
  set router-id 169.254.0.2
  config neighbor
    edit "169.254.0.1"
      set remote-as 65001
      set send-community6 disable
    next
  end

! Enter this portion to explicitly advertise a prefix
  config network
    edit 1
      set prefix 192.168.1.0 255.255.255.0
    next
  end

! Enter this portion to redistribute connected routes, you
! may not want to send all of these

  config redistribute "connected"
    set status enable
  end

! Enter this portion to redistribute static routes, you
! may not want to send all of these

  config redistribute "static"
    set status enable
  end
end

! This portion is optional and probably not needed

config router prefix-list
  edit "default_route"
    config rule
      edit 1
        set prefix 192.168.1.0 255.255.255.0
        unset ge
        unset le
      next
    end
  next
end

config router route-map
  edit "gcp_route_map"
    config rule
      edit 1
        set match-ip-address "default_route"
      next
    end
  next
end
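The config above is worth a second read before it goes live: the phase1/phase2 proposal is aes256-sha1, both firewall policies have logtraffic disabled and service ALL, and connected/static redistribution is enabled with the route-map left unused. As an added example (not code from the original post), here is a small Python audit that parses Fortigate CLI config/edit/set blocks and reports exactly those points; it handles space-separated multi-proposal lines as well as the single proposal shown above. The sample it runs on is constructed from fragments of the config on this page.

```python
from collections import defaultdict
# Constructed sample modelled on the page's Fortigate config, not the author's full file.
SAMPLE = """config vpn ipsec phase1-interface
  edit "GCP"
    set proposal aes256-sha1
  next
end
config firewall policy
  edit 25
    set service "ALL"
    set logtraffic disable
  next
end
config router bgp
  config redistribute "connected"
    set status enable
  end
end
"""
WEAK = {"sha1", "md5", "des", "3des"}  # hash/cipher tokens a proposal should not carry

def parse(text):
    """Flatten Fortigate CLI into {path: {key: value}}; path = (section, edit id, ...)."""
    objs, stack = defaultdict(dict), []
    for line in text.splitlines():
        tok = line.strip().split(None, 1) + ["", ""]  # pad so kw/rest always exist
        kw, rest = tok[0], tok[1]
        if kw in ("config", "edit"):
            stack.append(rest.replace('"', ""))
        elif kw in ("end", "next"):  # 'end' closes config, 'next' closes edit
            stack.pop()
        elif kw == "set":
            k, _, v = rest.partition(" ")
            objs[tuple(stack)][k] = v.strip().strip('"')
    return objs

def audit(objs):
    """Return (path, message) findings a reviewer would raise on this config."""
    out = []
    for path, cfg in objs.items():
        sub = path[1] if len(path) > 1 else ""
        algs = set(cfg.get("proposal", "").replace(" ", "-").split("-"))
        if path[0].startswith("vpn ipsec phase") and algs & WEAK:
            out.append((path, "weak proposal %s: prefer sha256 or an AES-GCM proposal" % cfg["proposal"]))
        if path[0] == "firewall policy" and cfg.get("logtraffic") == "disable":
            out.append((path, "logtraffic disabled: tunnel flows leave no record for review"))
        if path[0] == "firewall policy" and cfg.get("service") == "ALL":
            out.append((path, "service ALL: restrict to the ports the servers need"))
        if path[0] == "router bgp" and sub.startswith("redistribute") and cfg.get("status") == "enable" and "route-map" not in cfg:
            out.append((path, "redistribution without route-map: every connected/static prefix is advertised"))
    return out
```

Run `audit(parse(open("fortigate.conf").read()))` on a real backup to get the same findings for your own box.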

Or after figuring this all out, you realize Google made a document for setting this all up already… groan…
