Configuring a VPN to the Google Cloud

Version 3

    Top-Logo-Google.png

    Configuring a VPN to the Google Cloud

     

    This document will cover how to connect to Google Cloud Platform using AOS devices.  Computers on the local side of the connection will be able to use the VPN tunnel to reach the Google Cloud and communicate with remote servers set up there.


    Hardware and Software Requirements and Limitations

    Deployment Considerations

    Google Configuration

    AOS Configuration

    Verification

    Troubleshooting


    Hardware and Software Requirements and Limitations

    This configuration guide is applicable to ADTRAN AOS devices running the enhanced feature pack version of AOS, allowing for VPN connectivity.  Only VPN connections using static routes can be implemented with this connection; dynamic routing protocols cannot be used with this tunnel.


    Deployment Considerations

    The focus of this document is how to configure an AOS unit to establish a VPN connection to a Google Cloud account.  Before beginning VPN configuration, the Google instance should already be configured.  On the ADTRAN side, the VPN tunnel must be configured for main mode. This document will cover how to set up the VPN as it pertains to connecting to Google's Cloud. The guide Configuring a VPN using Main Mode can be referenced for more information on how to configure the ADTRAN.


    Google Configuration

    1.  Use the following settings to configure the Google side of the VPN.  Google only allows AES-128 for encryption and SHA for the hash.  By default Google selects IKEv2, so change that to IKEv1.  The configuration will look as follows:

     

    Google-New.png

     

    AOS Configuration

    1. Before starting.

     

    Google provides the same VPN requirements for every tunnel, aside from the peer, the Pre-Shared Key, and private networks that match  the VPN selectors.  The private network can be found on the Google side by going to Compute, then Compute Engine and look at Networks.  The following configuration information can be used on the ADTRAN as it is, except where otherwise indicated.

     

    2. Configuration using the GUI

    Go to Data then to VPN peers. Create a new peer.  Then configure it as follows.

     

    Goog-Main.jpg

                b. The  IKE settings are configured here.  It will always be AES-128 and Sha with Diffie Hellman Group 2.

     

        IKE-Google.png

     

                c.  The local IP subnet is the used for the local network.  In this example the router is configured with 192.168.8.0/24.

     

    Source-Google.png

     

                d. The Remote IP subnet is the network on the Google side. If there is any question of what this is go to Compute, then Compute Engine and look at Networks.  It will show the addresses there.  In this case the subnet is 10.240.0.0./16.

     

    Destination-Google.png

     

    3. Configuration using the CLI

     

                a. Here’s a sample configuration for command line. Just fill in the information for the Google connection where relevant.

    crypto ike policy 105
    initiate main
    respond anymode
    local-id address 76.164.174.115
    peer 146.148.77.149
    attribute 3
    encryption aes-128-cbc
    authentication pre-share
    group 2
    !     
    crypto ike remote-id any preshared-key xxxxxxxxxx ike-policy 105 crypto map VPN 10 no-mode-config no-xauth
    !     
    !     
    ip crypto ipsec transform-set esp-aes-128-cbc-esp-sha-hmac esp-aes-128-cbc esp-sha-hmac
    mode tunnel
    !     
    ip crypto map VPN 10 ipsec-ike
    description GoogleDataCenter
    match address ip VPN-10-vpn-selectors
    set peer 146.148.77.149
    set transform-set esp-aes-128-cbc-esp-sha-hmac
    set pfs group2
    ike-policy 105

    ip access-list extended VPN-10-vpn-selectors
    permit ip 192.168.8.0 0.0.0.255  10.240.0.0 0.0.255.255

    ip policy-class Private
    allow list VPN-10-vpn-selectors stateless

    ip policy-class Public
    allow reverse list VPN-10-vpn-selectors stateless

     

    Crypto map VPN will be put on the primary WAN interface.

     

    Verification

    Ping from within the ADTRAN to bring up the tunnel.  The command to ping from within the ADTRAN is ping <private ip address on the Google instance> source <private ip address on the AOS device>.  In the example configuration it might look like ping 10.240.88.83 source 192.168.8.1.  This creates traffic to match the VPN selectors.  If the ping to the Google instance succeeds then the VPN is connected. 


    Troubleshooting

    There's no troubleshooting that can be done the Google side.  Debug crypto ike neg on the ADTRAN side should tell how far the negotiation is getting.

    For detailed instructions on troubleshooting the VPN check out our Guide to Main Mode VPN.  There is a troubleshooting section at the end that has the steps to go through.