cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configuring a VPN to the Google Cloud

Configuring a VPN to the Google Cloud

Top-Logo-Google.png

Configuring a VPN to the Google Cloud

This document will cover how to connect to Google Cloud Platform using AOS devices.  Computers on the local side of the connection will be able to use the VPN tunnel to reach the Google Cloud and communicate with remote servers set up there.


Hardware and Software Requirements and Limitations

Deployment Considerations

Google Configuration

AOS Configuration

Verification

Troubleshooting


Hardware and Software Requirements and Limitations

This configuration guide is applicable to ADTRAN AOS devices running the enhanced feature pack version of AOS, allowing for VPN connectivity.  Only VPN connections using static routes can be implemented with this connection; dynamic routing protocols cannot be used with this tunnel.


Deployment Considerations

The focus of this document is how to configure an AOS unit to establish a VPN connection to a Google Cloud account.  Before beginning VPN configuration, the Google instance should already be configured.  On the ADTRAN side, the VPN tunnel must be configured for main mode. This document will cover how to set up the VPN as it pertains to connecting to Google's Cloud. The guide Configuring a VPN using Main Mode can be referenced for more information on how to configure the ADTRAN.


Google Configuration

1.  Use the following settings to configure the Google side of the VPN.  Google only allows AES-128 for encryption and SHA for the hash.  By default Google selects IKEv2, so change that to IKEv1.  The configuration will look as follows:

Google-New.png

AOS Configuration

1. Before starting.

Google provides the same VPN requirements for every tunnel, aside from the peer, the Pre-Shared Key, and private networks that match  the VPN selectors.  The private network can be found on the Google side by going to Compute, then Compute Engine and look at Networks.  The following configuration information can be used on the ADTRAN as it is, except where otherwise indicated.

2. Configuration using the GUI

Go to Data then to VPN peers. Create a new peer.  Then configure it as follows.

Goog-Main.jpg

            b. The  IKE settings are configured here.  It will always be AES-128 and Sha with Diffie Hellman Group 2.

    IKE-Google.png

            c.  The local IP subnet is the used for the local network.  In this example the router is configured with 192.168.8.0/24.

Source-Google.png

            d. The Remote IP subnet is the network on the Google side. If there is any question of what this is go to Compute, then Compute Engine and look at Networks.  It will show the addresses there.  In this case the subnet is 10.240.0.0./16.

Destination-Google.png

3. Configuration using the CLI

            a. Here’s a sample configuration for command line. Just fill in the information for the Google connection where relevant.


crypto ike policy 105
initiate main
respond anymode
local-id address 76.164.174.115
peer 146.148.77.149
attribute 3
encryption aes-128-cbc
authentication pre-share
group 2
!     
crypto ike remote-id any preshared-key xxxxxxxxxx ike-policy 105 crypto map VPN 10 no-mode-config no-xauth
!     
!     
ip crypto ipsec transform-set esp-aes-128-cbc-esp-sha-hmac esp-aes-128-cbc esp-sha-hmac
mode tunnel
!     
ip crypto map VPN 10 ipsec-ike
description GoogleDataCenter
match address ip VPN-10-vpn-selectors
set peer 146.148.77.149
set transform-set esp-aes-128-cbc-esp-sha-hmac
set pfs group2
ike-policy 105


ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.8.0 0.0.0.255  10.240.0.0 0.0.255.255


ip policy-class Private
allow list VPN-10-vpn-selectors stateless


ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless



Crypto map VPN will be put on the primary WAN interface.












Verification

Ping from within the ADTRAN to bring up the tunnel.  The command to ping from within the ADTRAN is ping <private ip address on the Google instance> source <private ip address on the AOS device>.  In the example configuration it might look like ping 10.240.88.83 source 192.168.8.1.  This creates traffic to match the VPN selectors.  If the ping to the Google instance succeeds then the VPN is connected. 


Troubleshooting

There's no troubleshooting that can be done the Google side.  Debug crypto ike neg on the ADTRAN side should tell how far the negotiation is getting.

For detailed instructions on troubleshooting the VPN check out our Guide to Main Mode VPN.  There is a troubleshooting section at the end that has the steps to go through.

Version history
Last update:
‎07-10-2015 01:53 PM
Updated by:
Anonymous
Contributors