Configuring a VPN to the Google Cloud
This document will cover how to connect to Google Cloud Platform using AOS devices. Computers on the local side of the connection will be able to use the VPN tunnel to reach the Google Cloud and communicate with remote servers set up there.
This configuration guide is applicable to ADTRAN AOS devices running the enhanced feature pack version of AOS, allowing for VPN connectivity. Only VPN connections using static routes can be implemented with this connection; dynamic routing protocols cannot be used with this tunnel.
The focus of this document is how to configure an AOS unit to establish a VPN connection to a Google Cloud account. Before beginning VPN configuration, the Google instance should already be configured. On the ADTRAN side, the VPN tunnel must be configured for main mode. This document will cover how to set up the VPN as it pertains to connecting to Google's Cloud. The guide Configuring a VPN using Main Mode can be referenced for more information on how to configure the ADTRAN.
1. Use the following settings to configure the Google side of the VPN. Google only allows AES-128 for encryption and SHA for the hash. By default Google selects IKEv2, so change that to IKEv1. The configuration will look as follows:
1. Before starting.
Google provides the same VPN requirements for every tunnel, aside from the peer, the Pre-Shared Key, and private networks that match the VPN selectors. The private network can be found on the Google side by going to Compute, then Compute Engine and look at Networks. The following configuration information can be used on the ADTRAN as it is, except where otherwise indicated.
Go to Data then to VPN peers. Create a new peer. Then configure it as follows.
b. The IKE settings are configured here. It will always be AES-128 and Sha with Diffie Hellman Group 2.
c. The local IP subnet is the used for the local network. In this example the router is configured with 192.168.8.0/24.
d. The Remote IP subnet is the network on the Google side. If there is any question of what this is go to Compute, then Compute Engine and look at Networks. It will show the addresses there. In this case the subnet is 10.240.0.0./16.
a. Here’s a sample configuration for command line. Just fill in the information for the Google connection where relevant.
crypto ike policy 105
local-id address 18.104.22.168
crypto ike remote-id any preshared-key xxxxxxxxxx ike-policy 105 crypto map VPN 10 no-mode-config no-xauth
ip crypto ipsec transform-set esp-aes-128-cbc-esp-sha-hmac esp-aes-128-cbc esp-sha-hmac
ip crypto map VPN 10 ipsec-ike
match address ip VPN-10-vpn-selectors
set peer 22.214.171.124
set transform-set esp-aes-128-cbc-esp-sha-hmac
set pfs group2
ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.8.0 0.0.0.255 10.240.0.0 0.0.255.255
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
Crypto map VPN will be put on the primary WAN interface.
Ping from within the ADTRAN to bring up the tunnel. The command to ping from within the ADTRAN is ping <private ip address on the Google instance> source <private ip address on the AOS device>. In the example configuration it might look like ping 10.240.88.83 source 192.168.8.1. This creates traffic to match the VPN selectors. If the ping to the Google instance succeeds then the VPN is connected.
There's no troubleshooting that can be done the Google side. Debug crypto ike neg on the ADTRAN side should tell how far the negotiation is getting.
For detailed instructions on troubleshooting the VPN check out our Guide to Main Mode VPN. There is a troubleshooting section at the end that has the steps to go through.