Barracuda SecureEdge

How to Configure an IPsec IKEv2 Site-to-Site VPN to a Google Cloud VPN Gateway Using BGP

To connect to the Google Cloud VPN gateway, create an IPsec IKEv2 site-to-site VPN tunnel on your SecureEdge, and configure BGP to exchange information with the Google BGP peer.

Before You Begin

  • You will need the following information:
    • Public IP address of your SecureEdge Private Edge Service (on-premises)
    • (private) ASN number
  • Create a VPC network in Google Cloud.

Step 1. Create a Google Cloud Router

  1. Go to https://console.cloud.google.com.
  2. Click the hamburger menu in the upper-left corner.
  3. In the Networking section, click Network Connectivity.
  4. In the left menu, click + Cloud Routers.
  5. In the main area, click CREATE ROUTER.
  6. Configure the settings for the Google Cloud router:
    • Name – Enter a name for the cloud router.
    • Network – Select the network from the list.
    • Region – Select the region from the list.
    • Google ASN – Enter a private ASN. This ASN number must be unique in your network.
  7. Click Create.

Step 2. Create a Google VPN

  1. Go to https://console.cloud.google.com.
  2. Click the hamburger menu in the upper-left corner.
  3. In the Networking section, click Network Connectivity.
  4. In the left menu, click VPN.
  5. In the main area, click + VPN SETUP WIZARD.
  6. The Create a VPN page opens. Select High-availability (HA) VPN and click CONTINUE.
  7. Configure the Create Cloud HA VPN gateway settings:
    • VPN gateway name – Enter a name. 
    • Network – Select your Google Cloud network from the list.
    • Region – Select the region for the Google VPN gateway. Select a location close to your on-premises SecureEdge appliance.
    • VPN gateway IP version – Select an HA VPN gateway IP version. Note that the IP version of the HA VPN gateway and the peer VPN gateway must be the same.
    • VPN gateway IP stack type – Select a stack type for the VPN gateway.
  8. Click CREATE & CONTINUE.
  9. You can see that two external IP addresses are automatically allocated for each of your gateway interfaces. Make a note of the details of your gateway configuration for future use. 
  10. Configure a VPN tunnel in the Add VPN tunnels settings:
    • Peer VPN gateway – Select On-prem or Non Google Cloud.
    • Peer VPN gateway name – Select an existing peer VPN gateway from the drop-down menu or click Create a new peer VPN gateway. Note: This peer VPN gateway resource represents your remote peer gateway. Under Peer VPN gateway interfaces, you can select one, two, or four interfaces, depending on the type of interfaces your peer gateway has, and specify the external IP address used for that interface. E.g., 80.109.163.8.
    • High Availability – Select Create a single VPN tunnel. Note: A single tunnel does not provide high availability. However, you can add more tunnels later when needed.
    • Verify that the Routing Options display as Dynamic (BGP).
    • Cloud router – Select the cloud router created in Step 1.
    • Name – Enter the name.
    • IKE version – Select IKEv2.
    • IKE pre-shared key – Enter either a passphrase as the shared secret, or click GENERATE AND COPY. Note: Make sure you record the pre-shared key in a secure location.

      The shared secret can consist of lowercase and uppercase letters, numbers, and non-alphanumeric symbols, except the hash sign (#).


  11. Click CREATE & CONTINUE.
  12. The Configure BGP sessions page opens.
  13. Click CONFIGURE BGP SESSION FOR <TUNNEL-CAMPUS> to configure the BGP session.
  14. The Create BGP session page opens. Configure the BGP session for the cloud router:
    • BGP session type – Select IPv4 BGP session.
    • Name – Enter a name for the BGP configuration.

    • Peer ASN – Enter the ASN assigned to the on-premises SecureEdge appliance.

    • (optional) Advertised route priority – Enter a priority value. Routes with higher priorities are preferred.

    • Allocate BGP IPv4 address – Select Manually.

      • Cloud Router BGP IPv4 address – Enter the first IP address in a private /30 subnet. The IP address must be in the same /30 network as the peer BGP IP address. E.g., 169.254.1.1
      • Peer BGP IPv4 address – Enter the second IP address in the private /30 subnet used for the Google BGP IP address. E.g., 169.254.1.2
  15. Click SAVE AND CONTINUE. 
  16. Verify the BGP session you have configured and click SAVE BGP CONFIGURATION.
  17. The Summary and reminder page opens.
  18. Click OK.

Wait for the VPN tunnel to be created.
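
The BGP addressing, ASN, and pre-shared key constraints from Step 2 can be checked before the values are entered on either side. The following Python check is an added example, not Barracuda or Google code; the function names and the sample key are assumptions, and the addresses and ASNs are the example values used on this page.

```python
import ipaddress

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(low <= asn <= high for low, high in PRIVATE_ASN_RANGES)


def check_bgp_session(cloud_router_ip, peer_ip, google_asn, peer_asn, psk):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    router = ipaddress.ip_address(cloud_router_ip)
    peer = ipaddress.ip_address(peer_ip)
    # The /30 containing the Cloud Router address has exactly two usable hosts.
    link = ipaddress.ip_network(f"{router}/30", strict=False)
    usable = list(link.hosts())

    if router not in usable:
        problems.append(f"{router} is the network or broadcast address of {link}")
    if peer not in link:
        problems.append(f"{peer} is not in the same /30 as {router} ({link})")
    elif peer not in usable:
        problems.append(f"{peer} is the network or broadcast address of {link}")
    elif peer == router:
        problems.append("Cloud Router and peer use the same BGP address")

    for label, asn in (("Google ASN", google_asn), ("Peer ASN", peer_asn)):
        if not is_private_asn(asn):
            problems.append(f"{label} {asn} is not a private-use ASN")
    if google_asn == peer_asn:
        problems.append("Google ASN and Peer ASN must differ")

    if not psk:
        problems.append("pre-shared key is empty")
    elif "#" in psk:
        problems.append("pre-shared key contains '#', which is not allowed")
    return problems


# Addresses and ASNs are this page's example values; the key is a constructed sample.
SAMPLE_PSK = "Constructed-Sample_Key!2024"
if __name__ == "__main__":
    print(check_bgp_session("169.254.1.1", "169.254.1.2", 64512, 65200, SAMPLE_PSK))
    print(check_bgp_session("169.254.1.1", "169.254.1.5", 64512, 64512, "bad#key"))
```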


Step 3. Configure an IPsec IKEv2 Site-to-Site VPN on the SecureEdge

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.
  3. Go to Integration > IPsec VPN. The IPsec VPN page opens. To add a tunnel, click Add IPsec Tunnel.

  4. The Create IPsec Tunnel window opens. 
    • In the General tab, specify values for the following:
      • Enable – Click to enable.
      • Initiates – Click to enable.
    • In the GENERAL INFORMATION section, specify values for the following:
      • Name – Enter a unique tunnel name. E.g., SEtoGoogleVPNGateway
      • Description – Enter a brief description.
    • In the AUTHENTICATION section, specify values for the following: 
      • Authentication – Select Pre-shared key.
      • Shared Secret – Enter the Google IKE pre-shared key created in Step 2.

  5. Click Next.
  6. In the Source/Destination tab, specify values for the following:
    • Enable BGP – Click to enable.
    • In the SOURCE section, specify values for the following:
      • Type – Select Edge Service or Site.
      • Peer – Select the peer. E.g., Austria, a Private Edge Service.
      • WAN Interface – Select Wan1. Note: Wan1 is a static WAN interface, and the primary address 15.45.125.5 is selected.
      • Local ID – Enter West-Europe-WAN1.
      • Network Addresses – Enter the peer BGP IP address from Step 2. E.g., 169.254.1.2/30
      • ASN – Enter 65200
    • In the DESTINATION section, specify values for the following:
      • Remote Gateway – Enter the gateway IP address of the Google Cloud VPN. E.g., 34.157.60.11
      • Remote ID – Enter the gateway IP Address of the Google Cloud VPN. E.g., 34.157.60.11
      • Network Address – Enter the Google VPN IP address. E.g., 169.254.1.1
      • ASN – Enter 64512
  7. Click Next.
  8. In the Phases tab, enter the Phase1 and Phase2 encryption settings:
    • PHASE 1 
      • Encryption – Select AES.
      • Hash – Select MD5.
      • DH-Group – Select Group 2.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 28800
    • PHASE 2 
      • Encryption – Select AES.
      • Hash – Select SHA.
      • DH-Group – Select Group 14.
      • Proposal Handling – Select Strict
      • Lifetime – Enter 3600
  9. Click Next.
  10. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following: 
    • Force UDP Encapsulation – Click to enable.  
    • IKE Reauthentication – Click to enable. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select Restart.
    • Delay – Enter 1800
  11. Click Save.
  12. Verify that your IPsec tunnel configuration has been created successfully and click Finish.
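
The Phase 1 and Phase 2 selections in Step 3 can be compared with the IKEv2 algorithm requirement levels published in RFC 8247. This Python check is an added example, not Barracuda or Google code; the dictionary layout and function names are assumptions, and the GUI value SHA is taken to mean SHA-1.

```python
# Requirement levels from RFC 8247 (algorithm guidance for IKEv2); RFC 8221
# gives the hashes listed here the same levels for ESP.
# Assumption: the GUI value "SHA" means SHA-1.
HASH_LEVEL = {"md5": "MUST NOT", "sha": "MUST-", "sha1": "MUST-", "sha256": "MUST"}
DH_LEVEL = {1: "MUST NOT", 2: "SHOULD NOT", 5: "SHOULD NOT",
            14: "SHOULD+", 19: "SHOULD", 22: "MUST NOT"}
DISCOURAGED = {"MUST NOT", "SHOULD NOT"}


def lint_proposal(phase, proposal):
    """Return findings for one phase; an empty list means nothing was flagged."""
    findings = []
    # Normalize GUI-style values such as "SHA-256" or "Group 14".
    hash_name = str(proposal["hash"]).strip().lower().replace("-", "")
    group = int(str(proposal["dh_group"]).lower().replace("group", "").strip())
    for field, value, level in (
        ("hash", hash_name, HASH_LEVEL.get(hash_name)),
        ("dh_group", group, DH_LEVEL.get(group)),
    ):
        if level is None:
            findings.append((phase, field, value, "not in table, review manually"))
        elif level in DISCOURAGED:
            findings.append((phase, field, value, f"RFC 8247: {level}"))
    return findings


def lint_tunnel(phase1, phase2):
    return lint_proposal("phase1", phase1) + lint_proposal("phase2", phase2)


# The Phase 1 and Phase 2 values from Step 3 of this page.
PAGE_PHASE1 = {"encryption": "AES", "hash": "MD5", "dh_group": "Group 2", "lifetime": 28800}
PAGE_PHASE2 = {"encryption": "AES", "hash": "SHA", "dh_group": "Group 14", "lifetime": 3600}
# A constructed Phase 1 for comparison (not from the page).
CONSTRUCTED_PHASE1 = {"encryption": "AES", "hash": "SHA-256", "dh_group": "Group 14", "lifetime": 28800}

if __name__ == "__main__":
    for finding in lint_tunnel(PAGE_PHASE1, PAGE_PHASE2):
        print(finding)
```

Any change to these values has to be made on both tunnel endpoints, because Proposal Handling is set to Strict.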