Configure Tunnels with Google Cloud Platform IPsec
Google Cloud Platform (GCP) offers multiple edge device options that are capable of setting up an IPsec tunnel between GCP Virtual Private Cloud (VPC) and Cisco Umbrella. This document focuses on the GCP Cloud VPN and Cisco Cloud Services Router (CSR) 1000V options.
Table of Contents
Google Cloud Platform (GCP) VPN
GCP Cloud VPN supports two VPN options, a classic VPN where a single tunnel to the remote peer is configured, and a high-availability option where two tunnels are configured. One acts as an active tunnel and the other as a standby. Because the high-availability option requires BGP peering with remote peers, this option is currently not supported by Umbrella. Currently, only a classic VPN configuration is supported.
Configure GCP
Configure Google Cloud VPN tunnels.
- Navigate to Networking > Hybrid Connectivity > VPN and click Create VPN Connection.
Note: If you already have a network gateway deployed, add another tunnel to the gateway.
- Select Classic VPN and click Continue.
- Under Google Compute VPN gateway, give your gateway a meaningful name. Then select your Network, Region, and IP Address.
Note: Because GCP Cloud VPN does not support IKEv2 FQDN, the public IP address is used as the IKE identity.
- In the Tunnels section, give your tunnel a meaningful name and add an Umbrella datacenter for the Remote peer IP address. Choose IKEv2 from the IKE Version drop-down and enter a pre-shared key.
- For Routing Options, select Route-Based , type 0.0.0.0/0 (any) as remote subnet, and click Done.
- Navigate to Networking > Hybrid Connectivity > VPN > Cloud VPN Gateways and note the public IP address. This IP address is used to add the tunnel in Umbrella.
Route Traffic to the Google Cloud VPN Tunnel
- Navigate to Networking > VPC Network > Routes and click Create Route.
- Give your route a meaningful name and select the network the route will be applied to. Add the remote network (0.0.0.0/0 – any) for the destination IP range and change the priority to lower than 1000 to take precedence over GCP default route configuration.
- Choose Specify VPN Tunnel in the Next Hop drop-down, choose the newly created tunnel in the VPN Tunnel drop-down, and then click Create.
The new route is listed in the routing table.
Note: The tunnel still needs to be created in the Umbrella dashboard; however, traffic will be sent through Umbrella.
Add the GCP Cloud VPN Gateway to Umbrella
GCP VPN authenticates to Umbrella IPsec headend through Pre-Shared Key – PSK and IKEv2 IP identity.
- In Umbrella, navigate to Deployments > Core Identities > Network Tunnels and click Add. You need the public IP address of the GCP Cloud VPN Gateway (in GCP, Networking > Hybrid Connectivity > VPN > Cloud VPN Gateways).
- Provide a meaningful name to the network and choose Other for Device Type.
- Select IP Address/Network as the Authentication Method. Under tunnel ID, type the GCP Cloud VPN Gateway network identity (GCP VPN Gateway public IP address), provide a pre-shared key between 16 and 64 characters (the one used in GCP VPN configuration) and click Save.
Note: The tunnel is listed as Not Established until the first IKEv2 INIT message containing the tunnel identity is seen in one of the Umbrella data centers.
Acquire GCP VPN Logs
GCP provides all IKE session logs. These logs can be used to troubleshoot tunnel establishment issues.
- Navigate to Networking > Hybrid Connectivity > VPN > Cloud VPN Tunnels and click the tunnel name.
- From the Details tab, click View Logs.
Cisco Cloud Services Router (CSR) 1000V
The Cisco Cloud Services Router – CSR1000V is the preferred option for GCP deploys. This virtual router runs Cisco’s IOS-XE software, a features rich routing and security virtual appliance. Some key capabilities include multiple tunnel support for higher throughout (Equal-cost Multi-path routing support) and policy routing (ability to route specific traffic to the tunnel based on source and destination IP/Port/Protocol).
Deploy the Cisco Cloud Services Router (CSR) 1000V
There are a few software CSR1000V software versions available in GCP marketplace.
- Navigate to GCP Marketplace, search for CSR1000V, select the required software option, and then click Launch.
Note: GCP currently only allows SSH key authentication, local user can be configured after deployment in CSR1000V command line interface. To deploy you will need a RSA private/public key pair. SSH Keygen can be user to generate this key pair (ssh-keygen -t rsa -f /FILE_PATH/gcp-key -C labadmin
).
- In the instance configuration page, provide a meaningful name, username, SSH public key, and select a zone.
- Under Machine type, select a machine family, series, and machine type.
Umbrella supports n1-standard-2, n1-standard-4 and n1-standard-8 machine types.
- Under Networking, select the VPC and subnet for the internet facing interface (GigabitEthernet1), enter a public IP (both static and ephemeral are supported), and check off the appropriate firewall rules.
- Add an additional network interfaces, accept the terms and click Deploy.
Route Traffic to the CSR1000V Tunnel
Update the VPC route table to send traffic to Umbrella tunnel.
- Navigate to Networking > VPC Networks > Routes and click Create Route.
- Provide a name, select the network (VPC) the route will apply to, enter a destination range 0.0.0.0/0 (any), and change the priority to lower than 1000.
- Choose Specify an instance in the Next hop drop-down, choose the CSR1000V instance as the Next hop instance and click Create.
The new route will show up in the routing table.
Create Firewall Rules for the CSR1000V Tunnel
GCP applies firewall rules at the virtual instance level so two firewall rules need to be created: one that allow all traffic from the virtual network going outside (egress) and another permitting from the virtual network to the CSR1000V router (ingress).
Configure CSR1000V as a Single Tunnel
For single tunnel configuration, the tunnel can be sourced from the internet facing interface (GigabitEthernet1) as only one IKE over UDP session will exist from router IP address to Umbrella datacenter.
Use your preferred command-line application for the following steps:
- Create a Virtual Routing and Forwarding – VRF instance to segment the global routing table (internet facing interface) from the inside routing table (GCP virtual subnet facing interfaces).
!
vrf definition INSIDE
description *** INSIDE INTERFACES ***
!
address-family ipv4
exit-address-family
!
Both inside and outside interfaces can remain configured for DHCP IP address assignment. The inside interface should be added to the INSIDE VRF.
!
interface GigabitEthernet1
description **** OUTSIDE ****
ip address dhcp
!
interface GigabitEthernet2
description **** INSIDE ****
vrf forwarding INSIDE
ip address dhcp
- Add an IKEv2 profile, an IPsec profile, and a IKEv2 proposal (new or change default), and transform-set. The tunnel identity and Pre-Shared Key should be created in Umbrella in advance in Deployments > Core Identities > Network Tunnels.
For more information about Umbrella supported IKEv2 and IPsec parameters, see Supported IPsec Parameters.
!
! *** IKEv2 ciphers ***
!
crypto ikev2 proposal default
encryption aes-gcm-256
integrity sha512 sha384 sha256 sha1
group 19 20
!
!
! *** IKEv2 authentication parameters (tunnel identity and PSK) ***
!
crypto ikev2 profile UMB_IKE_PROFILE_T1
match identity remote address 146.112.0.0 255.255.0.0
identity local email [email protected]
authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dpd 10 2 periodic
!
!
! *** Maximum IKEv2 packet size to avoid fragmentation in the path ***
!
crypto ikev2 fragmentation mtu 1280
!
!
! *** IPSec ciphers ***
!
crypto ipsec transform-set UMB_IPSEC_TRANSFORM_SET esp-gcm 256
!
!
! *** IPsec profile linking transform-set and IKEv2 profile, assigned to the tunnel interface ***
!
crypto ipsec profile UMB_IPSEC_PROFILE_T1
set transform-set UMB_IPSEC_TRANSFORM_SET
set ikev2-profile UMB_IKE_PROFILE_T1
- Configure the virtual tunnel interface.
!
! *** Tunnel interface in the INSIDE VRF, sourced from G1 interface and protected by IPsec profile ***
!
interface Tunnel1
vrf forwarding INSIDE
ip unnumbered GigabitEthernet1
!
! * TCP Adjust-MSS intercepts TCP handshake and changes MTU to 1280 to avoid fragmentation *
ip tcp adjust-mss 1280
!
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 146.112.83.8
tunnel protection ipsec profile UMB_IPSEC_PROFILE_T1
!
!
- Route the traffic to the Umbrella tunnel through one of the following two options:
- Create a static route that is added to the inside VRF and sends all traffic to the tunnel. Global VRF default route will not overlap as the routes are in different VRFs (different routing tables).
!
ip route vrf INSIDE 0.0.0.0 0.0.0.0 Tunnel1
!
- Use the policy routing to send the traffic to Umbrella. This option allows more granular control as to what should be sent through the tunnel or direct internet access (DIA). Policy routing uses an access list to match the traffic that will be routed and then a route-map to set the tunnel as next hope.
!
! *** Sample Access List with few possible match statements, can use one or many of these entries ***
!
ip access-list extended TRAFFIC_TO_UMB
10 permit ip host 172.16.10.103 any
20 permit ip any any
30 permit tcp any any eq www
!
!
! *** Route-map matching the access list and setting the tunnel as next-hop ***
!
route-map ROUTE_TO_UMBRELLA permit 10
match ip address TRAFFIC_TO_UMB
set interface Tunnel1
!
!
! *** Route-map assigned to inside interface ***
!
interface GigabitEthernet2
description **** INSIDE ****
ip policy route-map ROUTE_TO_UMBRELLA
!
Use Multiple Tunnels with CSR1000V
Single tunnel deployment limits the maximum throughout to the throughput of one tunnel (currently 250Mbps per direction). For higher throughput, multiple tunnels should be added and Equal-Cost Multi-Path routing used to distribute the connections among the available tunnels (load sharing).
Cisco Express Forwarding
Each connection should always go through the same tunnels. Umbrella tunnels are part of a service chain. Thus, single packet load balancing is not supported. Instead, Umbrella supports single connection load sharing. Single connection load sharing is achieved by using Cisco Express Forwarding – CEF universal algorithm (default algorithm in Cisco devices). The universal algorithm creates a hash of source and destination IP and port and sends each connection to the same next-hop. For more information, see Load-Balancing Algorithms.
In multiple tunnels deployment each tunnel should be sourced from a different interface and NATed to the outside interface. Umbrella forces NAT transversal so not only IKE connection is over UDP but also ESP is encapsulated in UDP and both IKE and ESP uses source and destination port UDP 4500. The issue is when the router creates multiple tunnels to the same destination address (same Umbrella data center). The router does not use a different source port, so all tunnels must have the same source IP/Port (for example. 1.2.3.4:4500) and destination IP/Port (for example, 146.112.83.8:4500). The router will only be able to bring one tunnel up as connection information will be exactly the same (all tunnels from 1.2.3.4:4500 to 146.112.83.8:4500) so the router does not know what tunnel the traffic belongs to.
To address this limitation, each tunnel should be sourced from a different loopback interface and then traffic from loopback interface should be NATed (NAT PAT or NAT Overload) to the outside interface. After the NAT process, each tunnel will have a different source port so the router can use the source port to direct the traffic to the right tunnel (tunnel1 from 1.2.3.4:11111 to 146.112.83.8:4500 / tunnel2 from 1.2.3.4:22222 to 146.112.83.8:4500 and so on). For example, NAT from 10.0.0.0/24 (all loopback interfaces) to the outside interface address (1.2.3.4) overload (NAT PAT).
Multiple tunnel configuration is similar to single. Use your preferred command-line application for the following steps:
- Add a internal VRF.
!
vrf definition INSIDE
description *** INSIDE INTERFACES ***
!
address-family ipv4
exit-address-family
!
- Configure interfaces and tunnel source interfaces (loopback) NAT.
!
! *** One lookback per tunnel ***
!
interface Loopback1
ip address 192.168.0.1 255.255.255.255
ip nat inside
!
interface Loopback2
ip address 192.168.0.2 255.255.255.255
ip nat inside
!
interface Loopback3
ip address 192.168.0.3 255.255.255.255
ip nat inside
!
interface Loopback4
ip address 192.168.0.4 255.255.255.255
ip nat inside
!
!
! *** GigabitEthernet1 Internet facing interface with NAT outside configuration (lookback traffic
! NATed to this interface) ***
!
interface GigabitEthernet1
description **** OUTSIDE ****
ip address dhcp
ip nat outside
!
!
! *** Inside interface ***
!
interface GigabitEthernet2
description **** INSIDE ****
vrf forwarding INSIDE
ip address dhcp
!
!
! *** Access list matching lookback addresses, used in NAT statement ***
!
ip access-list standard TUNNEL_SOURCES
10 permit 192.168.0.0 0.0.0.255
!
!
! ** NAT traffic from loopback to outside interface address ***
!
ip nat inside source list TUNNEL_SOURCES interface GigabitEthernet1 overload
!
!
- Add the IKEv2 cipher (can change existing proposal or add new) and one IKEv2 and IPsec profile per tunnel as each tunnel will have a different IKEv2 identity (different tunnels in Umbrella dashboard).
!
! *** IKEv2 ciphers ***
!
crypto ikev2 proposal default
encryption aes-gcm-256
integrity sha512 sha384 sha256 sha1
group 19 20
!
!
! *** One IKEv2 profile per tunnel with tunnel identity created in Umbrella dashboard ***
!
crypto ikev2 profile UMB_IKE_PROFILE_T1
match identity remote address 146.112.0.0 255.255.0.0
identity local email [email protected]
authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dpd 10 2 periodic
!
!
crypto ikev2 profile UMB_IKE_PROFILE_T2
match identity remote address 146.112.0.0 255.255.0.0
identity local email [email protected]
authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dpd 10 2 periodic
!
crypto ikev2 profile UMB_IKE_PROFILE_T3
match identity remote address 146.112.0.0 255.255.0.0
identity local email [email protected]
authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dpd 10 2 periodic
!
crypto ikev2 profile UMB_IKE_PROFILE_T4
match identity remote address 146.112.0.0 255.255.0.0
identity local email [email protected]
authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dpd 10 2 periodic
!
!
! *** Maximum IKEv2 packet size to avoid fragmentation in the path ***
!
crypto ikev2 fragmentation mtu 1280
!
!
! *** IPsec ciphers ***
!
crypto ipsec transform-set UMB_IPSEC_TRANSFORM_SET esp-gcm 256
!
!
! *** One IPsec profile per tunnel linking each IKEv2 profile to the transform-set ***
!
crypto ipsec profile UMB_IPSEC_PROFILE_T1
set transform-set UMB_IPSEC_TRANSFORM_SET
set ikev2-profile UMB_IKE_PROFILE_T1
!
crypto ipsec profile UMB_IPSEC_PROFILE_T2
set transform-set UMB_IPSEC_TRANSFORM_SET
set ikev2-profile UMB_IKE_PROFILE_T2
!
crypto ipsec profile UMB_IPSEC_PROFILE_T3
set transform-set UMB_IPSEC_TRANSFORM_SET
set ikev2-profile UMB_IKE_PROFILE_T3
!
crypto ipsec profile UMB_IPSEC_PROFILE_T4
set transform-set UMB_IPSEC_TRANSFORM_SET
set ikev2-profile UMB_IKE_PROFILE_T4
- Configure multiple tunnel interfaces sourced from different loopback interfaces and protected by different IPsec profiles.
Note: All tunnels should go to the same Umbrella data center. ECMP load sharing to different Umbrella data centers is not supported.
!
interface Tunnel1
vrf forwarding INSIDE
ip unnumbered Loopback1
ip tcp adjust-mss 1280
tunnel source Loopback1
tunnel mode ipsec ipv4
tunnel destination 146.112.83.8
tunnel protection ipsec profile UMB_IPSEC_PROFILE_T1
!
interface Tunnel2
vrf forwarding INSIDE
ip unnumbered Loopback2
ip tcp adjust-mss 1280
tunnel source Loopback2
tunnel mode ipsec ipv4
tunnel destination 146.112.83.8
tunnel protection ipsec profile UMB_IPSEC_PROFILE_T2
!
interface Tunnel3
vrf forwarding INSIDE
ip unnumbered Loopback3
ip tcp adjust-mss 1280
tunnel source Loopback3
tunnel mode ipsec ipv4
tunnel destination 146.112.83.8
tunnel protection ipsec profile UMB_IPSEC_PROFILE_T3
!
interface Tunnel4
vrf forwarding INSIDE
ip unnumbered Loopback4
ip tcp adjust-mss 1280
tunnel source Loopback4
tunnel mode ipsec ipv4
tunnel destination 146.112.83.8
tunnel protection ipsec profile UMB_IPSEC_PROFILE_T4
!
- Route the traffic to the Umbrella tunnel through one of the following two options:
- Create multiple static route entries pointing to the different tunnels.
!
ip route vrf INSIDE 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf INSIDE 0.0.0.0 0.0.0.0 Tunnel2
ip route vrf INSIDE 0.0.0.0 0.0.0.0 Tunnel3
ip route vrf INSIDE 0.0.0.0 0.0.0.0 Tunnel4
- Use the policy routing to send the traffic to Umbrella.
Policy routing is slightly different from single tunnel. As in single tunnel, we can match the traffic (match ACL) and set the tunnel as next-hop. In a multi-tunnel deployment. It is not possible to set interface as next-hop. Route-map accepts setting multiple interfaces (set interface Tunnel1 Tunnel2 Tunnel3 Tunnel4), but this does not provide load sharing. It only provides high availability (if interface Tunnel1 is down then use Tunnel2, if Tunnel 1 and 2 is down then use Tunnel 3 and so on). For ECMP, set a fake IP address. Configure static routes to the fake address over all tunnels and use the recursive next-hop in the route-map to set a “remote” next-hop. To find the path to this fake address, the router looks at the routing table.
Four static routes to 10.255.255.255 address one per tunnel interface and route-map setting next-hop 10.255.255.255 fake address.
!
! *** Sample Access List with few possible match statements ***
!
ip access-list extended TRAFFIC_TO_UMB
10 permit ip host 172.16.10.103 any
20 permit ip any any
30 permit tcp any any eq www
!
!
! *** Route-map matching the access list and setting 10.255.255.255 as recursive next-hop ***
!
route-map ROUTE_TO_UMBRELLA permit 10
match ip address TRAFFIC_TO_UMB
set ip next-hop recursive 10.255.255.255
!
! *** To get to 10.255.255.255 the traffic is load shared across the 4 tunnels (CEF) ***
!
ip route vrf INSIDE 10.255.255.255 255.255.255.255 Tunnel1
ip route vrf INSIDE 10.255.255.255 255.255.255.255 Tunnel2
ip route vrf INSIDE 10.255.255.255 255.255.255.255 Tunnel3
ip route vrf INSIDE 10.255.255.255 255.255.255.255 Tunnel4
!
!
! *** Route-map assigned to inside interface ***
!
interface GigabitEthernet2
description **** INSIDE ****
vrf forwarding INSIDE
ip policy route-map ROUTE_TO_UMBRELLA
!
Configure CSR1000V with Umbrella
IOS-XE devices (including CSR1000V) authenticate to Umbrella IPsec headend using a pre-shared key (PSK) and IKEv2 FQDN identity.
- Navigate to Deployments > Core Identities > Network Tunnels and click Add.
- Provide a tunnel name, select ISR as the device type and click Save.
- Under tunnel ID, type a unique tunnel identity (not yet in use by other tunnels), provide a pre-shared key between 16 and 64 characters (the one to be used in CSR1000V VPN configuration) and click Save.
Note: The tunnel lists as “Not Established" until the first IKEv2 INIT message containing the tunnel identity is seen in one of the Umbrella data centers.
For Equal-cost multi-path routing – ECMP (traffic load sharing across multiple tunnels), repeat the steps above and create as many tunnels as the number of tunnels configured in the CSR1000V.
Troubleshoot CSR1000V VPN
- Use the command
show ip interface brief
to confirm the tunnel is up. - If the status is down, the tunnel is shutdown. Navigate to the tunnel interface and enter the command
no shutdown
. - If protocol is down, it means the IKEv2 session failed to negotiate. For more information about troubleshooting the IKE session, see IOS IKEv2 Debugs for Site-to-Site VPN with PSKs Troubleshooting TechNote.
Router-01#show ip interface brief
The output is similar to:
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.0.0.4 YES DHCP up up
GigabitEthernet2 10.0.1.5 YES manual up up
Loopback1 192.168.0.1 YES manual up up
Loopback2 192.168.0.2 YES manual up up
Loopback3 192.168.0.3 YES manual up up
Loopback4 192.168.0.4 YES manual up up
Tunnel1 192.168.0.1 YES TFTP up up
Tunnel2 192.168.0.2 YES TFTP up up
Tunnel3 192.168.0.3 YES TFTP up up
Tunnel4 192.168.0.4 YES TFTP up up
VirtualPortGroup0 192.168.35.101 YES NVRAM up up
Other Resources
GCP Cloud VPN Configuration
Umbrella Cloud Firewall
Cisco Cloud Services Router (CSR) 1000V
- Cisco CSR 1000v Deployment Guide for Microsoft Azure
- IOS IKEv2 Debugs for Site-to-Site VPN with PSKs Troubleshooting TechNote
Configure Tunnels with Oracle Cloud IPsec < Configure Tunnels with Google Cloud Platform IPsec > Configure Tunnels with Sophos XG IPsec
Updated about 1 year ago