itopia offers a module for configuring the VPN for your deployments, so you can easily set up a site-to-site VPN.

When it comes to limitations, Google supports IPsec VPN. Learn more about the features/settings that are compatible with the Google VPN here.

Go to the Cloud Manager section and click the green + sign in the top right corner to configure a new VPN.

Populate the Name (e.g. vpn-1 or v1) and Description fields and click the green + sign to add a new tunnel:

You will get a screen where you enter the Remote peer IP address, which is your client's public IP. You can only use static IPs.

IKE version: IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage. You can learn more here.

Shared secret: a unique key will be generated. Copy it for your records, since you will not be able to retrieve it later.

Remote network IP ranges: The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.

Local IP ranges: Specifies which IP ranges will be routed through the tunnel. The field is already populated for you according to your internal IP subnet.

The rest of the configuration may vary. Below is an example of edge router CLI output (IKEv1):

    vpn {
        ipsec {
            auto-firewall-nat-exclude disable
            esp-group FOO0 {
                proposal 1 {
                    encryption aes128
                    hash sha1
                }
            }
            ike-group FOO0 {
                proposal 1 {
                    dh-group 2
                    encryption aes128
                    hash sha1
                }
            }
            site-to-site {
                peer xxx.xxx.xxx.xxx {
                    authentication {
                        mode pre-shared-secret
                        pre-shared-secret ****************
                    }
                    connection-type initiate
                    description "CAPCOM test vpn"
                    ike-group FOO0
                    local-address xxx.xxx.xxx.xxx
                    tunnel 1 {
                        esp-group FOO0
                        local {
                            prefix xxx.xxx.x.x/xx
                        }
                        remote {
                            prefix xxx.xxx.x.x/xx
                        }
                    }
                }
            }
        }
    }


IKEv2 Phase 1 and 2 settings below:


IKE (Phase 1) Proposal

Exchange: IKEv2

DH Group: Group 2

Encryption: AES-128

Auth: SHA1

Lifetime: 28800

IPsec Phase 2

Protocol: ESP

Encryption: AES-128

Auth: SHA1

Lifetime: 28800
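To catch a proposal mismatch on the peer side before saving, the following added example (not itopia's or the router vendor's code) parses edge-router output in the brace syntax shown above and reports every IKE or ESP proposal value that differs from the Phase 1 and Phase 2 settings listed on this page. The function names and the sample configuration are assumptions made for illustration.

```python
# EXPECTED comes from this page's Phase 1/2 settings; SAMPLE is constructed.
EXPECTED = {"ike-group": {"dh-group": "2", "encryption": "aes128", "hash": "sha1"},
            "esp-group": {"encryption": "aes128", "hash": "sha1"}}

def parse(text):
    """Parse brace-nested 'name {' / 'key value' lines into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            child = stack[-1][line[:-1].strip()] = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]

def mismatches(text):
    """List (group, proposal, key, found, expected) where the router differs."""
    found = []
    for group, body in parse(text)["vpn"]["ipsec"].items():
        if want := EXPECTED.get(group.split()[0]):
            for name, prop in body.items():
                if name.startswith("proposal "):
                    found += [(group, name, k, prop.get(k), v)
                              for k, v in want.items() if prop.get(k) != v]
    return found

SAMPLE = """
vpn {
  ipsec {
    esp-group FOO0 {
      proposal 1 {
        encryption aes128
        hash sha1
      }
    }
    ike-group FOO0 {
      proposal 1 {
        dh-group 14
        encryption aes128
        hash sha1
      }
    }
  }
}
"""
```

Calling `mismatches(SAMPLE)` flags the `dh-group 14` line; a value that is missing from a proposal is reported with `None` as the found value.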


Once saved, it can take from 5 to 15 minutes for the VPN tunnel to be created. In the meantime, the VPN will appear as "Pending update" in itopia CAS.

Note: The process does not open up any firewall rules between your on-prem network and the Google Cloud network. To manage firewall rules, follow our VPN guide for Firewall rules.

Additional resources:

https://cloud.google.com/vpn/docs/how-to/logging?hl=vi

https://cloud.google.com/vpn/docs/resources/troubleshooting
