Skip to main content
GCP VPN Gateway and Tunnel Setup

Help with VPN Gateway and Tunnel setup on GCP

Craig Medland avatar
Written by Craig Medland
Updated over a week ago

itopia offers a module to configure the VPN on Google Cloud Platform (GCP) for your deployments, where site-to-site VPN can easily be setup. 

Specifically, GCP supports IPsec VPN.  Learn more about the features/settings of GCP's VPN here.

NOTE:  VPN costs are isolated to GCP.  itopia doesn't charge for VPNs.  For more itopia pricing info, check details here.

Go to Cloud Manager sections and click on the + CREATE button in the top left corner to configure new VPN.

Populate the Name (e.g. vpn-1 or v1) and Description field and click on the + CREATE button to add a new tunnel:

You will get a screen to insert Remote peer IP address which would be your client’s public IP. You can only use static IPs.

IKE version: IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateways can manage. You can learn more here.

Shared secret: a unique key will be generated and should be copied for your records since you will not be able to retrieve it later.

Remote network IP ranges: The range, or ranges, of the peer network, which is the network on the other side of the tunnel from the Cloud VPN gateway you are currently configuring.

Local IP ranges: Specifies which IP ranges will be routed through the tunnel and the field is already populated for you according to your Internal IP subnet.

The rest of the configuration may vary, below is an example of edge router CLI output (IKEv1): 

vpn {

ipsec {

auto-firewall-nat-exclude disable

esp-group FOO0 {

proposal 1 {

encryption aes128

hash sha1



ike-group FOO0 {

proposal 1 {

dh-group 2

encryption aes128

hash sha1



site-to-site {

peer {

authentication {

mode pre-shared-secret

pre-shared-secret ****************


connection-type initiate

description "CAPCOM test vpn"

ike-group FOO0


tunnel 1 {

esp-group FOO0

local {


remote {






IKEv2 Phase 1 and 2 settings below:

IKE (Phase 1) Proposal

Exhange - IKEv2

DH Group: Group 2

Encryption: AES-128

Auth: SHA1

28800 Lifetime

IPSEc Phase 2

Protocol - ESP

Encryption - AES-128

Auth- SHA1

Lifetime: 28800

Once saved, it can take from 5 to 15 minutes for the VPN tunnel to get created. In the meantime, the VPN will appear as "Pending update" in itopia CAS.

Note1: The process does not open up any firewall rules between your on-prem network and the Google Cloud network. To manage firewall rules, follow our VPN guide for Firewall rules.

Note2: When deleting a deployment, our system will delete all the VPNs inside the related GCP project that were created by CAS (those that have a name starting with "VPN-clientcode"). VPNs created in CAS prior to 7/26/2019 will need to be deleted manually when deleting the deployment/ project.

Additional resources:

Did this answer your question?