Cato Networks Knowledge Base

Setting Up Redundant VPN Tunnels to Google Cloud Platform (GCP)

  • Updated

GCP recently released a new HA option for VPN gateway. If redundant VPN gateway is chosen, it provides two IP addresses for maximum resiliency. BGP activation is required to monitor which tunnel is active. 

This is Cato's recommendation for the most resilient connection to GCP. 

Step 1
In the Cato Management Application, navigate to Configuration > Global Settings < IP Allocation. In the Select locations box, use the drop-down menu to select a different PoP location than the one that already exists. The IP that is allocated will appear on the right side. Take note of the IP address - you'll need to enter it in the GCP configuration.

mceclip0.png

Step 2

In GCP, navigate to the Hybrid Connectivity → VPN → Cloud VPN GatewayCreate a new VPN gateway:
mceclip1.png

Now fill in the details:

  • Name - Identifiable name for the Gateway
  • VPC Network - This is your VPC
  • Region - The Geographical Region you want the gateway creating in 

Pay attention that it will create two IP addresses as stated:
mceclip3.png

Step 3

Navigate to Peer VPN Gateways and create a new VPN gateway. Make sure to select two interfaces under Interfaces section.

mceclip4.png

  • Interface 0 IP address: type in the IP of the primary PoP IP (step 1)
  • Interface 1 IP address: type in the IP of the backup PoP IP (step 1)

 

Step 4

Now you must create a Cloud Router that will manage BGP peering. BGP is required for prioritizing which tunnel is active and which is backup.

Go to Hybrid Connectivity → Cloud Routers and create a new Router.

For Google ASN use private ASN value (RFC 1918): 64512 to 65535.

Step 5

Go back to VPN section and choose Cloud VPN Gateway. Click the recently created VPN gateway and choose Add VPN tunnel. Under peer VPN gateway choose VPN peer (Cato PoPs) and make sure Create a pair of VPN tunnels is selected under High Availability. In Cloud Router choose the recently created Cloud Router.

Now, at the bottom, it forces you to edit two VPN tunnels. Click on each one of them and enter the details:

mceclip5.png

Fill the name for each tunnel (master/ backup) and choose a pre-shared key.

Once complete, the wizard will prompt for BGP configuration. For each tunnel configure the relevant BGP settings:

  • Name - just a name for the BGP peering
  • Peer ASN - BGP ASN you would like to assign to Cato side
  • MED - 100 for primary tunnel and 110 for backup
  • Cloud Router BGP IP - Router IP on GCP side
    • Must belong to the same /30 CIDR within 169.254.0.0/16
    • Can't use the broadcast or network IP addresses on those /30 networks
  • BGP Peer IP - Router IP on Cato side

Step 6

Go back to the Cato Management Application and create IPsec IKEv2 site type. Use the following site configuration:

IPsec IKEv2 Section

  • Service Type: choose Generic. 
  • Primary/ Secondary Source (Egress) IP: select the IP address allocated in step 1.
  • Primary/ Secondary Destination IP: enter the Cloud VPN Gateway IP addresses from the GCP.
  • Set/Change Primary/ Secondary Password: Enter the Pre-Shared Key that you specified for each tunnel.

BGP

  • Create two BGP peers for Master and Backup. 
  • Neighbor ASN and IPs as configured in GCP.
  • Metrics: for master, BGP specify 100 and for the backup 110.
  • Hold Time and Keepalive intervals can be changed to 30 and 10 respectively for faster convergence.
  • Routing - do not Accept any routes from GCP. Subnets behind GCP should be configured in Networks section just like with regular Cato sites. For advertising, you can choose between Default Route (one 0.0.0.0/0 route - WAN + Internet over Cato) and All Routes (all networks in your Cato account will be advertised to GCP - WAN traffic only).

Step 7

Shortly after saving the configuration in the Cato Management Application, you should see Established status for BGP and VPN of the two tunnels under Cloud VPN Tunnels in GCP:
mceclip7.png

Was this article helpful?

5 out of 5 found this helpful

Comments

0 comments

Please sign in to leave a comment.