Netgate Discussion Forum

    Routed IPSec (VTI) and Google Cloud

IPsec
7 Posts 2 Posters 2.1k Views
tman222

      Hi all,

I was able to successfully set up an IPSec policy-based VPN tunnel between my pfSense box and Google Cloud (GCP) today using Google's Cloud VPN:

      https://cloud.google.com/vpn/docs/

Tonight I tried to see whether I could get Routed IPSec to work, since pfSense now supports it in 2.4.4 and Google supports creating route-based VPNs:

      https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html
      https://cloud.google.com/vpn/docs/how-to/creating-route-based-vpns

However, I'm not quite sure how to set this up properly to get it to work. Where I'm stuck in particular is how to create the transit network. It seems I can't just arbitrarily pick an unused local subnet; it needs to be the same and supported on both sides (local and destination). In fact, I tried this at first, e.g. picking a somewhat arbitrary subnet like 192.168.77.1/30 and 192.166.77.2 for the Phase 2 parameters of routed IPSec. However, I was never able to pass any traffic to the Google compute instances unless I first set up a static route using the 192.168.77.2 gateway to the subnet the compute instances reside on. I also had to set up routes on the Google side for the compute instances to communicate with machines on subnets behind my pfSense box. All the while, 192.167.77.2 as a gateway was not pingable.

My guess is all this work isn't necessary if things are set up properly :). However, all I have to work with on the Google side is the VPC network for the compute instances, e.g. let's say that network is 10.1.0.0/20. Does anyone have any idea how to properly set up a transit network with GCP? Do I need to set up a separate VPC network or leverage the 10.1.0.0/20 network somehow? Or is it not possible to set up at this time?

      Thanks in advance for any insight you can provide, I really appreciate it.

tman222

Well, I tried this morning to get dynamic routing to work using the pfSense OpenBGPD package and by setting up a GCP cloud router attached to the VPN endpoint on the GCP side. This also was a success and traffic can pass without any issues. I just adapted steps from this guide to work with GCP instead of AWS:

        http://www.1strategy.com/blog/2017/08/29/tutorial-using-pfsense-as-a-vpn-to-your-vpc/

        It would still be great if I could still get routed IPSec (VTI) to work somehow, but otherwise I'll stick with dynamic routing for now since it's a better option than using a policy based VPN or just static routing.

Derelict LAYER 8 Netgate

          If you are doing any new deployments, use the FRR package, not OpenBGPd.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

tman222

            Thanks @Derelict. I tried getting the same setup to work tonight using FRR and could never get a connection to the peer established. With OpenBGPD everything worked fine.

Google Cloud forces one to use 169.254.x.x addresses to set up the BGP session. So, let's assume I have the following for the BGP route:

169.254.40.1 - GCP
169.254.40.2 - pfSense

            I added 169.254.40.1 as the neighbor IP along with the private ASN I chose under BGP Neighbors settings. Then I added 169.254.40.2 in the Router ID under Global Settings. Finally, I added my local subnets under Networks to Distribute in the BGP section along with the local private ASN I chose. Then I started up FRR and BGP.

I have a working IPSec tunnel to GCP, but for some reason I am not able to pass traffic between 169.254.40.1 and 169.254.40.2 to create the necessary routing table entries.

I feel like I'm missing something obvious, but I can't quite put my finger on it. Are there any log files I can take a look at, and if so, do you know where they are located?

            Thanks in advance for your help.

tman222

              Update:

              Well, it was something simple: I forgot to configure the "Update Source" under BGP Neighbor to be the virtual IP of the local end of the tunnel (e.g. 169.254.40.2). Once that was setup everything worked like a charm!

Of course, had I watched Jim's video until the end in the first place vs. stopping after the BGP configuration somewhere in the middle, I would have seen the AWS VPC configuration bonus slide around minute 66 and saved myself 1.5 hours of frustration last night :).

              https://www.youtube.com/watch?v=4IlKcB17rWk

              Thanks again for the info on FRR. It has a ton of options to configure, which makes it look daunting, but thankfully a basic setup doesn't require all that much configuration.

Derelict LAYER 8 Netgate

                Excellent. Glad you got it going. FRR is definitely the path forward.


tman222

I just wanted to follow up on this thread quickly and mention that I did get routed IPSec (VTI) to work with Google Cloud Platform using dynamic routing. For the P2 IP addresses, one just has to use the link-local IPs provided for the BGP session (e.g. 169.254.40.1 and 169.254.40.2 in my example) and things will work fine and routes get exchanged between Google Cloud and pfSense. This article provided me with the hint:

                  https://cloud.google.com/community/tutorials/using-cloud-vpn-with-checkpoint
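The pfSense-side FRR BGP configuration that the two fixes in this thread converge on (the VTI Phase 2 addresses being the 169.254.40.x link-local pair, and the neighbor sourced from the local end of that pair), written out here as an added example; it is not the poster's exported config or Netgate's documentation. The ASNs and the distributed LAN prefix are assumptions, since the thread names neither.

```frr
! Added example: bgpd configuration for the pfSense end of the GCP VTI tunnel.
! Assumed values (not from the thread): local private ASN 65001, GCP Cloud Router
! ASN 65000, one LAN prefix 192.168.1.0/24 to advertise. The link-local pair is the
! one from the posts: 169.254.40.2 is the VTI address on pfSense, 169.254.40.1 is GCP.
router bgp 65001
 bgp router-id 169.254.40.2
 ! Newer FRR releases refuse to exchange eBGP routes until a policy is applied;
 ! this disables that requirement so the advertised LAN prefix is actually sent.
 no bgp ebgp-requires-policy
 neighbor 169.254.40.1 remote-as 65000
 ! This is the "Update Source" setting the poster had left unset: the session
 ! must be sourced from the local link-local address on the VTI, or it never
 ! reaches Established.
 neighbor 169.254.40.1 update-source 169.254.40.2
 !
 address-family ipv4 unicast
  ! Equivalent of "Networks to Distribute" in the pfSense FRR GUI (assumed prefix).
  network 192.168.1.0/24
  neighbor 169.254.40.1 activate
 exit-address-family
```

Confirm the session from the pfSense shell with `vtysh -c "show ip bgp summary"`: the 169.254.40.1 neighbor should show a prefix count rather than a state of Active or Connect, and the GCP subnet should then appear in `show ip route bgp`.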
