
I have the following topology:

On-prem (EU) -> VPN Classic TUNNEL -> GCP -> VPN Dynamic (BGP) TUNNEL - On-prem (AMER).

And I would like to connect both on-prem sites using the GCP tunnels.

A very friendly colleague told me (in the GCP forum) that it is possible to do it using Advertising custom IP ranges. However, I'm not sure if it is applicable to the VPN between On-prem (EU) and GCP because Classic VPN is in use (not BGP). Is it possible, and any idea how to do it?

Dave M
Cova

3 Answers


It would be possible, but you would need to add your AMER routes onto your on-prem EU route-based tunnel and also include your EU on-prem routes in your BGP tunnel.

Additionally, you must add GCP Firewall rules in order to allow traffic between those 2 GCP tunnels.

You should be able to communicate between your on-prems as long as your on-prem hardware has the appropriate routes / firewall rules.

Keep in mind that there's no NATting here unless you implement a 3rd-party solution.

Edit: I replicated this to a certain extent (as I don't have your on-prem hardware or physical locations, my AMER and EU on-prem consist of different GCP projects to simulate this).

I have the following topology:

on-prem AMER <-BGP-VPN--> GCP <-Route-Based-VPN--> on-prem EU

I have added the needed GCP Firewall rules to allow this, and I defined the EU route onto my GCP BGP session as this is not done automatically; with that, it's possible to ping from AMER to EU.

At this point it would be better to reach out to GCP support in order to look specifically in your GCP project (expect being asked for packet captures on your on-prem hardware), but if this is an on-prem config issue then it would be better to reach out to your hardware support in order to configure this.

Screenshots (not reproduced here): amer-bgp, amer-routes, amer-tunnel, eu-routes, eu-tunnel, gcp-bgp, gcp-routes, gcp-tunnel-1, gcp-tunnel-2, gcp-tunnels

Frank
  • Hi. Not able to connect even after adding the AMER route to the on-prem tunnel (Fortigate) and adding the EU on-prem routes in the BGP tunnel. Both VPN tunnels are working because I'm able to connect on-prem EU to GCP and GCP to on-prem AMER. – Cova Nov 02 '20 at 15:29
  • On-premise EU (Fortigate) -> added on-premise AMER CIDR: 172.79.20.0/24. GCP Classic Tunnel -> added on-premise EU CIDR (192.168.100.0). GCP Dynamic BGP -> added Advertised custom IP range EU CIDR (192.168.100.0). What am I missing? – Cova Nov 02 '20 at 15:42
  • Edited my answer in order to take into consideration the additional information. – Frank Nov 03 '20 at 20:49
  • Can you share the print screen of your setup? Is it possible? – Cova Nov 04 '20 at 10:05
  • Shared. As mentioned, please contact GCP support in order to get a deeper solution for GCP, or Fortigate for your on-prem hardware. Public IPs will be deleted shortly after. – Frank Nov 05 '20 at 00:28
  • Because Google announced that we should migrate from Classic to HA VPN, we migrated the VPN between on-prem EU and GCP to Dynamic + BGP. I currently have the tunnel up with the BGP session established. I added a route to the on-prem AMER in Fortigate. In BGP AMER I added the CIDR of the on-prem EU subnets. After this setup is done, it still doesn't work. Is there a way to communicate more directly with you? – Cova Nov 05 '20 at 23:28
  • Yes, they recommend using HA (even with only 1 tunnel) over anything else because of the future deprecation. It seems that it will start slowly, as they mention only new Classic VPNs will not be supported at that time, but existing ones will continue for the time being (until they give a new date); some devices don't support BGP, so they have to use route / policy based VPN. Server Fault is a public website with no private messaging in it. In response to your question, it would be better if you contact GCP support if the problem is there, or your hardware support if the issue is on your devices. – Frank Nov 06 '20 at 23:16

Just to clarify.

What you are saying is:

  • to recreate the tunnel and, in Routing options -> Route-based -> Remote network IP ranges, in addition to the IPs of the subnets on-prem EU, also include the IPs of the subnets on-prem AMER?

Is it not possible to add these routes to the current tunnel (without re-creating it)?

Thanks

Cova
  • For Route-based this is not needed; I was covering the Policy-based scenario (I will update my answer), but you would need to add the routes manually on your on-prem EU router to include your AMER on-prem. For BGP, yes, you can add those routes there like that. – Frank Oct 30 '20 at 16:21

Not able to connect. What I did:

  • On-premise EU (Fortigate) -> added on-premise AMER CIDR: 172.79.20.0/24
  • GCP Classic Tunnel -> added on-premise EU CIDR (192.168.100.0/24)
  • GCP Dynamic BGP -> added Advertised custom IP range EU CIDR (192.168.100.0/24)

What am I missing?

Thanks

Cova