Configuring GCP HA VPN with a pfSense firewall (BGP Dynamic Routing)

Pablo Guzmán
5 min read · Jun 21, 2019


Recently we had to configure Google Cloud Platform's Highly Available VPN between our DataCenter and a GCP region, and we were surprised that there weren't any good tutorials about it. I created this article to serve as our own documentation for future reference, hoping it will also help some folks with the same problem!

Setup

In order to make this work you need to have at least two IPs available at your DataCenter’s WAN gateway.

There are a lot of variables involved, and referring to them between the different steps was a mess, so I came up with this table, which you need to fill in before moving forward. I will refer to its cells during the steps using <Category|Key|Location> coordinates, e.g. <General|ASN|GCP> is 4200000000.

Setup Table

Setting up Google Cloud’s VPNs

First you need to have some network in place that you want to connect, that is covered by many other tutorials so I won’t cover that.

To start we go into Hybrid Connectivity -> VPN and select VPN Setup Wizard.

We select HA VPN (a VPN with two endpoints, so that it is highly available).

Then we need to create the GCP gateway; select the correct network and region!

Next we need to create the configuration for the tunnels. First we select that it's an On-Prem gateway and create a new gateway. It's important to set up at least two interfaces to get the HA part of the VPN, so we put <Tunnel1|Gateway|DC> and <Tunnel2|Gateway|DC> in the interface 0 and interface 1 values.

If you haven't created a router yet, create one; for the ASN use <General|ASN|GCP> (4200000000 in my setup).

Next we create the tunnel definitions, one for each of our DataCenter's gateway IPs. Click "generate and copy", then go to your setup table and paste the secret into the <Tunnel1|Shared Secret|> cell. Repeat this step for the second tunnel and save its secret under <Tunnel2|Shared Secret|>.

That screen was a handful! Our setup should now look something like this.

We hit next and come to the BGP configuration. For the first tunnel we set the Peer ASN to our <General|ASN|DC>, then we fill in the Cloud Router BGP IP as <Tunnel1|BGPAddr|GCP> and the BGP peer IP as <Tunnel1|BGPAddr|DC>, both without their netmasks. Then we repeat for the second tunnel with its own data.
After you have done both tunnels, save the Cloud VPN Gateway interface addresses under <Tunnel1|Gateway|GCP> and <Tunnel2|Gateway|GCP>.

And we are done for now! We have created all the VPN configuration in Google Cloud and should get something nice like this. There are red marks and warning signs; that's fine, we haven't set up our DataCenter's endpoint yet.
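Because the same table cells are typed into several screens on both sides, it is easy to paste a netmask where GCP wants a bare IP, reuse a shared secret, or pick BGP addresses that are not in the same /30. The following is an added example (not from the original article) that checks a constructed instance of the setup table, keyed by the article's <Category|Key|Location> coordinates, and derives the netmask-free values for the Cloud Router BGP screen. The ASN ranges, the 169.254.0.0/16 requirement for Cloud Router BGP addresses and all sample values are assumptions made for the example.

```python
import ipaddress

# Constructed <Category|Key|Location> setup table; every value below is made up for this example.
SETUP = {
    ("General", "ASN", "GCP"): 4200000000, ("General", "ASN", "DC"): 65010,
    ("Tunnel1", "Gateway", "DC"): "203.0.113.10", ("Tunnel1", "Gateway", "GCP"): "198.51.100.21",
    ("Tunnel1", "BGPAddr", "GCP"): "169.254.10.1/30", ("Tunnel1", "BGPAddr", "DC"): "169.254.10.2/30",
    ("Tunnel1", "Shared Secret", ""): "constructed-psk-one",
    ("Tunnel2", "Gateway", "DC"): "203.0.113.11", ("Tunnel2", "Gateway", "GCP"): "198.51.100.22",
    ("Tunnel2", "BGPAddr", "GCP"): "169.254.20.1/30", ("Tunnel2", "BGPAddr", "DC"): "169.254.20.2/30",
    ("Tunnel2", "Shared Secret", ""): "constructed-psk-two",
}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # range Cloud Router expects for BGP session IPs

def is_private_asn(asn):
    """RFC 6996 private ranges: 16-bit 64512-65534, 32-bit 4200000000-4294967294."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

def validate(table):
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    for loc in ("GCP", "DC"):
        if not is_private_asn(table[("General", "ASN", loc)]):
            problems.append(f"{loc} ASN is not in a private range")
    if table[("General", "ASN", "GCP")] == table[("General", "ASN", "DC")]:
        problems.append("GCP and DC must use different ASNs (eBGP)")
    seen = {}  # (label, value) -> tunnel, to catch values reused between the two tunnels
    for t in ("Tunnel1", "Tunnel2"):
        gcp = ipaddress.ip_interface(table[(t, "BGPAddr", "GCP")])
        dc = ipaddress.ip_interface(table[(t, "BGPAddr", "DC")])
        if gcp.network != dc.network or gcp.network.prefixlen != 30:
            problems.append(f"{t}: BGP addresses must share one /30")
        if gcp.ip == dc.ip or gcp.ip not in LINK_LOCAL or dc.ip not in LINK_LOCAL:
            problems.append(f"{t}: BGP addresses must be distinct 169.254.0.0/16 hosts")
        for label, value in (("DC gateway", table[(t, "Gateway", "DC")]),
                             ("BGP /30", str(dc.network)),
                             ("shared secret", table[(t, "Shared Secret", "")])):
            if not value:
                problems.append(f"{t}: {label} is empty")
            elif (label, value) in seen:
                problems.append(f"{t}: {label} reused from {seen[(label, value)]}")
            seen[(label, value)] = t
    return problems

def gcp_bgp_session(table, tunnel):
    """Fields for the Cloud Router BGP screen: the session IPs go in without their netmask."""
    gcp = ipaddress.ip_interface(table[(tunnel, "BGPAddr", "GCP")])
    dc = ipaddress.ip_interface(table[(tunnel, "BGPAddr", "DC")])
    return {"cloud_router_ip": str(gcp.ip), "peer_ip": str(dc.ip),
            "peer_asn": table[("General", "ASN", "DC")]}
```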

Setting up PfSense VPNs

To begin we need to install the OpenBGPD package, so go into your packages options, find it and install it.

foreach (["Tunnel1", "Tunnel2"] as $tunnel) { // you should get this, right?

We go into the IPSec configuration and add a new Phase 1:

  • Interface: <$tunnel|Gateway|DC> (This is a Virtual IP on your WAN gateway with the corresponding address)
  • Key Exchange Version: IKEv2
  • Remote Gateway <$tunnel|Gateway|GCP>
  • Pre-Shared Key: <$tunnel|Shared Secret|>

Now we need to set up the BGP Phase 2:

  • Mode: Routed (VTI) (Available since 2.4.4)
  • Local Network: <$tunnel|BGPAddr|DC>
  • Remote Network: <$tunnel|BGPAddr|GCP>

We now click save and apply the changes. Then we check the IPSec diagnostics and the Google Cloud console, and we should have an established connection!

Now we need to create an alias IP so our pfSense knows that when GCP asks for the BGP peer, it should answer. Go to Firewall > Virtual IPs:

  • Interface: Localhost
  • Address(es): <$tunnel|BGPAddr|DC>

} // now go back up and repeat for the second tunnel!

Setting up PfSense BGPs

Now we go for the BGP configuration in Services > OpenBGP > Config. This part was really tricky, as the interface works awkwardly, and I ended up modifying the RAW Configuration, so I suggest you start there and save yourself the headache; here's the link for a doc containing the template.

After saving that configuration you should check that everything is working.
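To give an idea of what the RAW Configuration ends up containing, here is an added example (not the author's template, and not generated by the pfSense package) of an OpenBGPD bgpd.conf for the two sessions, using the constructed values 65010 for <General|ASN|DC>, 169.254.10.2/30 and 169.254.20.2/30 for <Tunnel1|BGPAddr|DC> and <Tunnel2|BGPAddr|DC>, 169.254.10.1 and 169.254.20.1 for the GCP side, and 10.10.0.0/16 as the DataCenter prefix to advertise; adapt the keywords to the OpenBGPD version your package ships if the config editor rejects them. The filter block at the end only accepts routes from the two Cloud Router peers, so a stray neighbour cannot inject prefixes.

```conf
# Assumed OpenBGPD configuration for the pfSense side (example values only).
AS 65010
router-id 203.0.113.10
fib-update yes
holdtime 90
listen on 169.254.10.2
listen on 169.254.20.2

# DataCenter prefix announced to both Cloud Router sessions
network 10.10.0.0/16

neighbor 169.254.10.1 {
	descr "gcp-tunnel1"
	remote-as 4200000000
	local-address 169.254.10.2
	announce all
}

neighbor 169.254.20.1 {
	descr "gcp-tunnel2"
	remote-as 4200000000
	local-address 169.254.20.2
	announce all
}

# Default deny, then allow only the two Cloud Router peers in both directions
deny from any
deny to any
allow from 169.254.10.1
allow to 169.254.10.1
allow from 169.254.20.1
allow to 169.254.20.1
```

With both sessions established, the GCP subnet should appear in the pfSense routing table via both VTI interfaces, which is what lets the failover in the last section work.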

Finishing up: firewall rules

We are almost there! Everything is set up, but traffic still can't go through because you hopefully have strict firewall rules and need to add an exception. In brief, go to your pfSense's Firewall > Rules > IPSec and add a rule allowing traffic whose source is your GCP network's range, then go to GCP > VPC Network > Firewall rules and add a rule allowing traffic whose source is your DataCenter network's range.

Now go ahead and test it out! You should be able to shut down either VPN connection (disabling their Phase 2) and the traffic will get routed through the other.
