Hello,
I have a Firewall VM on GCP that is deployed behind an external load balancer (L3, passthrough). ALL incoming traffic comes to the external LB and is directly forwarded to the Firewall VM for filtering. My objective is to have an IPSec tunnel between the on-premise firewall and the cloud firewall.
What IP should be used? The static NAT of the VPC where the Firewall VM is deployed OR the external Load balancer frontend IP?
PS: I don't use Cloud VPN.
I want to understand how the VPN is mounted, who initiates the connection, etc.?
thanks
Hi @LinaBen,
Welcome to Google Cloud Community!
It is recommended to use the external load balancer's frontend IP address for the IPSec tunnel.
External passthrough Network Load Balancers can receive traffic from:
The on-premises firewall needs to reach your GCP firewall. Since all traffic destined for your GCP firewall must go through the external load balancer, the load balancer's IP is the only publicly accessible address for your GCP firewall. The external load balancer's frontend IP is the IP address that receives external (ingress) traffic and forwards it to your firewall VM.
Cloud NAT provides network address translation (NAT) for outbound traffic to the internet, Virtual Private Cloud (VPC) networks, on-premises networks, and other cloud provider networks. It primarily handles egress traffic from the private subnet to the internet. Using the VPC's NAT IP for the IPSec tunnel is not recommended because it's not directly routable from the internet.
Initiation is coming from your on-prem resources to the IPSec tunnel going to the GCP network (load balancer, then firewall VM). Your on-premises firewall and your GCP Firewall VM must have correctly configured IPSec parameters (pre-shared key, algorithms, etc.).
I hope the information above is helpful.
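As an added illustration (not part of the answer above or of any Google-provided configuration), this is what the on-premises side of the setup described in the answer looks like in strongSwan's swanctl.conf: the on-prem firewall initiates toward the load balancer's frontend IP, authenticates with a pre-shared key, and uses explicit IKE identities so the cloud firewall VM, whose NIC carries a private address, is matched by the load balancer IP it is reached on. Every address, subnet, proposal and the PSK below are placeholders, and it assumes the passthrough load balancer already forwards ESP and UDP 500/4500 to the firewall VM.

```conf
# Added example: strongSwan swanctl.conf for the ON-PREMISES firewall.
# All IPs, subnets and the PSK are placeholders (assumptions, not real values).
connections {
    gcp-fw {
        version = 2                        # IKEv2
        local_addrs  = 203.0.113.10        # on-prem firewall public IP (placeholder)
        remote_addrs = 198.51.100.20       # load balancer FRONTEND IP, not the Cloud NAT IP (placeholder)
        proposals = aes256gcm16-prfsha384-ecp384   # IKE proposal; must match the GCP firewall VM
        dpd_delay = 30s                    # dead peer detection keeps a dropped tunnel from lingering
        local {
            auth = psk
            id = 203.0.113.10              # explicit identity; the GCP side must expect this value
        }
        remote {
            auth = psk
            id = 198.51.100.20             # identity the firewall VM must present: the LB IP,
                                           # not its private NIC address
        }
        children {
            onprem-to-vpc {
                local_ts  = 10.10.0.0/16   # on-prem LAN (placeholder)
                remote_ts = 10.128.0.0/20  # VPC subnet behind the firewall VM (placeholder)
                esp_proposals = aes256gcm16-ecp384   # ESP proposal with PFS; must match the GCP side
                start_action = start       # on-prem brings the tunnel up, as the answer describes
                dpd_action = restart       # re-initiate from on-prem if the peer stops answering
            }
        }
    }
}
secrets {
    ike-gcp {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "REPLACE-WITH-A-STRONG-PRESHARED-KEY"   # placeholder; use a long random PSK
    }
}
```

The firewall VM side mirrors this with the same proposals and PSK, `start_action = none` or `trap` (it only responds), and its local identity set to the load balancer IP so the `remote.id` above matches.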
Hello @diannemcm
Thank you so much for your help. It is clearer for me now to do the conf.
Best regards,