Skip to main content
To establish a stable, persistent connection between a Google Cloud Platform (GCP) private cloud and your MacStadium private cloud, you need to configure a policy-based IPsec site-to-site VPN between the two clouds. Currently, you can create only a classic VPN connection with policy-based routing from GCP to MacStadium. It consists of one tunnel and one interface and does not provide high availability. For more information about this option, see Google Cloud Documentation: Classic VPN. To create a site-to-site VPN from your GCP private cloud to your MacStadium private cloud, you need to go through the following high-level steps:
  1. Log into GCP
  2. Create the VPN connection

Log into GCP

  1. Log in to the GCP console with your credentials.
  2. In the toolbar at the top, make sure that you’re working with the correct project.
    a12cc63-project-select.png

Create the VPN connection

From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN. 9bd9287-select-vpn_1.png Classic VPN connections in GCP consist of a gateway and tunnel. You can create a gateway and a tunnel at once or you can add a new tunnel to an existing gateway.

Create gateway and tunnel

If you don’t have a classic VPN gateway that you want to use, complete the following steps.
  1. If you don’t have any VPNs created yet, click Create VPN connection.
  2. If you have one or more VPNs created, click + VPN SETUP WIZARD.
  3. Select Classic VPN and click Continue. 
 * The High-availability (HA) VPN is currently not supported as an option. For more information about the available options, see [Google Cloud Documentation: Choosing a VPN option](https://cloud.google.com/vpn/docs/how-to/choosing-a-vpn).
  1. In the Google Compute Engine VPN gateway section, provide Name and Description.
  2. For Network, select the GCP network that needs to be able to access MacStadium.
  3. Select Region. 
 * For more information about this setting, see [Google Cloud Documentation: Regions and Zones](https://cloud.google.com/compute/docs/regions-zones).
  1. Select or create a reserved IP address for the connection.
 * You will need this IP address when you configure the MacStadium side of the tunnel.
  1. In the Tunnels section, provide Name and Description.
  2. For Remote peer IP address, provide the IP address of the public network listed in Appendix B of the IP Plan. 
 * By default, this is the FW1-Outside network.
  1. For IKE version, verify that IKEv2 is selected.
  2. Provide or generate an IKE pre-shared key. 
 * **IMPORTANT** : Keep a record of the pre-shared key. You will need it later.
  1. For Routing options, select Policy-based.
  2. For Remote network IP ranges, provide the IP range in CIDR notation of the private network listed in Appendix A of the IP Plan. 
 * By default, this is the Private-1 network.

 * For more information about CIDR notations, see [Understanding IP Addresses, Subnets, and CIDR Notation for Networking](https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking#cidr-notation). You can also use a CIDR calculator such as this [CIDR/Netmask Lookup Tool](https://www.ultratools.com/tools/netMask).
  1. (Optional) Select one or more GCP subnetworks to reduce latency between your GCP private cloud and your MacStadium private cloud.
 * For more information, see [Google Cloud Documentation: Networks and subnets](https://cloud.google.com/vpc/docs/vpc#vpc_networks_and_subnets).
  1. (Optional) Provide one or more IP ranges within your GCP local network that needs to access MacStadium.
  2. Click Done.
  3. Click Create.
After the creation is complete, the VPN tunnel status is: First handshake.

Example: Create gateway and tunnel

This image shows a sample configuration for the VPN gateway and tunnel. 4e1edd9-create-vpn-gateway-and-tunnel.png

Add a new tunnel to an existing gateway

If you have an existing classic VPN gateway that you want to use for the connection, complete the following steps.
  1. Select Cloud VPN Tunnels and click Create VPN tunnel.
    91f4109-click-create-vpn-tunnel.png
  2. Select the VPN gateway that you want to use and click Continue.
 * **IMPORTANT** : Make sure that you have selected a classic VPN gateway. High-availability gateways are not supported.
  1. Provide Name.
  2. (Optional) Provide Description.
  3. For Remote peer IP address, provide the IP address of the public network listed in Appendix B of the IP Plan. 
 * By default, this is the FW1-Outside network.
  1. For IKE version, verify that IKEv2 is selected.
  2. Provide or generate an IKE pre-shared key. 
 * **IMPORTANT** : Keep a record of the pre-shared key. You will need it later.
  1. For Routing options, select Policy-based.
  2. For Remote network IP ranges, provide the IP range in CIDR notation of the private network listed in Appendix A of the IP Plan. 
 * By default, this is the Private-1 network.

 * For more information about CIDR notations, see [Understanding IP Addresses, Subnets, and CIDR Notation for Networking](https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking#cidr-notation). You can also use a CIDR calculator such as this [CIDR/Netmask Lookup Tool](https://www.ultratools.com/tools/netMask).
  1. (Optional) Select one or more GCP subnetworks to reduce latency between your GCP private cloud and your MacStadium private cloud.
 * For more information, see [Google Cloud Documentation: Networks and subnets](https://cloud.google.com/vpc/docs/vpc#vpc_networks_and_subnets).
  1. (Optional) Provide one or more IP ranges within your GCP local network that needs to access MacStadium.
  2. Click Create.
After the creation is complete, the VPN tunnel status is: First handshake.

Example: Create the VPN gateway and tunnel

This image shows a sample configuration for the VPN connection. 255984c-example-create-tunnel.png

Ensure that the GCP firewall allows ingress traffic

Based on your requirements, you might need to enable ingress traffic from MacStadium to GCP in the GCP firewall. For more information, see Google Cloud Documentation: Configuring firewall rules > Example configurations.

Next steps

If you are ready to proceed with the MacStadium side of the configuration, see Preparing the VPN Configuration for Input into Cisco ASA/ASAv.