---
title: VPN Setup Guide (GCP)
---

# VPN Setup Guide — E2E Cloud to Google Cloud Platform

## Introduction

This guide provides a complete step-by-step walkthrough for configuring a Site-to-Site IPsec VPN between an E2E Cloud FortiGate Firewall and Google Cloud Platform (GCP). Once configured, private resources in your E2E Cloud VPC can communicate directly and securely with resources in your GCP VPC over an encrypted IPsec tunnel.

![E2E Cloud to Google Cloud VPN Architecture](../network/vpc_images/vpn_gcp/gcp_vpn-000.png)

---

## Before You Begin

Ensure the following are in place before starting:

- A FortiGate Firewall already deployed and running on E2E Cloud (status: **Running**). See [Create a Firewall](./firewall) for setup instructions.
- The **public IP** of your FortiGate (available from the E2E Cloud Console under Network → Firewall).
- The **private CIDR** of your E2E Cloud VPC (e.g., `10.11.14.0/23`).
- Access to the GCP Console with permissions to manage VPC, Compute Engine, and VPN resources.

:::info VPN Type
This guide uses **Classic VPN** with static (policy-based) routing, which is compatible with FortiGate. HA VPN requires BGP dynamic routing and is out of scope for this guide.
:::

---

## Part 1 — Google Cloud Configuration

### Step 1 — Create a VPC Network

1. Sign in to the [Google Cloud Console](https://console.cloud.google.com).
2. In the left sidebar, navigate to **VPC network → VPC networks**.

   ![Navigate to VPC Networks](../network/vpc_images/vpn_gcp/gcp_vpn-001.png)

3. Click **Create VPC network**.

   ![Create VPC Network button](../network/vpc_images/vpn_gcp/gcp_vpn-002.png)

4. Configure the network:
   - **Name**: `e2e-gcp`
   - **Subnet creation mode**: Custom

   ![VPC Network name](../network/vpc_images/vpn_gcp/gcp_vpn-003.png)

5. In the **New subnet** section, configure:
   - **Name**: `e2e-gcp`
   - **Region**: `asia-south1 (Mumbai)` — select the region closest to your workload
   - **IP range**: `10.128.0.0/20`

   ![Subnet configuration](../network/vpc_images/vpn_gcp/gcp_vpn-004.png)

6. Click **Create**. Once created, the subnet details page confirms the network is ready.

   ![Subnet created](../network/vpc_images/vpn_gcp/gcp_vpn-005.png)

:::note
The GCP VPC subnet CIDR (`10.128.0.0/20`) must not overlap with your E2E Cloud VPC CIDR (`10.11.14.0/23`).
:::

---

### Step 2 — Create a Test Virtual Machine in GCP

This VM will be used to verify connectivity through the VPN tunnel after setup.

1. Navigate to **Compute Engine → VM instances**.

   ![Navigate to VM Instances](../network/vpc_images/vpn_gcp/gcp_vpn-006.png)

2. Click **Create instance**.

   ![Create instance button](../network/vpc_images/vpn_gcp/gcp_vpn-007.png)

3. Configure the instance:
   - **Name**: `e2e-gcp-test-vm`
   - **Region**: `asia-south1 (Mumbai)` — same region as the VPC subnet

   ![Instance name and region](../network/vpc_images/vpn_gcp/gcp_vpn-008.png)

4. In the **Networking** section, attach the instance to the VPC created in Step 1:
   - **Network**: `e2e-gcp`
   - **Subnetwork**: `e2e-gcp IPv4 (10.128.0.0/20)`

   ![Attach VM to VPC](../network/vpc_images/vpn_gcp/gcp_vpn-009.png)

5. Click **Create**. Wait 1–2 minutes for the VM to reach the **Running** state.
6. Note the **Internal IP** (e.g., `10.128.0.2`) — you will use this to test connectivity later.

   ![VM running with private IP](../network/vpc_images/vpn_gcp/gcp_vpn-010.png)

---

### Step 3 — Reserve a Static Public IP Address

The Classic VPN Gateway requires a static external IP address.

1. Navigate to **VPC network → IP addresses**.
2. Click **Reserve external**.

   ![Reserve external IP button](../network/vpc_images/vpn_gcp/gcp_vpn-011.png)

3. Configure:
   - **Name**: `vpn-gateway`
   - **Type**: Regional
   - **Region**: `asia-south1 (Mumbai)`
4. Click **Reserve**.
   ![Reserve static IP form](../network/vpc_images/vpn_gcp/gcp_vpn-012.png)

5. The reserved IP (e.g., `34.100.222.133`) appears in the IP addresses list. Note this address — it will be assigned to the VPN Gateway.

   ![Static IP reserved](../network/vpc_images/vpn_gcp/gcp_vpn-013.png)

---

### Step 4 — Create a Classic VPN Gateway and Tunnel

1. In the search bar, search for **VPN** and navigate to **Network Connectivity → VPN**.

   ![Search VPN](../network/vpc_images/vpn_gcp/gcp_vpn-014.png)

2. Click **Create VPN connection**.
3. Select **Classic VPN** and click **Continue**.

   ![Select Classic VPN](../network/vpc_images/vpn_gcp/gcp_vpn-015.png)

4. Configure the **VPN Gateway**:
   - **Name**: `e2e-gcp`
   - **Network**: `e2e-gcp`
   - **Region**: `asia-south1 (Mumbai)`
   - **IP address**: `vpn-gateway` (the static IP reserved in Step 3)

   ![Configure VPN Gateway](../network/vpc_images/vpn_gcp/gcp_vpn-016.png)

5. In the **Tunnels** section, configure the VPN tunnel:
   - **Tunnel name**: `e2e-gcp-tunnel`
   - **Remote peer IP address**: Public IP of your E2E FortiGate Firewall
   - **IKE version**: IKEv2
   - **IKE pre-shared key**: Enter a secure key or click **Generate**. Record this key — you will enter the same key on the FortiGate.
   - **VPN cipher selection**: Select **Custom**

   ![Configure VPN Tunnel](../network/vpc_images/vpn_gcp/gcp_vpn-017.png)

6. Configure the ciphers as follows:

   | Phase | Parameter | Value |
   |---|---|---|
   | **IKE Phase 1** | Encryption | AES-GCM-16-256 |
   | **IKE Phase 1** | PRF | PRF-HMAC-SHA2-256 |
   | **IKE Phase 1** | Diffie-Hellman Group | modp_2048 (Group 14) |
   | **IKE Phase 2** | Encryption | AES-GCM-16-256 |
   | **IKE Phase 2** | PFS | modp_2048 (Group 14) |

   ![Cipher selection — Phase 1 and Phase 2](../network/vpc_images/vpn_gcp/gcp_vpn-018.png)

:::warning
The Phase 1 and Phase 2 cipher settings on GCP **must match exactly** the settings configured on the FortiGate in Part 2. Mismatched ciphers are the most common cause of tunnel failure.
:::

7. Configure routing:
   - **Routing option**: Policy-based
   - **Remote network IP ranges**: E2E Cloud VPC CIDR (e.g., `10.11.14.0/23`)
   - **Local subnetworks**: `e2e-gcp`
   - **Local IP ranges**: `10.128.0.0/20`

   ![Routing options](../network/vpc_images/vpn_gcp/gcp_vpn-019.png)

8. Click **Create**. The VPN gateway and tunnel are created.

   ![VPN Gateway created](../network/vpc_images/vpn_gcp/gcp_vpn-020.png)

:::note
Record the following before moving to Part 2:
- GCP VPN Gateway Public IP Address
- Pre-Shared Key (PSK)
- GCP VPC Subnet CIDR (`10.128.0.0/20`)
:::

---

### Step 5 — Verify the VPN Route

1. Navigate to **VPC network → Routes**.
2. Select network `e2e-gcp` and region `asia-south1`, then click **View**.
3. Verify that a static route for the E2E Cloud CIDR (e.g., `10.11.14.0/23`) exists with **Next hop: VPN tunnel (e2e-gcp-tunnel)**.

   ![VPN route verification](../network/vpc_images/vpn_gcp/gcp_vpn-021.png)

:::note
The route may show a warning — *"Next hop VPN tunnel is not in the ESTABLISHED state"*. This is expected at this stage. The warning disappears once the FortiGate tunnel is configured and the connection is established.
:::

---

### Step 6 — Configure Firewall Rules in GCP

This rule allows traffic from the E2E Cloud VPC to reach GCP resources through the VPN tunnel. Without this rule, the tunnel may connect but GCP will silently block all inbound traffic.

1. Navigate to **VPC network → Firewall** (via the left sidebar).

   ![Navigate to Firewall](../network/vpc_images/vpn_gcp/gcp_vpn-022.png)

2. Click **Create firewall rule**.

   ![Create firewall rule](../network/vpc_images/vpn_gcp/gcp_vpn-023.png)

3. Configure the rule:

   | Field | Value |
   |---|---|
   | **Name** | `e2e-vpc` |
   | **Network** | `e2e-gcp` |
   | **Direction of traffic** | Ingress |
   | **Action on match** | Allow |
   | **Targets** | All instances in the network |
   | **Source IPv4 ranges** | E2E Cloud VPC CIDR (e.g., `10.11.14.0/23`) |
   | **Protocols and ports** | TCP: 22, 80, 443 and ICMP |

   ![Firewall rule configuration](../network/vpc_images/vpn_gcp/gcp_vpn-024.png)

4. Click **Create**.

:::note
Add additional ports as required by your application. Port 22 is needed for SSH testing; ports 80 and 443 for web traffic.
:::

GCP configuration is complete. Proceed to configure the FortiGate on the E2E Cloud side.

---

## Part 2 — FortiGate Configuration (E2E Cloud Side)

### Step 1 — Access the FortiGate Firewall

1. Note the **Public IP** of your FortiGate from the E2E Cloud Console under **Network → Firewall**.
2. Open a browser and navigate to `https://<FortiGate-public-IP>`.
3. Log in using:
   - **Username**: `admin`
   - **Password**: Sent to your E2E Cloud account's registered email address

   ![FortiGate login page](../network/vpc_images/vpn_gcp/gcp_vpn-025.png)

4. After login, the FortiGate dashboard is displayed.

   ![FortiGate dashboard](../network/vpc_images/vpn_gcp/gcp_vpn-026.png)

---

### Step 2 — Change the HTTPS Management Port

FortiGate uses port 443 for HTTPS management by default. This conflicts with the VPN tunnel. Change it before creating the tunnel.

1. Navigate to **System → Settings**.
2. Under **Administration Settings**, change the **HTTPS port** from `443` to `10443`.
3. Click **Apply**.

   ![Change HTTPS port to 10443](../network/vpc_images/vpn_gcp/gcp_vpn-027.png)

4. Log in again using the new port: `https://<FortiGate-public-IP>:10443`

---

### Step 3 — Create a Custom IPsec VPN Tunnel

1. Navigate to **VPN → VPN Tunnels**.
2. Click **Create New** and select **Custom IPsec Tunnel**.
   ![Select Custom IPsec Tunnel](../network/vpc_images/vpn_gcp/gcp_vpn-028.png)

---

### Step 4 — Configure VPN Settings

Configure the following in the **Network** and **Authentication** sections:

**Network section:**

| Parameter | Value |
|---|---|
| **Name** | `e2e-gcp` |
| **Remote gateway** | Static IP Address |
| **IP address** | GCP VPN Gateway Public IP |
| **Interface** | `port1` |
| **NAT traversal** | Enable |
| **Keepalive frequency** | `10` |
| **Dead peer detection** | Enable |
| **DPD retry count** | `3` |
| **DPD retry interval** | `20` seconds |

![VPN tunnel network settings](../network/vpc_images/vpn_gcp/gcp_vpn-029.png)

**Authentication section:**

| Parameter | Value |
|---|---|
| **Method** | Pre-shared Key |
| **Pre-shared key** | Same PSK configured in GCP Step 4 |
| **IKE version** | Version 2 |

![Authentication settings](../network/vpc_images/vpn_gcp/gcp_vpn-030.png)

---

### Step 5 — Configure Phase 1 Settings

In the **Phase 1 proposal** section, configure:

| Parameter | Value |
|---|---|
| **Encryption** | AES256GCM |
| **PRF** | PRFSHA256 |
| **Diffie-Hellman group** | 14 |
| **Key lifetime** | `86400` seconds |

![Phase 1 proposal settings](../network/vpc_images/vpn_gcp/gcp_vpn-031.png)

:::info Cipher name mapping
GCP and FortiGate use different names for the same algorithms:
- GCP's **AES-GCM-16-256** = FortiGate's **AES256GCM**
- GCP's **PRF-HMAC-SHA2-256** = FortiGate's **PRFSHA256**
- GCP's **modp_2048** = FortiGate's Diffie-Hellman group **14** (both are DH Group 14)
:::

---

### Step 6 — Configure Phase 2 Settings

1. In the **Phase 2 selectors** section, click **Create new**.

   ![Phase 2 selectors — Create new](../network/vpc_images/vpn_gcp/gcp_vpn-032.png)

2. Configure the selector:

   | Parameter | Value |
   |---|---|
   | **Name** | `e2e-gcp` |
   | **Encapsulation** | Tunnel Mode |
   | **IP version** | IPv4 |
   | **Local address** | E2E Cloud VPC CIDR (e.g., `10.11.14.0/23`) |
   | **Remote address** | GCP subnet CIDR (e.g., `10.128.0.0/20`) |

   ![Phase 2 selector addresses](../network/vpc_images/vpn_gcp/gcp_vpn-033.png)

3. In the **Advanced** section, configure:

   | Parameter | Value |
   |---|---|
   | **Encryption** | AES256GCM |
   | **Replay detection** | Enable |
   | **Perfect Forward Secrecy (PFS)** | Enable |
   | **Diffie-Hellman group** | 14 |

   ![Phase 2 advanced settings](../network/vpc_images/vpn_gcp/gcp_vpn-034.png)

4. Configure additional Phase 2 settings:

   | Parameter | Value |
   |---|---|
   | **Local port** | All |
   | **Remote port** | All |
   | **Protocol** | All |
   | **Auto-negotiate** | Enable |
   | **Autokey keep alive** | Enable |
   | **Key lifetime** | `43200` seconds |

   ![Phase 2 additional settings](../network/vpc_images/vpn_gcp/gcp_vpn-035.png)

5. Click **OK** to save the Phase 2 selector, then click **OK** to save the tunnel.

---

### Step 7 — Add a Static Route (E2E → GCP)

1. Navigate to **Network → Static Routes → Create New**.
2. Configure:

   | Parameter | Value |
   |---|---|
   | **Destination** | GCP subnet CIDR (e.g., `10.128.0.0/20`) |
   | **Interface** | `e2e-gcp` (VPN tunnel) |

   ![New static route](../network/vpc_images/vpn_gcp/gcp_vpn-036.png)

3. Click **OK**. This directs all GCP-bound traffic through the VPN tunnel.

---

### Step 8 — Create Firewall Policy (E2E → GCP)

1. Navigate to **Policy & Objects → Firewall Policy → Create New**.
2. Configure:

   :::info Policy 1: E2E → GCP
   | Field | Value |
   |---|---|
   | **Name** | `E2E-to-GCP` |
   | **Incoming interface** | `port2` (internal/LAN interface) |
   | **Outgoing interface** | `e2e-gcp` (VPN tunnel) |
   | **Source** | E2E local network address object |
   | **Destination** | GCP subnet address object |
   | **Service** | ALL |
   | **Action** | ACCEPT |
   | **NAT** | Disable |
   :::

   ![Firewall policy E2E to GCP](../network/vpc_images/vpn_gcp/gcp_vpn-037.png)

3. Click **OK**.

---

### Step 9 — Create Firewall Policy (GCP → E2E)

1. Click **Create New** again to create the reverse policy.
2. Configure:

   :::info Policy 2: GCP → E2E
   | Field | Value |
   |---|---|
   | **Name** | `GCP-to-E2E` |
   | **Incoming interface** | `e2e-gcp` (VPN tunnel) |
   | **Outgoing interface** | `port2` (internal/LAN interface) |
   | **Source** | GCP subnet address object |
   | **Destination** | E2E local network address object |
   | **Service** | ALL |
   | **Action** | ACCEPT |
   | **NAT** | Disable |
   :::

   ![Firewall policy GCP to E2E](../network/vpc_images/vpn_gcp/gcp_vpn-038.png)

3. Click **OK**.

Both policies are required for bidirectional communication through the VPN tunnel.

---

### Step 10 — Verify VPN Tunnel Status

**GCP side:**

1. Navigate to **Network Connectivity → VPN → Cloud VPN tunnels**.
2. Verify that the `e2e-gcp-tunnel` status shows **Established**.

   ![GCP VPN tunnel Established](../network/vpc_images/vpn_gcp/gcp_vpn-039.png)

**FortiGate side:**

1. Navigate to **VPN → VPN Tunnels**.
2. Verify that the `e2e-gcp` tunnel status shows **Up**.

   ![FortiGate VPN tunnel Up](../network/vpc_images/vpn_gcp/gcp_vpn-040.png)

:::note
The tunnel must show **Established** on GCP and **Up** on FortiGate before connectivity testing. If either side shows a different status, verify that the PSK and cipher settings match exactly on both sides.
:::

---

## Part 3 — Connectivity Testing

### Step 1 — Note the E2E Cloud VM Details

In the E2E Cloud Console, go to your **Nodes** list and note the **Private IP** of your E2E Cloud VM (e.g., `10.11.14.16`).

![E2E Cloud VM private IP](../network/vpc_images/vpn_gcp/gcp_vpn-041.png)

A test VM was already created in GCP in Part 1, Step 2 (private IP: `10.128.0.2`).

---

### Step 2 — Add a Route on the E2E Cloud VM

Log in to the E2E Cloud VM via SSH and add a route to the GCP network:

```bash
sudo ip route add 10.128.0.0/20 via 10.11.14.6 dev ens4
```

![Add route on E2E VM](../network/vpc_images/vpn_gcp/gcp_vpn-042.png)

:::info Route explanation
- `10.128.0.0/20` — GCP VPC CIDR
- `10.11.14.6` — FortiGate private IP on the E2E side
- `ens4` — network interface connected to the E2E Cloud VPC

This ensures GCP-bound traffic is forwarded to the FortiGate, which routes it through the VPN tunnel. A route added with `ip route add` is not persistent across reboots; add it to the VM's network configuration (for example netplan or NetworkManager) if it must survive a restart.
:::

---

### Step 3 — Verify Ping Connectivity

**E2E Cloud VM → GCP VM**

From the E2E Cloud VM, ping the GCP VM's private IP:

```bash
ping 10.128.0.2
```

![Ping from E2E to GCP — Successful](../network/vpc_images/vpn_gcp/gcp_vpn-043.png)

**GCP VM → E2E Cloud VM**

From the GCP VM (via browser-based SSH in GCP Console), ping the E2E Cloud VM's private IP:

```bash
ping 10.11.14.16
```

![Ping from GCP to E2E — Successful](../network/vpc_images/vpn_gcp/gcp_vpn-044.png)

Successful pings in both directions confirm the VPN tunnel is fully active and routing correctly.

---

### Step 4 — Verify SSH Connectivity

**Generate an SSH key on the E2E Cloud VM:**

```bash
ssh-keygen -t ed25519 -C "e2e-gcp-vpn"
```

Press Enter to accept the defaults.

**Copy the public key:**

```bash
cat ~/.ssh/id_ed25519.pub
```

**Add the key to the GCP VM:**

1. In GCP Console, go to **Compute Engine → VM Instances**.
2. Select the GCP test VM and click **Edit**.
3. Scroll to **SSH Keys → Add Item**, paste the public key, and click **Save**.
**Connect from E2E Cloud VM to GCP VM:**

```bash
ssh e2e-gcp-vpn@10.128.0.2
```

![SSH from E2E to GCP — Successful](../network/vpc_images/vpn_gcp/gcp_vpn-045.png)

Successful SSH access confirms full end-to-end private connectivity between E2E Cloud and Google Cloud Platform.

---

## Conclusion

The Site-to-Site IPsec VPN between E2E Cloud and Google Cloud Platform is now fully configured and verified. Traffic between the E2E Cloud VPC and the GCP VPC is routed through an encrypted IPsec tunnel, enabling private communication between resources in both environments without exposing that traffic in the clear on the public internet.

---
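The guide requires the two CIDRs not to overlap (Part 1, Step 1), the PSK, IKE version and Phase 1/Phase 2 ciphers to match exactly on both sides (Part 1, Step 4 and Part 2, Step 10), and gives the mapping between GCP's and FortiGate's algorithm names (Part 2, Step 5). The following Python script, added here as an example and not part of the original guide or of either vendor's tooling, checks those conditions offline against the values you recorded; the dictionary layout, field names and the PSK placeholder are assumptions made for this example.

```python
import ipaddress

# GCP cipher name -> FortiGate name, as listed in the guide's "Cipher name mapping"
# box. The dict layout and field names below are assumptions of this example.
GCP_TO_FORTIGATE = {
    "AES-GCM-16-256": "AES256GCM",
    "PRF-HMAC-SHA2-256": "PRFSHA256",
    "modp_2048": "14",  # Diffie-Hellman Group 14 on both sides
}
CIPHER_FIELDS = ("p1_encryption", "p1_prf", "p1_dh", "p2_encryption", "p2_pfs")

def cidrs_overlap(a: str, b: str) -> bool:
    """True when two CIDR ranges share any address (the guide requires they do not)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def check_tunnel(gcp: dict, forti: dict) -> list:
    """Compare both sides of the tunnel; return mismatches (empty list = consistent)."""
    problems = []
    if cidrs_overlap(gcp["local_cidr"], gcp["remote_cidr"]):
        problems.append(f"overlapping CIDRs {gcp['local_cidr']} / {gcp['remote_cidr']}")
    if gcp["psk"] != forti["psk"]:
        problems.append("pre-shared key differs")
    if gcp["ike_version"] != forti["ike_version"]:
        problems.append("IKE version differs")
    # Selectors are mirrored: GCP's local range is the FortiGate's remote range.
    if (gcp["local_cidr"], gcp["remote_cidr"]) != (forti["remote_cidr"], forti["local_cidr"]):
        problems.append("traffic selectors are not mirrored between the two sides")
    for field in CIPHER_FIELDS:
        expected = GCP_TO_FORTIGATE.get(gcp[field], gcp[field])
        if expected != forti[field]:
            problems.append(f"{field}: GCP {gcp[field]} needs FortiGate {expected}, found {forti[field]}")
    return problems

# Constructed sample values using the CIDRs and ciphers from the guide; the PSK is a placeholder.
GCP_SIDE = {
    "local_cidr": "10.128.0.0/20", "remote_cidr": "10.11.14.0/23",
    "psk": "PLACEHOLDER-PSK", "ike_version": 2,
    "p1_encryption": "AES-GCM-16-256", "p1_prf": "PRF-HMAC-SHA2-256", "p1_dh": "modp_2048",
    "p2_encryption": "AES-GCM-16-256", "p2_pfs": "modp_2048",
}
FORTIGATE_SIDE = {
    "local_cidr": "10.11.14.0/23", "remote_cidr": "10.128.0.0/20",
    "psk": "PLACEHOLDER-PSK", "ike_version": 2,
    "p1_encryption": "AES256GCM", "p1_prf": "PRFSHA256", "p1_dh": "14",
    "p2_encryption": "AES256GCM", "p2_pfs": "14",
}

if __name__ == "__main__":
    for line in check_tunnel(GCP_SIDE, FORTIGATE_SIDE) or ["tunnel parameters are consistent"]:
        print(line)
```

Replace the sample dictionaries with the values you recorded from both consoles; any line the script prints names a setting that would keep the tunnel from reaching **Established** / **Up**.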