GCP configuration

This document describes how to set up an IPsec connection with WALLIX One PAM and your platform hosted on GCP using dynamic routing.

Prerequisite

WALLIX One PAM side

You need some information about your WALLIX One PAM platform:

  • IPsec endpoint address
  • BGP ASN

For this example, we use the following values:

  • IPsec endpoint address: 51.103.98.141
  • BGP ASN: 210094

GCP side

A VPC with an existing subnet must already exist, with "Dynamic routing mode" set to "Global".
In this example, a VPC named "wallix-w1pam" with the default subnet "default" was created.

[Screenshot: GCP VPC dynamic routing mode]

Configuration

This section describes how to set up the VPN connection to the WALLIX w1pam platform using dynamic routing (BGP).

Cloud HA VPN gateway

[Screenshot: GCP Create VPN connection]

Click on "Create VPN connection".

[Screenshot: GCP Create VPN connection]

Select the "High-availability" VPN option.

NOTE

Currently, WALLIX w1pam provides only a single VPN instance.
In the future, a second instance must be added to provide high availability between W1P and your remote sites.

[Screenshot: GCP Create VPN connection (step 1)]

Select "IPv4 (single stack)".

NOTE

Currently, WALLIX w1pam supports only IPv4 networks.
Support for IPv6 networks must be provided in the future.

VPN tunnels

Peer VPN gateway

[Screenshot: GCP Create VPN connection (step 2)]

Select "On-prem or non-Google cloud" and click on "Create new peer VPN gateway".

[Screenshot: GCP Create VPN gateway]

Select "one interface" and use the IP address of the WALLIX W1P IPsec endpoint.

NOTE

Currently, WALLIX w1pam provides only a single VPN instance.
In the future, a second instance must be added to provide high availability between W1P and your remote sites.

Routing options

[Screenshot: GCP Create VPN router (step 1)]

Click on "Create new router".

[Screenshot: GCP Create VPN router (step 2)]

Complete the options:

  • ASN: select an ASN from the private BGP range (64512 to 65535, or 4200000000 to 4294967294).
  • Advertised routes: by default, GCP announces all subnets visible to the Cloud Router, but you can select specific CIDRs if you prefer.

[Screenshot: GCP Create VPN connection (step 3)]

Let GCP generate a new PSK for you and save it.
Click on "Create and continue".

[!IMPORTANT] Verify that the generated PSK only contains letters (lowercase and uppercase), numbers, and underscores, with a size between 32 and 128 characters.

BGP sessions

[Screenshot: GCP Create VPN connection (step 3)]

Click on "Configure BGP session".

[Screenshot: GCP Create BGP session]

Give a name to this configuration and define the peer ASN as 210094.
Click on "Save and continue" and then on "Save BGP configuration".

Download configuration

[Screenshot: GCP Create VPN connection (step 4)]

Note the public IP address of the GCP VPN gateway.

[Screenshot: GCP VPN download configuration]

The following information must be declared in the shuttle document for the configuration of the IPsec tunnel:

  • name: choose a name for this tunnel (e.g., gcp-europewest9)
  • ip_address: public IP address of the GCP VPN gateway (e.g., 34.157.13.199)
  • tunnel_cidr: take the "Cloud Router BGP IP" retrieved from the configuration and use the /30 network that contains it (e.g., 169.254.222.92/30)
  • use_first_address: False
  • bgp_asn: the ASN defined previously when the new router was created (e.g., 64512)
  • psk: the pre-shared key defined previously
  • phase1_ciphers: the Phase 1 encryption algorithms (AES128 or AES256)
  • phase1_integrity: the Phase 1 integrity algorithms (SHA2-256, SHA2-384 or SHA2-512)
  • phase2_ciphers: the Phase 2 encryption algorithms matching your selection during tunnel option configuration (AES128, AES256, AES128_GCM_16 or AES256_GCM_16)
  • phase2_integrity: the Phase 2 integrity algorithms (SHA2-256, SHA2-384 or SHA2-512)
  • dhs: the Diffie-Hellman group numbers matching your selection during tunnel option configuration (14, 15, 16, 19, 20, 21, 31)
  • routing_mode: "dynamic"

These settings must be provided to WALLIX support to establish the IPsec tunnel.
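As an added helper (not part of WALLIX's or GCP's own tooling), the snippet below assembles the shuttle-document values listed above and enforces the PSK rule from the important note: it derives tunnel_cidr as the /30 containing the Cloud Router BGP IP, checks the PSK character set and length, checks the ASN against the private ranges, and rejects algorithm or DH-group choices outside the listed sets. The Cloud Router BGP IP used in the sample call is a constructed value.

```python
import ipaddress
import re

# Constraints stated on this page: PSK charset and length, private BGP ASN
# ranges, and the algorithm choices offered for the IPsec tunnel.
PSK_RE = re.compile(r"[A-Za-z0-9_]{32,128}")
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))
PHASE1_CIPHERS = {"AES128", "AES256"}
PHASE2_CIPHERS = {"AES128", "AES256", "AES128_GCM_16", "AES256_GCM_16"}
INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
DH_GROUPS = {14, 15, 16, 19, 20, 21, 31}


def psk_is_valid(psk: str) -> bool:
    """Letters, digits and underscores only, 32 to 128 characters."""
    return PSK_RE.fullmatch(psk) is not None


def asn_is_private(asn: int) -> bool:
    """True if the ASN falls in one of the private ranges GCP accepts."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def tunnel_cidr_from_bgp_ip(cloud_router_bgp_ip: str) -> str:
    """Return the /30 link network that contains the Cloud Router BGP IP."""
    return str(ipaddress.ip_interface(f"{cloud_router_bgp_ip}/30").network)


def build_shuttle_entry(name, gateway_ip, cloud_router_bgp_ip, bgp_asn, psk,
                        phase1_ciphers, phase1_integrity, phase2_ciphers,
                        phase2_integrity, dhs):
    """Assemble the tunnel parameters, rejecting values outside the documented sets."""
    if not psk_is_valid(psk):
        raise ValueError("PSK must be 32-128 chars of [A-Za-z0-9_]; regenerate it in GCP")
    if not asn_is_private(bgp_asn):
        raise ValueError(f"ASN {bgp_asn} is outside the private BGP ranges")
    ipaddress.IPv4Address(gateway_ip)  # raises ValueError on a malformed address
    if not (set(phase1_ciphers) <= PHASE1_CIPHERS and set(phase2_ciphers) <= PHASE2_CIPHERS
            and set(phase1_integrity) <= INTEGRITY and set(phase2_integrity) <= INTEGRITY
            and set(dhs) <= DH_GROUPS):
        raise ValueError("unsupported cipher, integrity algorithm or DH group")
    return {
        "name": name, "ip_address": gateway_ip,
        "tunnel_cidr": tunnel_cidr_from_bgp_ip(cloud_router_bgp_ip),
        "use_first_address": False,  # fixed value given on the page
        "bgp_asn": bgp_asn, "psk": psk,
        "phase1_ciphers": list(phase1_ciphers), "phase1_integrity": list(phase1_integrity),
        "phase2_ciphers": list(phase2_ciphers), "phase2_integrity": list(phase2_integrity),
        "dhs": list(dhs), "routing_mode": "dynamic",
    }
```

Run the validated dictionary through your own template before sending it to WALLIX support; a PSK that fails the check should be regenerated in the GCP console rather than edited by hand.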

Status

[Screenshot: GCP VPN dynamic routing status]

When the tunnel is up, the status of both "VPN tunnel" and "BGP session" must be "established".

[Screenshot: GCP VPN dynamic routing routes]

To check the routes received from WALLIX, go to your VPC routing table and select the region where the tunnel is deployed. You must see three routes:

  • two private subnets: used for outbound connections by the Bastion and the Access Manager
  • one public address: used for incoming connections from users to the Bastion or the Access Manager