Skip to main content
rtanagras
Staff & Editor
rtanagras
Staff & Editor
February 27, 2025

Technical Tip: IPsec Tunnel Between GCP and FortiGate

  • February 27, 2025
  • 0 replies
  • 2185 views
Description This article indicates the setup of an IPsec tunnel between FortiGate and GCP using Classic VPN configuration.
Scope FortiGate.
Solution

Network Topology:

 

gcp to fortigate ipsec.drawio.png

 

To set up GCP, follow this link: GCP Static IPsec VPN Setup

 

GCP configuration:

 

 

2025-02-27 08 47 41.jpg

 2025-02-27 08 50 29.jpg

 

Note:

Ensure that the above settings match those on the FortiGate IPsec VPN.

 

FortiGate configuration:

 

config vpn ipsec phase1-interface

edit "To-GCP"

set interface "port1"
set keylife 36600
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: To-GCP (Created by VPN wizard)"
set dhgrp 2
set remote-gw x.x.x.x
set psksecret ENC ZZ9r2zQudSYd16Fk7cZlZ66acwM/2fGyfIgm/+Bu84ftr6cVKXFX

next

end

 

config vpn ipsec phase2-interface

edit "To-GCP"

set phase1name "To-GCP"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set dhgrp 2
set auto-negotiate enable
set comments "VPN: To-GCP (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 36600
set src-name "To-GCP_local_subnet_1"
set dst-name "To-GCP_remote_subnet_1"

next

end

 

config firewall policy

edit 15

set name "vpn_To-GCP_remote_0"
set srcintf "To-GCP"
set dstintf "port2"
set action accept
set srcaddr "To-GCP_remote"
set dstaddr "To-GCP_local"
set schedule "always"
set service "ALL"
set comments "VPN: To-GCP (Created by VPN wizard)"

next

edit 14

set name "vpn_To-GCP_local_0"
set srcintf "port2"
set dstintf "To-GCP"
set action accept
set srcaddr "To-GCP_local"
set dstaddr "To-GCP_remote"
set schedule "always"
set service "ALL"
set comments "VPN: To-GCP (Created by VPN wizard)"

next

end

config router static

edit 5

set device "To-GCP"
set comment "VPN: To-GCP (Created by VPN wizard)"
set dstaddr "To-GCP_remote"

next

edit 6

set distance 254
set comment "VPN: To-GCP (Created by VPN wizard)"
set blackhole enable
set dstaddr "To-GCP_remote"
set vrf 0

next

end

 

config firewall address
    edit "To-GCP_local_subnet_1"

     set allow-routing enable
     set subnet 172.16.0.0 255.255.0.0

 next

end

 

config firewall address

    edit "To-GCP_remote_subnet_1"

     set allow-routing enable
     set subnet 10.148.0.0 255.255.240.0

 next

end

 

Note: 

If there are still issues establishing the VPN, use the public IP of the FortiGate and add it as a peer ID.

 

config vpn ipsec phase1-interface
    edit "To-GCP"

     set mode aggressive

     set peertype one

     set peerid "public-ip"

 next

end

 

From v7.6.x versions onward, the option for adding the Transport type has been introduced and this can be selected from the Phase 1 configuration, and UDP can be selected as the transport protocol when VPN is formed with other vendors.

 

config vpn ipsec phase1-interface
    edit "To-GCP"

     set mode aggressive

     set peertype one

     set peerid "public-ip"

         set transport udp

 next

end
    Terms & ConditionsAccessibility statement