FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rtanagras
Staff & Editor
Article Id 379210
Description This article describes how to set up an IPsec tunnel between a FortiGate and GCP using the Classic VPN configuration.
Scope FortiGate.
Solution

Network Topology:

[Figure: GCP to FortiGate IPsec network topology diagram]

To set up GCP, follow this link: GCP Static IPsec VPN Setup

 

GCP configuration:

[Screenshots of the GCP Classic VPN tunnel settings, captured 2025-02-27]

Note:

Ensure that the above settings match those on the FortiGate IPsec VPN.

 

FortiGate configuration:

 

config vpn ipsec phase1-interface
    edit "To-GCP"
        set interface "port1"
        set keylife 36600
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: To-GCP (Created by VPN wizard)"
        set dhgrp 2
        set remote-gw x.x.x.x
        set psksecret ENC ZZ9r2zQudSYd16Fk7cZlZ66acwM/2fGyfIgm/+Bu84ftr6cVKXFX
    next
end

 

config vpn ipsec phase2-interface
    edit "To-GCP"
        set phase1name "To-GCP"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 2
        set auto-negotiate enable
        set comments "VPN: To-GCP (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 36600
        set src-name "To-GCP_local_subnet_1"
        set dst-name "To-GCP_remote_subnet_1"
    next
end

 

config firewall policy
    edit 15
        set name "vpn_To-GCP_remote_0"
        set srcintf "To-GCP"
        set dstintf "port2"
        set action accept
        set srcaddr "To-GCP_remote"
        set dstaddr "To-GCP_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-GCP (Created by VPN wizard)"
    next
    edit 14
        set name "vpn_To-GCP_local_0"
        set srcintf "port2"
        set dstintf "To-GCP"
        set action accept
        set srcaddr "To-GCP_local"
        set dstaddr "To-GCP_remote"
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-GCP (Created by VPN wizard)"
    next
end

config router static
    edit 5
        set device "To-GCP"
        set comment "VPN: To-GCP (Created by VPN wizard)"
        set dstaddr "To-GCP_remote"
    next
    edit 6
        set distance 254
        set comment "VPN: To-GCP (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "To-GCP_remote"
        set vrf 0
    next
end

 

config firewall address
    edit "To-GCP_local_subnet_1"
        set allow-routing enable
        set subnet 172.16.0.0 255.255.0.0
    next
    edit "To-GCP_remote_subnet_1"
        set allow-routing enable
        set subnet 10.148.0.0 255.255.240.0
    next
end

The firewall policies and static routes above reference the address groups "To-GCP_local" and "To-GCP_remote"; the VPN wizard creates these as groups containing the subnet objects shown here, so when building the configuration by hand, create them under config firewall addrgrp before adding the policies and routes.
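As an added example (not from the article or from Fortinet), here is a small Python lint that parses FortiOS CLI blocks of the shape shown above and reports phase2 entries whose phase1name, src-name or dst-name point at an object that is not defined, as well as proposals or DH groups that still include SHA-1, MD5, DES or MODP groups 1, 2 and 5, which is worth reviewing before matching the settings against the GCP side. The embedded config is a constructed sample, and the WEAK_TOKENS and WEAK_DHGRP lists are an assumed policy, not a Fortinet or Google requirement.

```python
import shlex
# Constructed sample in the same FortiOS CLI shape as the article's config (not a live export).
SAMPLE_CONFIG = """
config vpn ipsec phase2-interface
    edit "To-GCP"
        set phase1name "To-GCP"
        set proposal aes128-sha1 aes256-sha1 aes128gcm aes256gcm
        set dhgrp 2
        set src-name "To-GCP_local_subnet_1"
        set dst-name "To-GCP_remote_subnet_1"
    next
end
config firewall address
    edit "To-GCP_local_subnet_1"
        set subnet 172.16.0.0 255.255.0.0
    next
end
"""
WEAK_TOKENS, WEAK_DHGRP = ("sha1", "md5", "des"), {"1", "2", "5"}  # assumed policy: SHA-1/MD5/DES, small MODP groups


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for words in map(shlex.split, text.splitlines()):
        if words and words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words and words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words and words[0] == "set":
            entry[words[1]] = words[2:]
        elif words == ["end"]:
            table = entry = None
    return tables


def lint_ipsec(tables):
    """Return findings: dangling object references and weak crypto in phase1/phase2."""
    p1s, p2s = (tables.get(f"vpn ipsec phase{n}-interface", {}) for n in (1, 2))
    addrs, findings = tables.get("firewall address", {}), []
    for name, p2 in p2s.items():
        for key, tbl in (("phase1name", p1s), ("src-name", addrs), ("dst-name", addrs)):
            if p2.get(key, [None])[0] not in tbl:
                findings.append(f"phase2 {name}: {key} {p2.get(key, ['?'])[0]} not defined")
    for label, entries in (("phase1", p1s), ("phase2", p2s)):
        for name, e in entries.items():
            weak = [p for p in e.get("proposal", []) if any(t in p for t in WEAK_TOKENS)]
            weak += [f"dhgrp {g}" for g in e.get("dhgrp", []) if g in WEAK_DHGRP]
            if weak:
                findings.append(f"{label} {name}: weak {' '.join(weak)}")
    return findings
```

Feed it the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show firewall address` concatenated, and each finding names the entry and key to fix.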

 

Note: 

If there are still issues establishing the VPN, use the public IP of the FortiGate and add it as a peer ID.

 

config vpn ipsec phase1-interface
    edit "To-GCP"
        set mode aggressive
        set peertype one
        set peerid "public-ip"
    next
end

 

From FortiOS 7.6.x onward, a Transport option is available in the Phase 1 configuration, and UDP can be selected as the transport protocol when the VPN is formed with other vendors.

 

config vpn ipsec phase1-interface
    edit "To-GCP"
        set mode aggressive
        set peertype one
        set peerid "public-ip"
        set transport udp
    next
end