This is a diagram that I have used for this lab.
![](https://tungle.ca/wp-content/uploads/2022/05/image-136.png)
I have set up the first part for Palo Alto on GCP (https://tungle.ca/?p=3760). Now I will set up the site-to-site VPN between Palo Alto on-prem and Palo Alto on GCP.
On Palo Alto on-prem.
![](https://tungle.ca/wp-content/uploads/2022/05/image-137.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-138.png)
Set up the DHCP service on the e1/2 interface.
![](https://tungle.ca/wp-content/uploads/2022/05/image-139.png)
Set the default route on Palo Alto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-140.png)
Create a tunnel 1 on Palo Alto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-141.png)
Create an IKECrypto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-142.png)
Create an IPSECCrypto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-143.png)
Create an IKEGateway.
![](https://tungle.ca/wp-content/uploads/2022/05/image-144.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-145.png)
Create an IPSECTunnel.
![](https://tungle.ca/wp-content/uploads/2022/05/image-146.png)
Create network objects for LAN subnets of Palo Alto on-prem and on GCP.
![](https://tungle.ca/wp-content/uploads/2022/05/image-147.png)
Create both security policies to allow traffic from LAN subnets on Palo Alto on GCP to LAN subnets on Palo Alto on-prem and vice versa.
![](https://tungle.ca/wp-content/uploads/2022/05/image-148.png)
Create a static route to allow traffic from LAN subnets of Palo Alto on-prem to LAN subnets of Palo Alto on the cloud.
![](https://tungle.ca/wp-content/uploads/2022/05/image-149.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-150.png)
Create SNAT to allow the local network to access the Internet.
![](https://tungle.ca/wp-content/uploads/2022/05/image-151.png)
Create another access rule to allow traffic from the LAN network to access the Internet.
![](https://tungle.ca/wp-content/uploads/2022/05/image-152.png)
The Kali machine on the LAN network is able to access the Internet.
![](https://tungle.ca/wp-content/uploads/2022/05/image-153.png)
Back to Palo Alto on GCP.
Create a tunnel 1 on Palo Alto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-154-1024x611.png)
Create an IKECrypto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-155-1024x611.png)
Create an IPSECCrypto.
![](https://tungle.ca/wp-content/uploads/2022/05/image-156-1024x636.png)
Create an IKEGateway.
![](https://tungle.ca/wp-content/uploads/2022/05/image-157-1024x729.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-158-1024x625.png)
Create an IPSEC tunnel.
![](https://tungle.ca/wp-content/uploads/2022/05/image-159-1024x537.png)
Create network objects for LAN subnets for Palo Alto on-prem and on the cloud.
![](https://tungle.ca/wp-content/uploads/2022/05/image-167-1024x349.png)
Create both security policies to allow traffic from LAN subnets on Palo Alto on GCP to LAN subnets on Palo Alto on-prem and vice versa.
![](https://tungle.ca/wp-content/uploads/2022/05/image-161-1024x210.png)
Create a static route to allow traffic from LAN subnets of Palo Alto on the cloud to LAN subnets of Palo Alto on-prem.
![](https://tungle.ca/wp-content/uploads/2022/05/image-162-1024x664.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-163.png)
Go to the vpc-inside network and click “Add route” to add a new route to the LAN subnets of Palo Alto on-prem.
![](https://tungle.ca/wp-content/uploads/2022/05/image-164-1024x671.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-165.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-166-1024x685.png)
Ping the Kali machine from the Windows 2016 VM on GCP.
![](https://tungle.ca/wp-content/uploads/2022/05/image-176.png)
Ping the Windows 2016 VM from the Kali machine.
![](https://tungle.ca/wp-content/uploads/2022/05/image-169.png)
The IPSEC tunnel is up on Palo Alto on-prem.
![](https://tungle.ca/wp-content/uploads/2022/05/image-170.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-171.png)
The IPSEC tunnel is up on Palo Alto on GCP.
![](https://tungle.ca/wp-content/uploads/2022/05/image-172-1024x315.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-173.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-174-1024x593.png)
![](https://tungle.ca/wp-content/uploads/2022/05/image-175-1024x559.png)
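The steps above are configured twice, once per firewall, and the tunnel only passes traffic when the two sides mirror each other. The following is an added example, not part of the original lab: a small Python check that compares both sides' crypto profiles, IKE gateway peer address, tunnel static routes, security policies and the vpc-inside route. The dictionary layout, field names, addresses and crypto values are constructed assumptions, not values from the screenshots.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def covered(target, cidrs):
    """True if any CIDR in cidrs contains the target network."""
    return any(net(target).subnet_of(net(c)) for c in cidrs)

def check_side(name, me, peer):
    """Findings for one firewall, judged against its peer's settings."""
    out = []
    for profile in ("ike_crypto", "ipsec_crypto"):
        for field, values in me[profile].items():
            if not set(values) & set(peer[profile].get(field, [])):
                out.append(f"{name}: {profile}.{field} has no value in common with peer")
    if me["peer_address"] != peer["public_ip"]:
        out.append(f"{name}: IKE gateway peer address is not the peer's public IP")
    if not covered(peer["lan"], me["tunnel_routes"]):
        out.append(f"{name}: no static route to {peer['lan']} via the tunnel")
    for src, dst in ((me["lan"], peer["lan"]), (peer["lan"], me["lan"])):
        if not any(covered(src, [s]) and covered(dst, [d]) for s, d in me["policies"]):
            out.append(f"{name}: no security policy {src} -> {dst}")
    # Only the cloud side lists VPC routes (the vpc-inside "Add route" step).
    if "vpc_routes" in me and not covered(peer["lan"], me["vpc_routes"]):
        out.append(f"{name}: VPC has no route to {peer['lan']}")
    return out

def check_pair(onprem, gcp):
    findings = ["LAN subnets overlap"] if net(onprem["lan"]).overlaps(net(gcp["lan"])) else []
    return findings + check_side("on-prem", onprem, gcp) + check_side("gcp", gcp, onprem)

# Constructed sample values (documentation/private ranges), not the lab's own.
CRYPTO = {"dh_group": ["group14"], "encryption": ["aes-256-cbc"], "auth": ["sha256"]}
BOTH_WAYS = [("10.10.10.0/24", "10.20.20.0/24"), ("10.20.20.0/24", "10.10.10.0/24")]
ONPREM = {"ike_crypto": CRYPTO, "ipsec_crypto": CRYPTO, "public_ip": "198.51.100.10",
          "peer_address": "203.0.113.20", "lan": "10.10.10.0/24",
          "tunnel_routes": ["10.20.20.0/24"], "policies": BOTH_WAYS}
# The GCP side carries three deliberate mistakes: DH group, one policy, VPC route.
GCP = {"ike_crypto": dict(CRYPTO, dh_group=["group2"]), "ipsec_crypto": CRYPTO,
       "public_ip": "203.0.113.20", "peer_address": "198.51.100.10",
       "lan": "10.20.20.0/24", "tunnel_routes": ["10.10.10.0/24"],
       "vpc_routes": [], "policies": BOTH_WAYS[1:]}

if __name__ == "__main__":
    for finding in check_pair(ONPREM, GCP):
        print(finding)
```

An empty result means the two sides mirror each other; it does not replace the ping tests and tunnel status checks shown above.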