Adding a VPN tunnel

Adding a VPN tunnel to HA VPN

Adding a VPN tunnel to Classic VPN

Each Cloud VPN tunnel associated with a Classic VPN gateway must connect to a unique peer VPN gateway, as identified by the peer gateway's IP address. If you need to create a second tunnel to the same peer gateway, you must create that tunnel from a different Cloud VPN gateway.

Required permissions

Project owners, editors, and IAM members with the Network Admin role can create Cloud VPN tunnels.


  1. Go to the VPN page in the Google Cloud Console.
  2. Click the Google VPN Gateways tab.
  3. Click the name of an existing VPN gateway.
  4. On the VPN gateway details page, in the Tunnels section, click Add VPN tunnel.
  5. Supply the following information:
    1. Provide a name for the tunnel.
    2. Enter the external IP address of the peer VPN gateway in the Remote peer IP address field.
    3. Choose an IKE version compatible with your peer VPN gateway.
    4. Provide the Shared secret (also known as the preshared key) for authentication. Refer to this page for suggestions about how to generate strong shared secrets.
    5. Click the appropriate Routing option.
      • To use dynamic routing, choose Dynamic (BGP), then select an existing Cloud Router or create a new one from the Cloud Router menu. Next, click the edit (pencil) button next to BGP session to define the BGP session parameters. The BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
      • To use route-based VPN, choose Route-based. For the Remote network IP ranges, supply the ranges of IP addresses used by the peer network.
      • To use policy-based routing, choose Policy-based and supply both the Remote network IP ranges and Local IP ranges. Use the Local subnetworks menu to choose IP ranges of subnets in a VPC network.
  6. Click Create.
  7. Set up the peer VPN gateway by configuring the corresponding tunnel.
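
The steps above carry two uniqueness rules: one peer IP address per tunnel on a Classic VPN gateway, and no reuse of a BGP IP address range across Cloud Routers in the VPC network. The following pre-flight check is an added example, not part of the original documentation or any Google tool. The inventory, names, IP addresses and the minimum secret length are constructed assumptions.

```python
import ipaddress
import secrets

MIN_SECRET_LEN = 24  # assumed local policy threshold, not a Cloud VPN limit

# Constructed inventory (documentation-range IPs); in practice export it from your project.
EXISTING_TUNNELS = [
    {"name": "tunnel-a", "gateway": "classic-gw-1", "peer_ip": "203.0.113.10"},
    {"name": "tunnel-b", "gateway": "classic-gw-2", "peer_ip": "198.51.100.7"},
]
EXISTING_BGP_RANGES = [("router-us", "169.254.0.0/30"), ("router-eu", "169.254.1.0/30")]

def generate_shared_secret(nbytes=24):
    """Random preshared key from the OS CSPRNG; 24 bytes encode to 32 characters."""
    return secrets.token_urlsafe(nbytes)

def preflight(new, tunnels=EXISTING_TUNNELS, bgp_ranges=EXISTING_BGP_RANGES):
    """Return a list of problems with a planned tunnel; an empty list means OK."""
    problems = []
    peer = ipaddress.ip_address(new["peer_ip"])
    # Classic VPN: each tunnel on a gateway must go to a unique peer IP address.
    for t in tunnels:
        if t["gateway"] == new["gateway"] and ipaddress.ip_address(t["peer_ip"]) == peer:
            problems.append(f"{t['gateway']} already has {t['name']} to peer {peer}")
    # Dynamic routing: the BGP range must not collide with any Cloud Router's
    # existing session range in the VPC network, whatever the region.
    if new.get("bgp_range"):
        net = ipaddress.ip_network(new["bgp_range"], strict=False)
        for router, rng in bgp_ranges:
            if net.overlaps(ipaddress.ip_network(rng, strict=False)):
                problems.append(f"BGP range {net} overlaps {rng} on {router}")
    if len(new["shared_secret"]) < MIN_SECRET_LEN:
        problems.append(f"shared secret shorter than {MIN_SECRET_LEN} characters")
    return problems

if __name__ == "__main__":
    plan = {"gateway": "classic-gw-1", "peer_ip": "203.0.113.10",
            "bgp_range": "169.254.1.1/30", "shared_secret": generate_shared_secret()}
    for p in preflight(plan):
        print("BLOCKED:", p)
```
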


Follow the steps for creating a route-based VPN gateway and tunnel, but start with Creating a VPN tunnel. If the new tunnel has the same CIDR block, you can skip to Configuring firewall rules.


Once the corresponding tunnel has been configured at your peer VPN gateway, check the status of the Cloud VPN tunnel.

What's next