Configuring the Peer VPN gateway

To complete your VPN configuration, you must configure the following resources on your peer VPN gateway:

  • Corresponding VPN tunnel(s) to Cloud VPN
  • BGP sessions if you are using dynamic routing with Cloud Router.
    You must always configure BGP sessions for HA VPN gateways and for Classic VPN gateways with tunnels that use dynamic routing.
  • Firewall rules
  • IKE settings

All of these resources are described in this document.

See your peer gateway documentation or manufacturer for best practices when setting up your peer gateway. See the VPN Interop Guides page for guides that describe some supported third-party VPN devices and services.

External peer VPN gateway resources for HA VPN

For an HA VPN gateway, you configure an external peer VPN gateway resource that represents your physical peer gateway in Google Cloud. You can also create this resource as a standalone resource and use it later.

To create an external peer VPN gateway, you need the following values from your physical peer gateway (which can also be a third-party software-based gateway). The values for the external peer VPN gateway resource must match the configuration on your physical peer gateway, or the VPN cannot be established:

  • The number of interfaces on your physical VPN gateway
  • External IP address or addresses for the peer gateway(s) or interfaces
  • BGP endpoint IP address(es)
  • The IKE preshared key
  • The ASN of the peer gateway

To create a standalone external peer VPN gateway resource, do the following:

  1. Go to the VPN page in the Google Cloud Console.
  2. Click the Create peer VPN gateway button.
  3. Give the peer gateway a Name.
  4. Select the number of interfaces your physical peer gateway has: one, two, or four.
  5. Add the Interface IP address for each interface on your physical VPN gateway.
  6. Click Create.


When running the following command, enter the interface ID and IP address for each interface of your physical VPN gateway. You can enter 1, 2, or 4 interfaces.

gcloud compute external-vpn-gateways create mygateway \
  --interfaces 0=,1=

The command output should look like the following example:

Creating external VPN Gateway...done.


You can use this list of gateway redundancy types for this command.

Make a POST request with the externalVpnGateways.insert method.

{
    "name": "mygateway",
    "interfaces": [
        {
            "id": 0,
            "ipAddress": ""
        },
        {
            "id": 1,
            "ipAddress": ""
        }
    ],
    "redundancyType": "TWO_IPS_REDUNDANCY"
}
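The following Python example is added here and is not part of the Google Cloud documentation or tooling. It builds the externalVpnGateways.insert request body shown above from a list of peer interface addresses, validates that the count is 1, 2, or 4 and that the addresses are distinct IPv4 addresses, and derives the matching redundancy type; the sample addresses are constructed, and the redundancy enum values are those of the Compute Engine API.

```python
import ipaddress
import json

# Redundancy type is fixed by the number of peer interfaces (1, 2, or 4).
# These are the enum values accepted by the externalVpnGateways API.
REDUNDANCY_BY_COUNT = {
    1: "SINGLE_IP_INTERNALLY_REDUNDANT",
    2: "TWO_IPS_REDUNDANCY",
    4: "FOUR_IPS_REDUNDANCY",
}


def build_external_gateway(name, interface_ips):
    """Return the externalVpnGateways.insert body for a peer gateway.

    Checks the inputs before anything is submitted: 1, 2, or 4
    interfaces, each a distinct, plausible IPv4 address.
    """
    count = len(interface_ips)
    if count not in REDUNDANCY_BY_COUNT:
        raise ValueError(f"peer gateway needs 1, 2, or 4 interfaces, got {count}")
    seen = set()
    interfaces = []
    for idx, raw in enumerate(interface_ips):
        ip = ipaddress.ip_address(raw)  # ValueError on malformed input
        if ip.version != 4:
            raise ValueError(f"interface {idx}: expected IPv4, got {raw}")
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"interface {idx}: {raw} cannot be a peer endpoint")
        if ip in seen:
            raise ValueError(f"interface {idx}: duplicate address {raw}")
        seen.add(ip)
        interfaces.append({"id": idx, "ipAddress": str(ip)})
    return {
        "name": name,
        "interfaces": interfaces,
        "redundancyType": REDUNDANCY_BY_COUNT[count],
    }


def gcloud_command(body):
    """Render the equivalent gcloud invocation from the request body."""
    pairs = ",".join(f"{i['id']}={i['ipAddress']}" for i in body["interfaces"])
    return (f"gcloud compute external-vpn-gateways create {body['name']} "
            f"--interfaces {pairs}")


if __name__ == "__main__":
    # Constructed sample addresses from the TEST-NET-3 documentation range.
    body = build_external_gateway("mygateway", ["203.0.113.10", "203.0.113.11"])
    print(json.dumps(body, indent=2))
    print(gcloud_command(body))
```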

Configuring VPN tunnels

Consult the documentation for your peer VPN gateway to create corresponding tunnels for each Cloud VPN tunnel you've created.

For HA VPN, configure two tunnels on your peer gateway. One tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 0, and another tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 1.

Each tunnel on your peer gateway should also use a different external IP address of your HA VPN gateway as its remote endpoint.

Configuring BGP sessions for dynamic routing

For dynamic routing only, configure your peer VPN gateway to support BGP sessions for the peer subnets you want to advertise to Cloud Router.

Use the ASNs and IP addresses of your Cloud Router, and the information from your Cloud VPN gateway, to configure your peer gateway.

You can use Cloud Router summary information to obtain the Google ASN, configured peer network ASN(s), and BGP IP addresses. See Viewing the Router Configuration to get the above information for your Cloud Router.

For HA VPN, note that the Google ASN, which is the peer ASN from the perspective of your peer VPN gateway, is the same for both tunnels.

Configuring firewall rules

For instructions on configuring firewall rules for your peer network, see Configuring Firewall Rules.

Configuring IKE

For dynamic, route-based, and policy-based routing, use the following instructions to configure IKE on your peer VPN gateway.

Configure the peer VPN gateway and tunnel for IKE using the following parameters:

For IKEv1 and IKEv2:

  • IPsec Mode: ESP+Auth Tunnel mode (Site-to-Site)
  • Auth Protocol: psk
  • Shared Secret: Also known as an IKE pre-shared key. Choose a strong password by following these guidelines. The shared secret is very sensitive as it allows access into your network.
  • Start: auto (peer device should automatically restart the connection if it drops)
  • PFS (Perfect Forward Secrecy): on
  • DPD (Dead Peer Detection): Recommended: Aggressive. DPD detects when the Cloud VPN restarts and routes traffic using alternate tunnels.
  • INITIAL_CONTACT (sometimes called uniqueids): Recommended: on (sometimes called restart). The purpose is to detect restarts faster so that perceived downtime is reduced.
  • TSi (Traffic Selector - Initiator):
    Subnet networks: the ranges specified by the --local-traffic-selector flag. If --local-traffic-selector was not specified because the VPN is in an auto mode VPC network and is announcing only the gateway's subnet, then that subnet range is used.
    Legacy networks: the range of the network.
  • TSr (Traffic Selector - Responder):
    IKEv2: The destination ranges of all of the routes that have --next-hop-vpn-tunnel set to this tunnel.
    IKEv1: Arbitrarily, the destination range of one of the routes that has --next-hop-vpn-tunnel set to this tunnel.
  • MTU: The MTU of the peer VPN device must not exceed 1460 bytes. You must enable prefragmentation on your device, which means that packets must be fragmented first, then encapsulated. For more information, see Maximum Transmission Unit (MTU) considerations.

Additional parameters for IKEv1 only:

  • IKE/ISAKMP: aes128-sha1-modp1024
  • ESP: aes128-sha1
  • PFS Algorithm: Group 2 (MODP_1024)
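The following Python example is added here and is not code from the Google Cloud documentation. It derives the TSi and TSr ranges for one tunnel from the rules in the table above (TSi from --local-traffic-selector or the gateway's subnet; TSr from the routes whose --next-hop-vpn-tunnel is this tunnel, all of them for IKEv2 and a single one for IKEv1) and checks the peer MTU rule; the route records and tunnel names are constructed sample data, not a real API format.

```python
import ipaddress

MAX_PEER_MTU = 1460  # from the MTU row above


def traffic_selectors(tunnel, ike_version, routes,
                      local_traffic_selector=None, gateway_subnet=None):
    """Derive the TSi/TSr CIDR lists the peer must match for one tunnel.

    routes: constructed records with "dest" (CIDR) and "next_hop_vpn_tunnel".
    """
    # TSi: the --local-traffic-selector ranges, or the gateway's own subnet
    # when the flag was omitted in an auto-mode network.
    tsi = list(local_traffic_selector) if local_traffic_selector else [gateway_subnet]
    if not all(tsi):
        raise ValueError("need --local-traffic-selector ranges or the gateway subnet")
    dests = [r["dest"] for r in routes if r["next_hop_vpn_tunnel"] == tunnel]
    if not dests:
        raise ValueError(f"no route uses tunnel {tunnel} as its next hop")
    # Validate every CIDR and drop duplicates while keeping route order.
    tsr = []
    for d in dests:
        net = str(ipaddress.ip_network(d, strict=True))
        if net not in tsr:
            tsr.append(net)
    if ike_version == 1:
        tsr = tsr[:1]  # IKEv1 carries only one responder selector
    return {"TSi": [str(ipaddress.ip_network(t, strict=True)) for t in tsi],
            "TSr": tsr}


def check_mtu(peer_mtu, prefragmentation):
    """Return findings for the peer device's MTU settings (empty list = OK)."""
    findings = []
    if peer_mtu > MAX_PEER_MTU:
        findings.append(f"peer MTU {peer_mtu} exceeds {MAX_PEER_MTU} bytes")
    if not prefragmentation:
        findings.append("prefragmentation must be on: fragment first, then encapsulate")
    return findings


# Constructed sample routes: two use tunnel-0, one uses tunnel-1.
SAMPLE_ROUTES = [
    {"dest": "10.10.0.0/16", "next_hop_vpn_tunnel": "tunnel-0"},
    {"dest": "10.20.0.0/24", "next_hop_vpn_tunnel": "tunnel-0"},
    {"dest": "10.30.0.0/24", "next_hop_vpn_tunnel": "tunnel-1"},
]

if __name__ == "__main__":
    print(traffic_selectors("tunnel-0", 2, SAMPLE_ROUTES, ["192.168.1.0/24"]))
    print(check_mtu(1500, False))
```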

What's next