Configuring the peer VPN gateway

This page describes the steps to complete your VPN configuration.

To complete your configuration, configure the following resources on your peer VPN gateway:

  • Corresponding VPN tunnels to Cloud VPN
  • Border Gateway Protocol (BGP) sessions if you are using dynamic routing with Cloud Router
  • Firewall rules
  • IKE settings

For best practices when setting up your peer gateway, see your peer gateway documentation or manufacturer. For guides that describe some supported third-party VPN devices and services, see Using third-party VPNs with Cloud VPN.

For more information about Cloud VPN, see the following resources:

Configuring external peer VPN gateway resources for HA VPN

For HA VPN, you configure an external peer VPN gateway resource that represents your physical peer gateway in Google Cloud. You can also create this resource as a stand-alone resource and use it later.

To create an external peer VPN gateway resource, you need the following values from your physical peer gateway, which can also be a third-party software-based gateway. For the VPN to be established, the values for the external peer VPN gateway resource must match the configuration on your physical peer gateway:

  • The number of interfaces on your physical VPN gateway
  • External IP address or addresses for one or more peer gateways or interfaces
  • BGP endpoint IP address or addresses
  • The IKE pre-shared key (shared secret)
  • The ASN number

To create a stand-alone external peer VPN gateway resource, complete the following steps.

Console

  1. In the Google Cloud Console, go to the VPN page.

    Go to VPN

  2. Click Create peer VPN gateway.

  3. Give the peer gateway a Name.

  4. Select the number of interfaces that your physical peer gateway has: one, two, or four.

  5. Add the Interface IP address for each interface on your physical VPN gateway.

  6. Click Create.

gcloud

When running the following command, enter the interface ID and IP address for your physical VPN gateway. You can enter 1, 2, or 4 interfaces.

gcloud compute external-vpn-gateways create mygateway \
  --interfaces 0=35.254.128.120,1=35.254.128.121

The command output should look like the following example:

Creating external VPN gateway...done.
NAME       REDUNDANCY_TYPE
mygateway  TWO_IPS_REDUNDANCY

API

For this command, you can use this list of gateway redundancy types.

Make a POST request by using the externalVpnGateways.insert method.

  POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways
  {
    "name": "mygateway",
    "interfaces": [
      {
        "id": 0,
        "ipAddress": "35.254.128.120"
      },
      {
        "id": 1,
        "ipAddress": "35.254.128.121"
      },
    ],
    "redundancyType": "TWO_IPS_REDUNDANCY"
  }

Configuring VPN tunnels

To create corresponding tunnels for each Cloud VPN tunnel that you created, consult the documentation for your peer VPN gateway.

For HA VPN, configure two tunnels on your peer gateway. One tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 0. Another tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 1.

Each tunnel on your peer gateway should also use a unique external IP address for your HA VPN gateway to use.

Configuring BGP sessions for dynamic routing

For dynamic routing only, configure your peer VPN gateway to support BGP sessions for the peer subnets that you want to advertise to Cloud Router.

To configure your peer gateway, use the ASNs and IP addresses of your Cloud Router and the information from your Cloud VPN gateway. To obtain the Google ASN, configured peer network ASNs, and BGP IP addresses, use the Cloud Router summary information.

For HA VPN, the Google ASN—which is the peer ASN from the perspective of your peer VPN gateway—is the same for both tunnels.

Configuring firewall rules

For instructions about configuring firewall rules for your peer network, see Configuring firewall rules.

Configuring IKE

You can configure IKE on your peer VPN gateway for dynamic, route-based, and policy-based routing.

To configure the peer VPN gateway and tunnel for IKE, use the parameters in the following table.

For information about connecting Cloud VPN to some third-party VPN solutions, see Using third-party VPNs with Cloud VPN. For information about IPsec encryption and authentication settings, see Supported IKE ciphers.

For IKEv1 and IKEv2

Setting Value
IPsec Mode ESP+Auth Tunnel mode (Site-to-Site)
Auth Protocol psk
Shared Secret Also known as an IKE pre-shared key. Choose a strong password by following these guidelines. The pre-shared key is sensitive because it allows access into your network.
Start auto (if the peer device drops, it should automatically restart the connection)
PFS (Perfect Forward Secrecy) on
DPD (Dead Peer Detection) Recommended: Aggressive. DPD detects when the VPN restarts and uses alternate tunnels to route traffic.
INITIAL_CONTACT
(sometimes called uniqueids)
Recommended: on (sometimes called restart). Purpose: detect restarts faster so that perceived downtime is reduced.
TSi (Traffic Selector - Initiator)

Subnet networks: the ranges specified by the --local-traffic-selector flag. If --local-traffic-selector is not specified because the VPN is in an auto mode VPC network and is announcing only the gateway's subnet, then that subnet range is used.

Legacy networks: the range of the network.

TSr (Traffic Selector - Responder)

IKEv2: The destination ranges of all the routes that have --next-hop-vpn-tunnel set to this tunnel.

IKEv1: Arbitrarily, the destination range of one of the routes that has --next-hop-vpn-tunnel set to this tunnel.

MTU The maximum transmission unit (MTU) of the peer VPN device must not exceed 1460 bytes. Enable prefragmentation on your device so that packets are fragmented first and then encapsulated. For more information, see MTU considerations.

Additional parameters for IKEv1 only

Setting Value
IKE/ISAKMP aes128-sha1-modp1024
ESP aes128-sha1
PFS Algorithm Group 2 (MODP_1024)

What's next