Create a Classic VPN gateway using dynamic routing

This page describes how to use dynamic routing to create a Classic VPN gateway and one tunnel that uses the Border Gateway Protocol (BGP).

With dynamic routing, you do not specify local or remote traffic selectors; instead, you use a Cloud Router. Route information is exchanged dynamically.

For more information about Cloud VPN, see the following resources:

  • For best practices to consider before setting up Cloud VPN, see Best practices.

  • For more information about Cloud VPN, see the Cloud VPN overview.

  • For definitions of terms used on this page, see Key terms.

Requirements

General guidelines

Install third-party VPN software on a Compute Engine VM

When you create a Classic VPN tunnel with dynamic routing, the IP address that you specify for your peer VPN gateway interface must be assigned to a Compute Engine VM.

Therefore, before you can create any Classic VPN tunnels, you must install third-party VPN software on a Compute Engine VM. When you configure your Classic VPN tunnels, you specify the external IP address of the Compute Engine VM as the peer VPN gateway interface.

In addition, the IP address of the peer VPN gateway interface must be allocated from the regional external IPv4 address pool owned by Google. The IP address can't belong to a Bring your own IP address (BYOIP) range.

Create Cloud Routers

To create a tunnel that uses dynamic routing with Classic VPN, you must use Cloud Router. You can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.

Before you begin

Set up the following items in Google Cloud to make it easier to configure Cloud VPN:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Install the Google Cloud CLI.
  5. To initialize the gcloud CLI, run the following command:

    gcloud init

  6. If you are using the Google Cloud CLI, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project PROJECT_ID

  7. You can also view a project ID that has already been set by running the following command:

    gcloud config list --format='text(core.project)'


Create a custom VPC network and subnet

Before creating a Classic VPN gateway and tunnel, create a Virtual Private Cloud (VPC) network and at least one subnet in the region where the Classic VPN gateway resides.

Create a gateway and tunnel

Console

Configure the gateway

  1. Go to the VPN page in the Google Cloud console.
    Go to the VPN page
    1. If you are creating a gateway for the first time, select the Create VPN connection button.
    2. Select the VPN setup wizard.
  2. Select the radio button for Classic VPN.
  3. Click Continue.
  4. On the Create a VPN connection page, specify the following gateway settings:
    • Name — The name of the VPN gateway. The name cannot be changed later.
    • Description — Optionally, add a description.
    • Network — Specify an existing VPC network in which to create the VPN gateway and tunnel.
    • Region — Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
    • IP address — Create or choose an existing regional external IP address.

Configure tunnels

  1. Specify the following in the Tunnels section for the new tunnel item:

    • Name — The name of the VPN tunnel. The name cannot be changed later.
    • Description — Optionally, type a description.
    • Remote peer IP address — Specify the external IP address of the peer VPN gateway.
    • IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.

    • Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.

    • Routing options — Select Dynamic (BGP). You can only use dynamic routing to connect to third-party VPN gateway software running within a Google Cloud VM instance.

    • Cloud Router — If you haven't already, create a new Cloud Router specifying the options as noted below. Alternatively, you can use an existing Cloud Router, if the Cloud Router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect. If you choose an existing Cloud Router, you'll still create a new BGP session, but the Google ASN is the same. To create a new Cloud Router, specify the following details:

      • Name — The name of the Cloud Router. The name cannot be changed later.
      • Description — Optionally, type a description.
      • Google ASN — Choose a private ASN (64512 through 65534, 4200000000 through 4294967294). This Google ASN is used for all BGP sessions managed by the Cloud Router. The ASN cannot be changed later.
      • Click Save and continue.
    • BGP session — Click the pencil icon, then specify the following details. When you are done, click Save and continue:

      • Name — The name of the BGP session. It cannot be changed later.
      • Peer ASN — A public or private (64512 through 65534, 4200000000 through 4294967294) ASN used by your peer VPN gateway.
      • Advertised route priority — (Optional) The base priority Cloud Router uses when advertising the "to Google Cloud" routes. For more information, see Advertised prefixes and priorities. Your peer VPN gateway imports these as MED values.
      • Cloud Router BGP IP and BGP peer IP — The two BGP interface IP addresses must be link-local IP addresses belonging to a common /30 CIDR from the 169.254.0.0/16 block. Each BGP IP defines the respective link-local IP used to exchange route information. For example, 169.254.1.1 and 169.254.1.2 belong to a common /30 block.
  2. If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can add more tunnels later.

  3. Click Create.

gcloud

In the following commands, replace:

  • PROJECT_ID with the ID of your project.
  • NETWORK with the name of your Google Cloud network.
  • REGION with the Google Cloud region where you need to create the gateway and tunnel.
  • (Optional) The --target-vpn-gateway-region flag specifies the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If you don't specify it, the option is set automatically. This option overrides the default compute/region property value for this command invocation.
  • GW_NAME with the name of the gateway.
  • GW_IP_NAME with a name for the external IP used by the gateway.

Complete the following command sequence to create a Google Cloud gateway:

  1. Create the resources for the Cloud VPN gateway:

    1. Create the target VPN gateway object.

      gcloud compute target-vpn-gateways create GW_NAME \
          --network NETWORK \
          --region REGION \
          --project PROJECT_ID
      
    2. Reserve a regional external (static) IP address:

      gcloud compute addresses create GW_IP_NAME \
          --region REGION \
          --project PROJECT_ID
      
    3. Note the IP address (so you can use it when you configure your peer VPN gateway):

      gcloud compute addresses describe GW_IP_NAME \
          --region REGION \
          --project PROJECT_ID \
          --format='flattened(address)'
      
    4. Create three forwarding rules. These rules instruct Google Cloud to send ESP (IPsec), UDP 500, and UDP 4500 traffic to the gateway.

      gcloud compute forwarding-rules create fr-GW_NAME-esp \
          --load-balancing-scheme=EXTERNAL \
          --ip-protocol ESP \
          --address GW_IP_NAME \
          --target-vpn-gateway GW_NAME \
          --region REGION \
          --project PROJECT_ID
      
      gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
          --load-balancing-scheme=EXTERNAL \
          --ip-protocol UDP \
          --ports 500 \
          --address GW_IP_NAME \
          --target-vpn-gateway GW_NAME \
          --region REGION \
          --project PROJECT_ID
      
      gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
          --load-balancing-scheme=EXTERNAL \
          --ip-protocol UDP \
          --ports 4500 \
          --address GW_IP_NAME \
          --target-vpn-gateway GW_NAME \
          --region REGION \
          --project PROJECT_ID
      
  2. If you haven't already, complete the following command to create a Cloud Router. Replace the options as noted below. Alternatively, you can use an existing Cloud Router, as long as the Cloud Router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect.

    • Replace ROUTER_NAME with a name for the Cloud Router.
    • Replace GOOGLE_ASN with a private ASN (64512 through 65534, 4200000000 through 4294967294). The Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later.

      gcloud compute routers create ROUTER_NAME \
          --asn GOOGLE_ASN \
          --network NETWORK \
          --region REGION \
          --project PROJECT_ID
    
  3. Create the Cloud VPN tunnel with the following details:

    • Replace TUNNEL_NAME with a name for the tunnel.
    • Replace ON_PREM_IP with the external IP address of the peer VPN gateway.
    • Replace IKE_VERS with 1 for IKEv1 or 2 for IKEv2.
    • Replace SHARED_SECRET with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
    • Replace ROUTER_NAME with the name of the Cloud Router you want to use to manage routes for the Cloud VPN tunnel. The Cloud Router must exist before you create the tunnel.

      gcloud compute vpn-tunnels create TUNNEL_NAME \
          --peer-address ON_PREM_IP \
          --ike-version IKE_VERS \
          --shared-secret SHARED_SECRET \
          --router ROUTER_NAME \
          --target-vpn-gateway GW_NAME \
          --region REGION \
          --project PROJECT_ID
      
  4. Configure a BGP session for the Cloud Router by creating an interface and BGP peer. Choose one of the following methods:

    • To let Google Cloud automatically choose the link-local BGP IP addresses:

      1. Add a new interface to the Cloud Router. Supply a name for the interface by replacing INTERFACE_NAME.

        gcloud compute routers add-interface ROUTER_NAME \
            --interface-name INTERFACE_NAME \
            --vpn-tunnel TUNNEL_NAME \
            --region REGION \
            --project PROJECT_ID
        
      2. Add a BGP peer to the interface. Replace PEER_NAME with a name for the peer, and PEER_ASN with the ASN configured for the peer VPN gateway.

        gcloud compute routers add-bgp-peer ROUTER_NAME \
            --peer-name PEER_NAME \
            --peer-asn PEER_ASN \
            --interface INTERFACE_NAME \
            --region REGION \
            --project PROJECT_ID
        

        If you want to define custom learned routes for the peer, add the --set-custom-learned-route-ranges flag when you create the BGP peer, replacing IP_ADDRESS_RANGES with the ranges to learn. You can also optionally use the --custom-learned-route-priority flag to set a priority value between 0 and 65535 (inclusive) for those routes, replacing PRIORITY with that value. Each BGP session has one priority value that applies to all the custom learned routes configured for that session. For more information about this feature, see Custom learned routes.

        gcloud compute routers add-bgp-peer ROUTER_NAME \
            --peer-name PEER_NAME \
            --peer-asn PEER_ASN \
            --interface INTERFACE_NAME \
            --region REGION \
            --project PROJECT_ID \
            --set-custom-learned-route-ranges IP_ADDRESS_RANGES \
            --custom-learned-route-priority PRIORITY
        
      3. List the BGP IP addresses chosen by the Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. The Peer IP Address is the BGP IP you should use to configure your peer VPN gateway.

        gcloud compute routers get-status ROUTER_NAME \
            --region REGION \
            --project PROJECT_ID \
            --format='flattened(result.bgpPeerStatus[].ipAddress,result.bgpPeerStatus[].peerIpAddress)'
        

        Expected output for a Cloud Router managing a single Cloud VPN tunnel (index 0) looks like the following, where GOOGLE_BGP_IP represents the BGP IP of the Cloud Router's interface and ON_PREM_BGP_IP represents the BGP IP of its peer.

        result.bgpPeerStatus[0].ipAddress:     GOOGLE_BGP_IP
        result.bgpPeerStatus[0].peerIpAddress: ON_PREM_BGP_IP
        
    • To manually assign the BGP IP addresses associated with the Google Cloud BGP interface and peer:

      1. Decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range. Assign one of these BGP IP addresses to the Cloud Router in the next command by replacing GOOGLE_BGP_IP. The other BGP IP address is used for your peer VPN gateway. You must configure your device to use that address, and replace ON_PREM_BGP_IP in the last command, below.

      2. Add a new interface to the Cloud Router. Specify a name for the interface by replacing INTERFACE_NAME.

        gcloud compute routers add-interface ROUTER_NAME \
            --interface-name INTERFACE_NAME \
            --vpn-tunnel TUNNEL_NAME \
            --ip-address GOOGLE_BGP_IP \
            --mask-length 30 \
            --region REGION \
            --project PROJECT_ID
        
      3. Add a BGP peer to the interface. Replace PEER_NAME with a name for the peer, and PEER_ASN with the ASN configured for the peer VPN gateway.

        gcloud compute routers add-bgp-peer ROUTER_NAME \
            --peer-name PEER_NAME \
            --peer-asn PEER_ASN \
            --interface INTERFACE_NAME \
            --peer-ip-address ON_PREM_BGP_IP \
            --region REGION \
            --project PROJECT_ID
        

        If you want to define custom learned routes for the peer, add the --set-custom-learned-route-ranges flag when you create the BGP peer, replacing IP_ADDRESS_RANGES with the ranges to learn. You can also optionally use the --custom-learned-route-priority flag to set a priority value between 0 and 65535 (inclusive) for those routes, replacing PRIORITY with that value. Each BGP session has one priority value that applies to all the custom learned routes configured for that session. For more information about this feature, see Custom learned routes.

        gcloud compute routers add-bgp-peer ROUTER_NAME \
            --peer-name PEER_NAME \
            --peer-asn PEER_ASN \
            --interface INTERFACE_NAME \
            --peer-ip-address ON_PREM_BGP_IP \
            --region REGION \
            --project PROJECT_ID \
            --set-custom-learned-route-ranges IP_ADDRESS_RANGES \
            --custom-learned-route-priority PRIORITY
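The constraints this page states in several places can be checked before any of the gcloud commands above are run: the private ranges allowed for the Google ASN, the requirement that the Cloud Router BGP IP and the peer BGP IP be link-local addresses in one /30 of 169.254.0.0/16 (stated for the console steps and again for the manual gcloud method), the need for a cryptographically strong shared secret, and the BGP IP pair reported by gcloud compute routers get-status. The following POSIX shell script is an added example and not Google's code or output: the function names, the SAMPLE_STATUS text and the demo values are constructed for illustration, and the script does not call gcloud itself.

```shell
#!/bin/sh
# Pre-flight checks for a Classic VPN dynamic-routing tunnel. Added example; the function
# names, the SAMPLE_STATUS text and the demo values are this example's own constructions,
# not Google's code or output. The rules enforced are the ones stated on the page: a private
# Google ASN, two link-local BGP IPs in one /30 of 169.254.0.0/16, and a strong shared secret.

# Convert a dotted-quad IPv4 address to an unsigned integer. Fails on malformed input
# (non-digits, empty or leading-zero octets, octets above 255).
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac      # reject octal-looking octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# The Cloud Router BGP IP and the peer BGP IP must both be link-local (169.254.0.0/16),
# share one /30, be distinct, and avoid the /30's network and broadcast addresses.
valid_bgp_pair() {
    a=$(ip_to_int "$1") || return 1
    b=$(ip_to_int "$2") || return 1
    linklocal=2851995648                                     # 169.254.0.0
    [ $(( a & 4294901760 )) -eq "$linklocal" ] || return 1   # mask 255.255.0.0
    [ $(( b & 4294901760 )) -eq "$linklocal" ] || return 1
    [ $(( a & ~3 )) -eq $(( b & ~3 )) ] || return 1          # same /30
    [ "$a" -ne "$b" ] || return 1
    for h in $(( a & 3 )) $(( b & 3 )); do
        [ "$h" -ne 0 ] && [ "$h" -ne 3 ] || return 1         # usable host, not .0 or .3
    done
}

# Private ASN ranges the page allows for the Google ASN: 64512-65534 and 4200000000-4294967294.
valid_private_asn() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    { [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]; } ||
    { [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]; }
}

# A cryptographically strong pre-shared key: 32 bytes from the kernel CSPRNG as 64 hex chars,
# which copies cleanly into both the Cloud VPN tunnel and the peer gateway configuration.
gen_shared_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Read the flattened get-status output (format shown on the page) from stdin, pick the
# BGP IP pair for session index $1 (default 0), and validate the pair.
check_status_output() {
    idx=${1:-0}
    set -- $(awk -v i="$idx" '
        $1 == "result.bgpPeerStatus[" i "].ipAddress:"     { g = $2 }
        $1 == "result.bgpPeerStatus[" i "].peerIpAddress:" { p = $2 }
        END { print g, p }')
    [ $# -eq 2 ] || return 1
    valid_bgp_pair "$1" "$2"
}

# Constructed sample in the get-status output format shown on the page (not real output).
SAMPLE_STATUS='result.bgpPeerStatus[0].ipAddress:     169.254.1.1
result.bgpPeerStatus[0].peerIpAddress: 169.254.1.2'

# Stand-alone demo: validate example values before running the gcloud commands on the page.
if [ "${PREFLIGHT_DEMO:-1}" = "1" ]; then
    valid_private_asn 65000 && echo "Google ASN 65000: ok"
    valid_bgp_pair 169.254.1.1 169.254.1.2 && echo "BGP pair 169.254.1.1/169.254.1.2: ok"
    valid_bgp_pair 169.254.1.1 169.254.1.5 || echo "BGP pair 169.254.1.1/169.254.1.5: rejected (different /30)"
    printf '%s\n' "$SAMPLE_STATUS" | check_status_output 0 && echo "get-status pair: ok"
    secret=$(gen_shared_secret) && echo "generated a ${#secret}-character shared secret"
fi
```

Run the script with sh before the add-interface and add-bgp-peer steps to catch an ASN outside the private ranges or a BGP IP pair that is not in one /30, and pipe the real get-status output into check_status_output after the tunnel is configured to confirm that the addresses the Cloud Router chose match what you configured on the peer VPN gateway. The /30 check deliberately rejects the network and broadcast addresses of the block, so the page's example pair 169.254.1.1 and 169.254.1.2 passes while 169.254.1.0 and 169.254.1.1 does not.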
        

Complete the configuration

Before you can use a new Cloud VPN gateway and its associated VPN tunnel, complete the following steps:

  1. Complete the peer VPN gateway configuration with the third-party VPN software on your Google Cloud VM instance. Configure the corresponding tunnel there. You can only use dynamic routing with Classic VPN to connect to third-party VPN software running within Google Cloud.
  2. Configure firewall rules in Google Cloud and your peer network as required.
  3. Check the status of your VPN tunnel and forwarding rules.

What's next