This page describes how to download a configuration template for your third-party peer VPN device. You configure the device when you connect your on-premises network to Google Cloud by using HA VPN.
You can download the configuration template as the final step of creating the HA VPN connection to a peer VPN gateway. Another option is to download the configuration template for an existing peer VPN gateway that already has established HA VPN tunnels.
Available vendor templates
You can download configuration templates for the following third-party VPN devices:
- Cisco Firepower, running ASA 9.13(1)2 or later
- Fortinet FortiGate 200E, running FortiOS 6.2.3 or later
- Juniper vSRX, running JunOS 18.4R3-S2 or later
These configuration templates apply only to HA VPN and not to Classic VPN.
Considerations for using the templates
When using the configuration templates, keep the following in mind:
You can only download configuration templates for your peer VPN device from the Google Cloud console. The configuration templates are not accessible through the Cloud VPN API or the Google Cloud CLI.
You can only download configuration templates for VPN tunnels that are configured with a Border Gateway Protocol (BGP) session.
The configuration templates might not include any configuration values for the following Google Cloud features:
- Dual stack (IPv4 and IPv6) or IPv6 only HA VPN gateways
- IPv4 BGP session multiprotocol BGP (MP-BGP) configuration
- MD5 for BGP authentication
- IPv6 BGP session configuration
- External IPv6 addresses for HA VPN gateways
If you enable these features in HA VPN, you must add their configuration after you download the configuration template.
The configuration templates might require additional customization before you apply the configuration to your VPN device. For example, customization might be required for your network or the specific operating system version installed on your VPN device. Before you apply the configuration, review the contents of the downloaded configuration file, and make any necessary adjustments.
Some templates include defaults that have been preselected by Google. For example, some templates specify aes256-sha1 algorithms for IKE Phase 1 and Phase 2. You can modify these defaults as needed for your network or security requirements. The selected defaults might differ across vendor devices. For additional details on selected defaults, review the comments at the top of your configuration template.
The configuration templates don't address advanced configurations, such as virtual port assignments or virtual interface definitions.
Required permissions
To create HA VPN gateways and tunnels, you need the permissions listed in Create an HA VPN gateway to a peer VPN gateway.
To download a peer VPN configuration template, you must have the following project permissions.
Download a configuration template for new peer VPN tunnels
To download a configuration template that contains tunnel configurations for a new peer VPN device, perform the following steps:
In the Google Cloud console, go to the VPN page.
Create the VPN tunnels and BGP sessions:
- If you want to create a new HA VPN gateway, click VPN setup wizard. Then follow the wizard to configure an HA VPN gateway, peer VPN gateway resource, VPN tunnels, and BGP sessions. For detailed instructions, see Create an HA VPN to a peer VPN gateway.
- If you want to create tunnels for an existing HA VPN gateway, complete the following steps:
  - Click Create VPN tunnel.
  - In the VPN gateway list, select an HA VPN gateway, and click Continue.
  - Select a peer VPN gateway. Then, create the VPN tunnels and configure the BGP sessions. For detailed instructions, see Add a tunnel from an HA VPN gateway to a peer VPN gateway.
On the Summary and reminder page, click Download configuration. The Download configuration dialog appears.
In the Vendor list, select the vendor for your peer VPN device.
If the vendor of your peer VPN device does not appear in the list, select Other and perform the following steps:
- Record the configuration values listed in the dialog. You use these values to configure your peer VPN device.
- Click Cancel to exit the dialog.
- Complete the instructions in the Use third-party VPNs and Configure the peer VPN gateway pages to configure your peer VPN device.
If you've selected one of the vendors, continue by selecting the platform of your VPN device from the Platform list.
In the Software list, select the software version of your VPN device. The software version reflects the minimum required software version of the VPN device.
After you make all the selections for your peer VPN device, the contents of the template appear in plain text. To download the configuration file, complete one of the following options:
- Click Copy to put the contents of the template into your buffer.
- Click Download to save the text file locally.
Open the file or paste the contents in a text editor of your choice.
Replace all _SNAKE_CASE_ variables in the file with the appropriate values for your VPN gateways and networks.
Because you haven't yet created the VPN tunnels, the IKE pre-shared keys that you configured for each tunnel are stored within the configuration template. Don't replace the _IKE_SHARED_SECRET_PLACEHOLDER_ variables because the variables are already replaced for you.
Complete the configuration by using the commands in the updated configuration file. You might be able to load the entire configuration file on your device, or you might enter the commands through an interactive prompt. For more information, see your peer VPN vendor documentation.
Download a configuration template for existing tunnels
To download a configuration template for your existing peer VPN device and tunnels, perform the following steps:
In the Google Cloud console, go to the VPN page.
Click Peer VPN Gateways.
Next to the peer VPN gateway and VPN tunnels that have configurations you want to download, click Actions, then select Download configuration.
In the Download configuration dialog, select the VPN tunnels that have configurations you want to download. You can only select the VPN tunnels that are configured with a BGP session.
In the Vendor list, select the vendor for your peer VPN device.
If the vendor of your peer VPN device does not appear in the list, select Other and perform the following steps:
- Record the configuration values listed in the dialog. You use these values to configure your peer VPN device.
- Click Cancel to exit the dialog.
- Complete the instructions in the Use third-party VPNs and Configure the peer VPN gateway pages to configure your peer VPN device.
If you've selected one of the vendors, continue by selecting the platform of your VPN device from the Platform list.
In the Software list, select the software version of your VPN device. The software version reflects the minimum required software version of the VPN device.
After you make all the selections for your peer VPN device, the contents of the template appear in plain text. To download the configuration file, complete one of the following options:
- Click Copy to put the contents of the template into your buffer.
- Click Download to save the text file locally.
Open the file or paste the contents in a text editor of your choice.
Replace all _SNAKE_CASE_ variables in the file with the appropriate values for your VPN gateways and networks.
Because these VPN tunnels are already created, you must replace each _IKE_SHARED_SECRET_PLACEHOLDER_ with the IKE pre-shared key configured for each tunnel.
Complete the configuration by using the commands in the updated configuration file. You might be able to load the entire configuration file on your device, or you might enter the commands through an interactive prompt. For more information, see your peer VPN vendor documentation.
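A pre-apply check for the placeholder replacement step in both download procedures above, as an added example that is not part of the original page or of Google's tooling: it lists any _SNAKE_CASE_ variable still present, any remaining _IKE_SHARED_SECRET_PLACEHOLDER_, and lines that keep a SHA-1 proposal such as the aes256-sha1 default so that they can be reviewed. The token pattern, the "!" and "#" comment prefixes, and the sample template are assumptions constructed for illustration and are not real vendor syntax.

```python
import re

# Assumption: template variables are upper-case tokens wrapped in underscores,
# following the page's _SNAKE_CASE_ convention.
PLACEHOLDER_RE = re.compile(r"(?<![A-Za-z0-9_])_[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*_(?![A-Za-z0-9_])")
PSK_PLACEHOLDER = "_IKE_SHARED_SECRET_PLACEHOLDER_"
# Matches "sha1" / "sha-1" inside a proposal such as aes256-sha1, but not sha256.
SHA1_RE = re.compile(r"sha-?1(?![0-9])", re.IGNORECASE)

# Constructed sample; the command syntax is invented, not taken from any vendor.
SAMPLE = """\
! Constructed sample, not real vendor syntax. Variables look like _THIS_.
tunnel 1 peer-address 203.0.113.10
tunnel 1 local-address _ON_PREM_PUBLIC_IP_
tunnel 1 pre-shared-key _IKE_SHARED_SECRET_PLACEHOLDER_
tunnel 1 ike-proposal aes256-sha1
tunnel 1 bgp-peer 169.254.0.1 remote-as 64512 local-as _PEER_ASN_
"""

def lint_template(text, comment_prefixes=("!", "#")):
    """Return findings as line numbers and token names only, never line contents."""
    findings = {"unresolved": [], "psk_missing": [], "sha1_review": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(comment_prefixes):
            continue  # comment lines are not applied to the device
        for token in PLACEHOLDER_RE.findall(line):
            if token == PSK_PLACEHOLDER:
                findings["psk_missing"].append(lineno)
            else:
                findings["unresolved"].append((lineno, token))
        if SHA1_RE.search(line):
            findings["sha1_review"].append(lineno)
    return findings

def ready_to_apply(findings):
    """True when no variable or pre-shared-key placeholder is left in the file."""
    return not findings["unresolved"] and not findings["psk_missing"]

if __name__ == "__main__":
    print(lint_template(SAMPLE))
```

Because a template downloaded for new tunnels already contains the real pre-shared keys, the findings carry only line numbers and token names, so they can be logged or attached to a change ticket without exposing a key.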
What's next
- To check the status of your VPN tunnels, see Check VPN status.
- To view Cloud Logging and Monitoring information, see View logs and metrics.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.