Configuring the On-premises VPN Gateway

This page covers how to configure IKE and BGP for your on-premises VPN gateway.

Configuring IKE

For dynamic, route based, and policy based routing, use the following instructions to configure IKE on your on-premises VPN gateway.

Configure the on-premises VPN gateway and tunnel for IKE using the following parameters.

For IKEv1 and IKEv2:

Setting Value
IPsec Mode ESP+Auth Tunnel mode (Site-to-Site)
Auth Protocol psk
Shared Secret Also known as an IKE pre-shared key. Choose a strong password by following these guidelines. The shared secret is very sensitive as it allows access into your network.
Start auto (on-premises device should automatically restart the connection if it drops)
PFS (Perfect Forward Secrecy) on
DPD (Dead Peer Detection) Recommended: Aggressive. DPD detects when the Cloud VPN restarts and routes traffic using alternate tunnels.
INITIAL_CONTACT (sometimes called uniqueids) Recommended: on (sometimes called restart). The purpose is to detect restarts faster so that perceived downtime is reduced.
TSi (Traffic Selector - Initiator) Subnet networks: the ranges specified by the --local-traffic-selector flag. If --local-traffic-selector was not specified because the VPN is in an auto mode VPC network and is announcing only the gateway's subnet, then that subnet range is used.
Legacy networks: the range of the network.
TSr (Traffic Selector - Responder) IKEv2: The destination ranges of all of the routes that have --next-hop-vpn-tunnel set to this tunnel.
IKEv1: Arbitrarily, the destination range of one of the routes that has --next-hop-vpn-tunnel set to this tunnel.
MTU The MTU of the on-premises VPN device must be set to 1460 or lower. ESP packets leaving the device must not exceed 1460 bytes. You must enable prefragmentation on your device, which means that packets must be fragmented first, then encapsulated. For more information, see Maximum Transmission Unit (MTU) considerations.

Additional parameters for IKEv1 only:

Setting Value
IKE/ISAKMP aes128-sha1-modp1024
ESP aes128-sha1
PFS Algorithm Group 2 (MODP_1024)

Configuring the BGP session for dynamic routing

For dynamic routing only, configure your on-premises VPN gateway to support a BGP session.

To configure your on-premises VPN gateway for a BGP session, look up the ASNs and IP addresses of the and on-premises connections, then use that information to configure your on-premises gateway.


  1. Open the Cloud Router list.
  2. Click on the name of your Cloud Router.
  3. Make a note of the values for Google ASN, On-premises ASN, Cloud Router BGP IP, and On-premises BGP IP.


    gcloud compute --project [PROJECT_ID] routers describe my-router --region asia-east1

     asn: 65001
    - interfaceName: if-bgp-peer1
      name: bgp-peer1
      peerAsn: 65002
    creationTimestamp: '2015-10-19T14:31:52.639-07:00'
    id: '4047683710114914215'
    - ipRange:
      name: if-bgp-peer1
    kind: compute#router
    name: my-router

Make a note of the asn, ipAddress, peerAsn, and peerIpAddress.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...