This page covers how to configure IKE and BGP for your on-premises VPN gateway.
- For instructions on configuring on-premises firewall rules, see the Configuring Firewall Rules page.
- For instructions on configuring VPN gateways, see Choosing a VPN Routing Option.
For dynamic, route-based, and policy-based routing, use the following instructions to configure IKE on your on-premises VPN gateway.
Configure the on-premises VPN gateway and tunnel for IKE using the following parameters.
- For information about connecting Cloud VPN to some third-party VPN solutions, see the VPN Interoperability Guides page.
- For information on IPsec encryption and authentication settings, see Supported IKE Ciphers.
For IKEv1 and IKEv2:
| Parameter | Value |
|---|---|
| IPsec Mode | ESP+Auth Tunnel mode (Site-to-Site) |
| Shared Secret | Also known as an IKE pre-shared key. Choose a strong password by following these guidelines. The shared secret is very sensitive as it allows access into your network. |
| PFS (Perfect Forward Secrecy) | on |
| DPD (Dead Peer Detection) | Recommended: |
| INITIAL_CONTACT (sometimes called uniqueids) | Recommended: |
| TSi (Traffic Selector - Initiator) | Subnet networks: the ranges specified by the<br>Legacy networks: the range of the network. |
| TSr (Traffic Selector - Responder) | IKEv2: The destination ranges of all of the routes that have<br>IKEv1: Arbitrarily, the destination range of one of the routes that has |
| MTU | The MTU of the on-premises VPN device must be set to 1460 or lower. ESP packets leaving the device must not exceed 1460 bytes. You must enable prefragmentation on your device, which means that packets must be fragmented first, then encapsulated. For more information, see Maximum Transmission Unit (MTU) considerations. |
Additional parameters for IKEv1 only:
| Parameter | Value |
|---|---|
| PFS Algorithm | Group 2 (MODP_1024) |
Configuring the BGP session for dynamic routing
For dynamic routing only, configure your on-premises VPN gateway to support a BGP session.
To configure your on-premises VPN gateway for a BGP session, look up the ASNs and IP addresses of the and on-premises connections, then use that information to configure your on-premises gateway.
- Open the Cloud Router list.
- Click on the name of your Cloud Router.
- Make a note of the values for Google ASN, On-premises ASN, Cloud Router BGP IP, and On-premises BGP IP.
```shell
gcloud compute --project [PROJECT_ID] routers describe my-router --region asia-east1
```

```yaml
bgp:
  asn: 65001
bgpPeers:
- interfaceName: if-bgp-peer1
  ipAddress: 169.254.1.1
  name: bgp-peer1
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
creationTimestamp: '2015-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1
  name: if-bgp-peer1
kind: compute#router
name: my-router
network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/my-network
region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router
```

Make a note of the `asn`, `ipAddress`, `peerAsn`, and `peerIpAddress`.
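The on-premises side of the session is the mirror image of the Cloud Router's view: `peerAsn` and `peerIpAddress` are the values your gateway uses for itself, while `asn` and `ipAddress` are its BGP neighbor. The following Python script is an added illustration, not part of Google's documentation or tooling. It reads the router object as JSON (the `--format=json` flag of `gcloud` returns the same object shown above as YAML), derives those four values for each peer, checks that both BGP addresses sit inside the tunnel interface's link-local `ipRange` and that the two ASNs differ (the session is eBGP), and renders an FRRouting `router bgp` stanza for the on-premises gateway. The embedded JSON sample is constructed from the output above; the FRRouting target and the `peering_params`, `validate_peering`, and `frr_config` names are this example's own assumptions.

```python
"""Derive and sanity-check the on-premises side of a Cloud Router BGP session.

Added example (not Google's code). Input is the JSON form of
`gcloud compute routers describe ROUTER --region REGION --format=json`,
the same object the page shows as YAML.
"""
import ipaddress
import json

# Constructed sample: the page's YAML output re-expressed as JSON.
SAMPLE_ROUTER_JSON = """
{
  "bgp": {"asn": 65001},
  "bgpPeers": [
    {"interfaceName": "if-bgp-peer1", "ipAddress": "169.254.1.1",
     "name": "bgp-peer1", "peerAsn": 65002, "peerIpAddress": "169.254.1.2"}
  ],
  "interfaces": [
    {"ipRange": "169.254.1.1/30",
     "linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1",
     "name": "if-bgp-peer1"}
  ],
  "name": "my-router"
}
"""

# Cloud Router BGP addresses are link-local; both ends of the session must sit in this block.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def load_sample():
    """Parse the constructed sample into the dict that gcloud --format=json would return."""
    return json.loads(SAMPLE_ROUTER_JSON)


def peering_params(router):
    """Map each Cloud Router BGP peer to what the on-premises gateway configures.

    The Cloud Router's asn/ipAddress are the on-premises *neighbor*; the
    peer's peerAsn/peerIpAddress are the on-premises gateway's *own* values.
    """
    interfaces = {i["name"]: i for i in router.get("interfaces", [])}
    params = []
    for peer in router.get("bgpPeers", []):
        iface = interfaces.get(peer.get("interfaceName", ""), {})
        params.append({
            "peer_name": peer["name"],
            "local_asn": peer["peerAsn"],           # On-premises ASN
            "local_ip": peer["peerIpAddress"],      # On-premises BGP IP
            "neighbor_asn": router["bgp"]["asn"],   # Google ASN
            "neighbor_ip": peer["ipAddress"],       # Cloud Router BGP IP
            "link": iface.get("ipRange", ""),       # e.g. 169.254.1.1/30
            "tunnel": iface.get("linkedVpnTunnel", "").rsplit("/", 1)[-1],
        })
    return params


def validate_peering(p):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if p["local_asn"] == p["neighbor_asn"]:
        problems.append("ASNs must differ: the Cloud Router session is eBGP")
    if p["local_ip"] == p["neighbor_ip"]:
        problems.append("local and neighbor BGP IPs are identical")
    link = ipaddress.ip_network(p["link"], strict=False) if p["link"] else None
    for label in ("local_ip", "neighbor_ip"):
        addr = ipaddress.ip_address(p[label])
        if addr not in LINK_LOCAL:
            problems.append(f"{label} {addr} is not in {LINK_LOCAL}")
        if link is not None and addr not in link:
            problems.append(f"{label} {addr} is outside the tunnel link {link}")
    return problems


def frr_config(p):
    """Render the on-premises side as an FRRouting bgpd stanza (assumed router software)."""
    prefixlen = ipaddress.ip_network(p["link"], strict=False).prefixlen if p["link"] else 30
    return "\n".join([
        f"! Assign {p['local_ip']}/{prefixlen} to the interface for VPN tunnel {p['tunnel']}",
        f"router bgp {p['local_asn']}",
        f" neighbor {p['neighbor_ip']} remote-as {p['neighbor_asn']}",
        f" neighbor {p['neighbor_ip']} description {p['peer_name']}",
        " address-family ipv4 unicast",
        f"  neighbor {p['neighbor_ip']} activate",
        " exit-address-family",
    ])


if __name__ == "__main__":
    for p in peering_params(load_sample()):
        problems = validate_peering(p)
        print(f"# {p['peer_name']}: " + ("OK" if not problems else "; ".join(problems)))
        print(frr_config(p))
```

Run it against the real output of `gcloud ... --format=json` by replacing `SAMPLE_ROUTER_JSON`; a non-empty list from `validate_peering` means one of the four noted values was copied to the wrong side, which is the most common reason a BGP session over the tunnel never leaves the Active/Connect state.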
- Learn about the basic concepts of Cloud VPN
- Create a custom Virtual Private Cloud network
- Set up different types of Cloud VPN
- Maintain VPN tunnels and gateways
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
- Get troubleshooting help