Configuring the Peer VPN gateway

To complete your VPN configuration, you must configure the following resources on your peer VPN gateway:

  • Corresponding VPN tunnel(s) to Cloud VPN
  • BGP sessions if you are using dynamic routing with Cloud Router.
    You must always configure BGP sessions for HA VPN gateways and for Classic VPN gateways with tunnels that use dynamic routing.
  • Firewall rules
  • IKE settings

All of these resources are described in this document.

See your peer gateway documentation or manufacturer for best practices when setting up your peer gateway. See the VPN Interop Guides page for guides that describe some supported third-party VPN devices and services.

External peer VPN gateway resources for HA VPN

For an HA VPN gateway, you configure an external peer VPN gateway resource that represents your physical peer gateway in Google Cloud. You can also create this resource as a standalone resource and use it later.

To create an external peer VPN gateway, you need the following values from your physical peer gateway, which can also be a third-party, software-based gateway. The values for the external peer VPN gateway resource must match the configuration on your physical peer gateway for the VPN to be established:

  • The number of interfaces on your physical VPN gateway
  • Public IP address or addresses for the peer gateway(s) or interfaces
  • BGP endpoint IP address(es)
  • The IKE preshared key
  • The ASN

To create a standalone external peer VPN gateway resource, do the following:

Console

  1. Go to the VPN page in the Google Cloud Console.
  2. Click the Create peer VPN gateway button.
  3. Give the peer gateway a Name.
  4. Select the number of interfaces your physical peer gateway has: one, two, or four.
  5. Add the Interface IP address for each interface on your physical VPN gateway.
  6. Click Create.

gcloud

When running the following command, enter the interface ID and IP address for each interface of your physical VPN gateway. You can specify 1, 2, or 4 interfaces.

gcloud compute external-vpn-gateways create mygateway \
  --interfaces 0=35.254.128.120,1=35.254.128.121

The command output should look like the following example:

Creating external VPN Gateway...done.
NAME       REDUNDANCY_TYPE
mygateway  TWO_IPS_REDUNDANCY

api

For the redundancyType field of this request, use one of the values in the list of gateway redundancy types.

Make a POST request with the externalVpnGateways.insert method.

  POST https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways
  {
    "name": "mygateway",
    "interfaces": [
      {
        "id": 0,
        "ipAddress": "35.254.128.120"
      },
      {
        "id": 1,
        "ipAddress": "35.254.128.121"
      }
    ],
    "redundancyType": "TWO_IPS_REDUNDANCY"
  }
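The gcloud and API variants above describe the same resource; the interface count (1, 2, or 4), the interface IP addresses and the redundancyType must agree with each other and with the physical gateway. The following script, added here as an example and not part of the Google Cloud documentation or tooling, performs those checks locally and emits both the externalVpnGateways.insert body and the matching --interfaces value for gcloud. TWO_IPS_REDUNDANCY is the value shown on this page; the other two redundancyType names are taken from the Compute API reference and are an assumption of this example, as is the name regex.

```python
import ipaddress
import json
import re

# Interface count -> redundancyType. TWO_IPS_REDUNDANCY appears in the page's
# example output; the other two names are from the Compute API reference
# (assumption of this example, not stated on the page).
REDUNDANCY_BY_INTERFACE_COUNT = {
    1: "SINGLE_IP_INTERNALLY_REDUNDANT",
    2: "TWO_IPS_REDUNDANCY",
    4: "FOUR_IPS_REDUNDANCY",
}

# Compute resource name rule (assumption): lowercase letter first, then
# lowercase letters, digits or hyphens, ending in a letter or digit.
NAME_RE = re.compile(r"[a-z]([-a-z0-9]{0,61}[a-z0-9])?")


def build_external_vpn_gateway(name: str, interface_ips: list[str]) -> dict:
    """Validate the inputs and return the JSON body for externalVpnGateways.insert."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"{name!r} is not a valid resource name")
    count = len(interface_ips)
    if count not in REDUNDANCY_BY_INTERFACE_COUNT:
        raise ValueError(f"peer gateway must have 1, 2 or 4 interfaces, got {count}")
    if len(set(interface_ips)) != count:
        raise ValueError("each interface needs a distinct public IP address")
    interfaces = []
    for idx, ip_text in enumerate(interface_ips):
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
        if ip.version != 4 or not ip.is_global:
            raise ValueError(f"interface {idx}: {ip_text} is not a public IPv4 address")
        # Interface IDs are sequential from 0, as in the page's gcloud and API examples.
        interfaces.append({"id": idx, "ipAddress": str(ip)})
    return {
        "name": name,
        "interfaces": interfaces,
        "redundancyType": REDUNDANCY_BY_INTERFACE_COUNT[count],
    }


def gcloud_interfaces_flag(body: dict) -> str:
    """Render the same interfaces as the value of gcloud's --interfaces flag."""
    return ",".join(f"{i['id']}={i['ipAddress']}" for i in body["interfaces"])


if __name__ == "__main__":
    # Constructed input using the two addresses from the page's example.
    body = build_external_vpn_gateway("mygateway", ["35.254.128.120", "35.254.128.121"])
    print(json.dumps(body, indent=2))
    print("--interfaces", gcloud_interfaces_flag(body))
```

Feed the printed JSON to the POST request shown above, or paste the --interfaces value into the gcloud command; a mismatch between the two representations is what this check is meant to catch before the tunnel is brought up.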

Configuring VPN tunnels

Consult the documentation for your peer VPN gateway to create corresponding tunnels for each Cloud VPN tunnel you've created.

For HA VPN, configure two tunnels on your peer gateway. One tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 0, and another tunnel on the peer gateway should correspond to the Cloud VPN tunnel on interface 1.

Each tunnel on your peer gateway should also use a different public IP address of your HA VPN gateway as its remote endpoint.

Configuring BGP sessions for dynamic routing

For dynamic routing only, configure your peer VPN gateway to support BGP sessions for the peer subnets you want to advertise to Cloud Router.

Use the ASNs and IP addresses of your Cloud Router, and the information from your Cloud VPN gateway, to configure your peer gateway.

You can use Cloud Router summary information to obtain the Google ASN, the configured peer network ASN(s), and the BGP IP addresses. See Viewing the Router Configuration to obtain this information for your Cloud Router.

For HA VPN, note that the Google ASN, which is the peer ASN from the perspective of your peer VPN gateway, is the same for both tunnels.

Configuring firewall rules

For instructions on configuring firewall rules for your peer network, see Configuring Firewall Rules.

Configuring IKE

For dynamic, route-based, and policy-based routing, use the following instructions to configure IKE on your peer VPN gateway.

To configure your on-premises VPN gateway and tunnels for IKE, use the following parameters.

Parameters common to IKEv1 and IKEv2:

IPsec Mode: ESP+Auth tunnel mode (site-to-site)
Auth Protocol: psk
Shared Secret: Also known as the IKE pre-shared key. Choose a strong password by following these guidelines. The shared secret controls access to your network, so handle it with great care.
Start: auto (the on-premises device should reconnect automatically if it is disconnected)
PFS (Perfect Forward Secrecy): on
DPD (Dead Peer Detection): Recommended: Aggressive. DPD detects when Cloud VPN has restarted and traffic has been routed over a different tunnel.
INITIAL_CONTACT (or uniqueids): Recommended: on (or restart). The goal is to detect restarts quickly so that downtime is reduced.
TSi (Traffic Selector - Initiator): Subnet networks: the ranges specified by the --local-traffic-selector flag. If the VPN is in an auto mode VPC network and you did not specify --local-traffic-selector because you only want to advertise the gateway's subnet, the range of that subnet is used.
Legacy networks: the range of the network.
TSr (Traffic Selector - Responder): IKEv2: the destination ranges of all routes whose --next-hop-vpn-tunnel is set to this tunnel.
IKEv1: the destination range of any one route whose --next-hop-vpn-tunnel is set to this tunnel.
MTU: The MTU of the on-premises VPN device must be set to 1460 or lower. ESP packets sent from the on-premises VPN device must not exceed 1460 bytes. You must enable prefragmentation on your device, that is, packets must be fragmented first and then encapsulated. For details, see Maximum Transmission Unit (MTU) considerations.

Additional parameters for IKEv1 only:

IKE/ISAKMP: aes128-sha1-modp1024
ESP: aes128-sha1
PFS Algorithm: Group 2 (modp_1024)

IKE cipher overview

The following IKE ciphers are supported for Classic VPN and HA VPN. There are two sections for IKEv2, one for ciphers using authenticated encryption with associated data (AEAD), and one for ciphers that do not use AEAD.

IKEv2 ciphers that use AEAD

Phase 1

Cipher role: Encryption & Integrity
Ciphers:
  • AES-GCM-8-128
  • AES-GCM-8-192
  • AES-GCM-8-256
  • AES-GCM-12-128
  • AES-GCM-12-192
  • AES-GCM-12-256
  • AES-GCM-16-128
  • AES-GCM-16-192
  • AES-GCM-16-256
Notes: In this list, the first number is the size of the ICV parameter in bytes (octets) and the second is the key length in bits. Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, and 16 becomes 128).

Cipher role: Pseudo-Random Function (PRF)
Ciphers:
  • PRF-AES128-XCBC
  • PRF-AES128-CMAC
  • PRF-HMAC-SHA1
  • PRF-HMAC-MD5
  • PRF-HMAC-SHA2-256
  • PRF-HMAC-SHA2-384
  • PRF-HMAC-SHA2-512
Notes: Many devices won't require an explicit PRF setting.

Cipher role: Diffie-Hellman (DH)
Ciphers:
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
Notes: Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms, in any order.

Cipher role: Phase 1 lifetime
Cipher: 36,000 seconds (10 hours)

Phase 2

Cipher role: Encryption & Integrity
Ciphers:
  • AES-GCM-16-128
  • AES-GCM-16-256
  • AES-GCM-16-192
  • AES-GCM-12-128
  • AES-GCM-8-128
Notes: Cloud VPN's proposal presents these algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms, in any order. The first number in each algorithm is the size of the ICV parameter in bytes (octets) and the second is its key length in bits. Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, 16 becomes 128).

Cipher role: PFS Algorithm (required)
Ciphers:
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
Notes: Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that has one or more of these algorithms, in any order.

Cipher role: Diffie-Hellman (DH)
Cipher: Refer to Phase 1.
Notes: If your VPN gateway requires DH settings for Phase 2, use the same settings you used for Phase 1.

Cipher role: Phase 2 lifetime
Cipher: 10,800 seconds (3 hours)

IKEv2 ciphers that don't use AEAD

Phase 1

Cipher role: Encryption
Ciphers:
  • AES-CBC-128
  • AES-CBC-192
  • AES-CBC-256
  • 3DES-CBC
  • AES-XCBC-96
  • AES-CMAC-96
Notes: Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that uses one or more of these algorithms, in any order.

Cipher role: Integrity
Ciphers:
  • HMAC-SHA1-96
  • HMAC-MD5-96
  • HMAC-SHA2-256-128
  • HMAC-SHA2-384-192
  • HMAC-SHA2-512-256
Notes: Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that has one or more of these algorithms, in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might be referred to as just SHA2-512 or SHA-512, dropping the truncation length number and other extraneous information.

Cipher role: Pseudo-Random Function (PRF)
Ciphers:
  • PRF-AES-128-XCBC
  • PRF-AES-128-CMAC
  • PRF-SHA1
  • PRF-MD5
  • PRF-SHA2-256
  • PRF-SHA2-384
  • PRF-SHA2-512
Notes: Many devices won't require an explicit PRF setting.

Cipher role: Diffie-Hellman (DH)
Ciphers:
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
Notes: Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order.

Cipher role: Phase 1 lifetime
Cipher: 36,000 seconds (10 hours)

Phase 2

Cipher role: Encryption
Ciphers:
  • AES-CBC-128
  • AES-CBC-256
  • AES-CBC-192
Notes: Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order.

Cipher role: Integrity
Ciphers:
  • HMAC-SHA2-256-128
  • HMAC-SHA2-512-256
  • HMAC-SHA1-96
Notes: Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might be referred to as just SHA2-512 or SHA-512, dropping the truncation length number and other extraneous information.

Cipher role: PFS Algorithm (required)
Ciphers:
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
Notes: Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order.

Cipher role: Diffie-Hellman (DH)
Cipher: Refer to Phase 1.
Notes: If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1.

Cipher role: Phase 2 lifetime
Cipher: 10,800 seconds (3 hours)

IKEv1 ciphers

Phase 1

Cipher role: Encryption
Cipher: AES-CBC-128

Cipher role: Integrity
Cipher: HMAC-SHA1-96

Cipher role: Pseudo-Random Function (PRF)
Cipher: PRF-SHA1-96

Cipher role: Diffie-Hellman (DH)
Cipher: modp_1024 (Group 2)

Cipher role: Phase 1 lifetime
Cipher: 36,600 seconds (10 hours, 10 minutes)

Phase 2

Cipher role: Encryption
Cipher: AES-CBC-128

Cipher role: Integrity
Cipher: HMAC-SHA1-96

Cipher role: PFS Algorithm (required)
Cipher: modp_1024 (Group 2)

Cipher role: Diffie-Hellman (DH)
Cipher: If you need to specify DH for your VPN gateway, use the same setting that you used for Phase 1.

Cipher role: Phase 2 lifetime
Cipher: 10,800 seconds (3 hours)
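The IKEv2 tables above state a simple acceptance rule (any proposal containing at least one supported algorithm per role, in any order) and warn that peer-device documentation abbreviates algorithm names, for example SHA-512 for HMAC-SHA2-512-256. The following script, added here as an example and not part of the Google Cloud documentation, applies that rule to a peer's IKEv2 non-AEAD Phase 1 proposal: it normalises vendor-style names, reports which algorithm would be selected per role, lists roles with no overlap, and flags selections that fall in a set of legacy algorithms (3DES, MD5, DH groups below 2048 bits) so an operator can review them before the tunnel goes live. The Cloud VPN lists are copied from the tables; the alias table, the legacy set, and the assumption that Cloud VPN selects the first entry in its own list that the peer also offers are this example's own and are not stated on the page.

```python
# Cloud VPN's IKEv2 (non-AEAD) Phase 1 proposal, copied from the tables above
# in the order they list it.
CLOUD_VPN_IKEV2_PHASE1 = {
    "encryption": ["AES-CBC-128", "AES-CBC-192", "AES-CBC-256", "3DES-CBC",
                   "AES-XCBC-96", "AES-CMAC-96"],
    "integrity": ["HMAC-SHA1-96", "HMAC-MD5-96", "HMAC-SHA2-256-128",
                  "HMAC-SHA2-384-192", "HMAC-SHA2-512-256"],
    "prf": ["PRF-AES-128-XCBC", "PRF-AES-128-CMAC", "PRF-SHA1", "PRF-MD5",
            "PRF-SHA2-256", "PRF-SHA2-384", "PRF-SHA2-512"],
    "dh": ["modp_2048", "modp_2048_224", "modp_2048_256", "modp_1536",
           "modp_3072", "modp_4096", "modp_8192", "modp_1024", "modp_1024_160"],
}

# Abbreviations vendor documentation commonly uses (assumption of this example;
# the page's own example is SHA-512 for HMAC-SHA2-512-256, and the DH group
# numbers come from the tables). Keys are upper-case with spaces replaced by "-".
ALIASES = {
    "AES128": "AES-CBC-128", "AES192": "AES-CBC-192", "AES256": "AES-CBC-256",
    "3DES": "3DES-CBC",
    "SHA1": "HMAC-SHA1-96", "SHA-1": "HMAC-SHA1-96", "MD5": "HMAC-MD5-96",
    "SHA256": "HMAC-SHA2-256-128", "SHA-256": "HMAC-SHA2-256-128", "SHA2-256": "HMAC-SHA2-256-128",
    "SHA384": "HMAC-SHA2-384-192", "SHA-384": "HMAC-SHA2-384-192", "SHA2-384": "HMAC-SHA2-384-192",
    "SHA512": "HMAC-SHA2-512-256", "SHA-512": "HMAC-SHA2-512-256", "SHA2-512": "HMAC-SHA2-512-256",
    "GROUP-2": "MODP_1024", "GROUP-5": "MODP_1536", "GROUP-14": "MODP_2048",
    "GROUP-15": "MODP_3072", "GROUP-16": "MODP_4096", "GROUP-18": "MODP_8192",
}

# Supported by Cloud VPN per the tables, but worth an explicit review decision.
LEGACY = {"3DES-CBC", "HMAC-MD5-96", "PRF-MD5", "MODP_1024", "MODP_1024_160", "MODP_1536"}


def canon(name: str) -> str:
    """Normalise an algorithm name so differently spelled names compare equal."""
    key = name.strip().upper().replace(" ", "-")
    return ALIASES.get(key, key)


def negotiate(peer: dict, cloud: dict = CLOUD_VPN_IKEV2_PHASE1) -> dict:
    """Pick one algorithm per role, or raise ValueError naming roles with no overlap.

    Assumption (not stated on the page): Cloud VPN takes the first entry in its
    own list that the peer also offers. The peer may omit the PRF, as the tables
    note that many devices do not expose that setting.
    """
    chosen, missing = {}, []
    for role, cloud_list in cloud.items():
        offered = {canon(a) for a in peer.get(role, [])}
        if role == "prf" and not offered:
            chosen[role] = None  # device derives the PRF implicitly
            continue
        pick = next((a for a in cloud_list if canon(a) in offered), None)
        if pick is None:
            missing.append(role)
        chosen[role] = pick
    if missing:
        raise ValueError("no common algorithm for: " + ", ".join(missing))
    return chosen


def legacy_choices(chosen: dict) -> list:
    """Return the negotiated algorithms that fall in the LEGACY set, for review."""
    return sorted(a for a in chosen.values() if a and canon(a) in LEGACY)


if __name__ == "__main__":
    # Constructed peer proposal, spelled the way a device vendor's docs might spell it.
    peer_proposal = {"encryption": ["aes256", "aes128"],
                     "integrity": ["sha2-256", "sha1"],
                     "dh": ["group 14", "group 2"]}
    result = negotiate(peer_proposal)
    print("selected:", result)
    print("legacy:", legacy_choices(result))
```

Because the selection rule models Cloud VPN's own ordering, a peer that offers both AES-CBC-256 and AES-CBC-128 is reported as landing on AES-CBC-128; if you need a specific algorithm, the reliable approach is to offer only that algorithm from the peer side rather than rely on ordering.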

What's next