Updated on 2024-12-04 GMT+08:00

Creating a Customer Gateway

Scenario

To connect your on-premises data center or private network to your ECSs in a VPC, you need to create a customer gateway before creating a VPN connection.

Notes and Constraints

  • The identifier of a customer gateway that uses SM series cryptographic algorithms can only be a gateway IP address, which must be a static IP address.
  • A customer gateway identified by a fully qualified domain name (FQDN) supports VPN connections only in policy template mode.
  • Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
  • Only IKEv2 is supported in the policy template mode.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – Customer Gateways.
  5. On the Customer Gateways page, click Create Customer Gateway.
  6. Set parameters as prompted and click Create Now.

    Table 1 lists the customer gateway parameters.

    Table 1 Description of customer gateway parameters

    Parameter: Name
    Description: Name of a customer gateway. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).
    Example Value: cgw-001

    Parameter: Identifier
    Description:
      • IP Address: Specify the IP address of the customer gateway.
      • FQDN: Enter an FQDN. The value is a string of 1 to 128 case-sensitive characters, including letters, digits, and special characters (excluding & < > [ ] \). Spaces are not supported.
        If the customer gateway does not have a fixed IP address, select FQDN.
      Ensure that UDP port 4500 is permitted in a firewall rule on the customer gateway in your on-premises data center or private network.
    Example Value:
      • IP Address: 1.2.3.4
      • FQDN: cgw-fqdn

    Parameter: BGP ASN
    Description: This parameter is available only when Identifier is set to IP Address. Enter the ASN of your on-premises data center or private network. The BGP ASN of the customer gateway must be different from that of the VPN gateway.
    Example Value: 65000

    Parameter: CA certificate (optional)
    Description: For a customer gateway that uses SM series cryptographic algorithms, you need to upload a CA certificate for it to establish VPN connections with a VPN gateway.
      • To upload a new certificate, manually enter a value starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
      • To use an uploaded certificate, select the certificate. Pay attention to the time when the certificate will expire.
    Example Value:
      -----BEGIN CERTIFICATE-----
      CA certificate
      -----END CERTIFICATE-----

    Parameter: Advanced Settings > Tags
    Description: Tag of a VPN resource. The value consists of a key and a value. A maximum of 20 tags can be added. You can select predefined tags or customize tags. To view predefined tags, click View predefined tags.
    Example Value: -

  7. (Optional) If there are two customer gateways, repeat the preceding operations to configure the other customer gateway with a different identifier.
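As an added pre-flight check (example code, not part of the console or any Huawei Cloud API), the following Python encodes the constraints stated in Notes and Constraints and Table 1 so that a gateway definition can be checked before it is submitted. The sm_algorithms, static_ip and ike_version fields are assumptions introduced to represent the conditions the text describes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")       # letters, digits, _ - .
FQDN_FORBIDDEN = set("&<>[]\\ ")                  # excluded characters plus space
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

@dataclass
class CustomerGateway:
    name: str
    identifier_type: str                 # "IP Address" or "FQDN"
    identifier: str
    bgp_asn: Optional[int] = None
    sm_algorithms: bool = False          # assumption: gateway uses SM series algorithms
    static_ip: bool = True               # assumption: whether the gateway IP is static
    ike_version: str = "v2"              # assumption: IKE version planned for connections
    ca_certificate: Optional[str] = None
    tags: Dict[str, str] = field(default_factory=dict)

def validate(cgw: CustomerGateway, vpn_gateway_asn: int) -> List[str]:
    """Return the constraints from this page that the proposed gateway violates."""
    errors: List[str] = []
    if not NAME_RE.match(cgw.name):
        errors.append("name may contain only letters, digits, _, - and .")
    if cgw.identifier_type == "FQDN":
        if not 1 <= len(cgw.identifier) <= 128 or FQDN_FORBIDDEN & set(cgw.identifier):
            errors.append("FQDN must be 1-128 characters without & < > [ ] \\ or spaces")
        if cgw.bgp_asn is not None:
            errors.append("BGP ASN is available only for an IP Address identifier")
        if cgw.ike_version != "v2":
            errors.append("FQDN identifier implies policy template mode, which supports only IKEv2")
        if cgw.sm_algorithms:
            errors.append("SM series algorithms require a static gateway IP address as identifier")
    elif cgw.identifier_type == "IP Address":
        if cgw.bgp_asn is not None and cgw.bgp_asn == vpn_gateway_asn:
            errors.append("customer gateway BGP ASN must differ from the VPN gateway ASN")
        if cgw.sm_algorithms and not cgw.static_ip:
            errors.append("SM series algorithms require a static gateway IP address")
    else:
        errors.append("identifier_type must be 'IP Address' or 'FQDN'")
    if cgw.sm_algorithms:
        cert = (cgw.ca_certificate or "").strip()
        if not (cert.startswith(PEM_BEGIN) and cert.endswith(PEM_END)):
            errors.append("SM series algorithms require a CA certificate in PEM form")
    if len(cgw.tags) > 20:
        errors.append("a maximum of 20 tags can be added")
    return errors
```

Run validate() with the ASN of the VPN gateway the connection will terminate on; an empty list means every rule on this page is satisfied.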

Related Operations

You need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center.