Creating a Customer Gateway
Scenario
To connect your on-premises data center or private network to your ECSs in a VPC, you need to create a customer gateway before creating a VPN connection.
Notes and Constraints
- The identifier of a customer gateway that uses SM series cryptographic algorithms can only be a gateway IP address, which must be a static IP address.
- A customer gateway identified by a fully qualified domain name (FQDN) supports VPN connections only in policy template mode.
- Address groups cannot be used to configure the source and destination subnets in a policy on customer gateway devices.
- Only IKEv2 is supported in the policy template mode.
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Click in the upper left corner of the page, and choose .
- In the navigation pane on the left, choose .
- On the Customer Gateways page, click Create Customer Gateway.
- Set parameters as prompted and click Create Now.
Table 1 lists the customer gateway parameters.
Table 1 Description of customer gateway parameters
Parameter
Description
Example Value
Name
Name of a customer gateway. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).
cgw-001
Routing Mode
Routing mode of the customer gateway.
- Select Dynamic (BGP) when VPN Type is set to Route-based and Routing Mode is set to Dynamic (BGP) for the VPN connection.
- When selecting this option, ensure that the customer gateway supports dynamic BGP.
- The customer gateway can advertise a maximum of 100 BGP routes to the VPN gateway. If more than 100 BGP routes are advertised, the BGP peer relationship is disconnected, causing traffic interruption between the VPN gateway and customer gateway.
- Select Static when VPN Type is set to Route-based and Routing Mode is set to Static for the VPN connection.
- You are advised to select Static when VPN Type is set to Policy-based for the VPN connection.
Static
BGP ASN
The BGP ASN needs to be specified only when Routing Mode is set to Dynamic (BGP).
Enter the ASN of your on-premises data center or private network.
The BGP ASN of the customer gateway must be different from that of the VPN gateway.
65000
Gateway IP Address
IP address used by the customer gateway to communicate with the VPN gateway. The value must be a static address.
Ensure that UDP port 4500 is permitted in a firewall rule on the customer gateway in your on-premises data center or private network.
1.2.3.4
CA certificate (optional)
For a customer gateway that uses SM series cryptographic algorithms, you need to upload a CA certificate for it to establish VPN connections with a VPN gateway.
- To upload a new certificate, manually enter a value starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
- To use an uploaded certificate, select the certificate. Pay attention to the time when the certificate will expire.
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
- (Optional) If there are two customer gateways, repeat the preceding operations to configure the other customer gateway with a different identifier.
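The constraints above can be checked before the values are entered in the console. The following pre-flight check is an added example, not part of the original documentation or the provider's tooling; the dictionary keys (`id_type`, `connection_mode`, `ike_version`, `sm_algorithms` and so on) are hypothetical names chosen for illustration, and whether an address is static cannot be verified by the script.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")   # letters, digits, '_', '-', '.'
MAX_BGP_ROUTES = 100                        # above this the BGP peering is dropped
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def check_customer_gateway(cfg, vpn_gateway_asn=None, advertised_routes=0):
    """Return a list of violations of the page's constraints (empty = OK).

    cfg keys are hypothetical names chosen for this example.
    """
    errs = []
    if not NAME_RE.fullmatch(cfg.get("name", "")):
        errs.append("name: invalid characters")
    id_type = cfg.get("id_type")
    if id_type == "ip":
        try:
            ipaddress.ip_address(cfg.get("identifier", ""))
        except ValueError:
            errs.append("identifier: not an IP address")
    elif id_type == "fqdn":
        if cfg.get("connection_mode") != "policy-template":
            errs.append("fqdn: policy template mode only")
    else:
        errs.append("id_type: must be 'ip' or 'fqdn'")
    if cfg.get("connection_mode") == "policy-template" and cfg.get("ike_version") != "v2":
        errs.append("policy template mode: IKEv2 only")
    if cfg.get("sm_algorithms"):
        if id_type != "ip":
            errs.append("sm: identifier must be a gateway IP address")
        pem = cfg.get("ca_certificate", "").strip()
        if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
            errs.append("sm: CA certificate in PEM form required")
    if cfg.get("routing_mode") == "bgp":
        asn = cfg.get("bgp_asn")
        if asn is None:
            errs.append("bgp: ASN required")
        elif asn == vpn_gateway_asn:
            errs.append("bgp: ASN must differ from the VPN gateway's")
        if advertised_routes > MAX_BGP_ROUTES:
            errs.append("bgp: more than 100 advertised routes")
    return errs

# Constructed sample input using the example values from Table 1.
SAMPLE = {"name": "cgw-001", "id_type": "ip", "identifier": "1.2.3.4",
          "routing_mode": "bgp", "bgp_asn": 65000}
if __name__ == "__main__":
    print(check_customer_gateway(SAMPLE, vpn_gateway_asn=65000, advertised_routes=120))
```

Running the check against the on-premises device's planned route advertisements catches the 100-route limit before it causes a BGP peer disconnect.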
Related Operations
You need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center.