
VPN Customer Gateway


What is a VPN Customer Gateway?

A VPN Customer Gateway on the Webberstop Cloud Portal allows you to establish a secure, encrypted connection between your cloud-based VPC and an external network—such as your on-premises data center or a remote branch office.

This acts as the customer-side endpoint of a Site-to-Site IPsec VPN tunnel, enabling:

  • Secure data transfer
  • Remote access to cloud resources
  • Hybrid cloud connectivity

The tunnel uses standard IPsec: IKE negotiates the keys and ESP carries the data, so traffic crossing the internet is both encrypted and integrity-protected, and each side authenticates the other before any data flows.


Accessing VPN Customer Gateway Settings

To create a VPN Customer Gateway:

  1. Log in to the Cloud Portal.

  2. From the left-hand menu, navigate to Networks > VPN Customer Gateway.

  3. Click the ➕ plus icon at the top right to open the VPN Gateway creation form.


Configuration Parameters

Fill in the form with the following details:

  • Project: Select the project under which this gateway will be created. (Note: Cannot be changed after creation.)

  • Zone: Choose the zone where the gateway will be deployed. This must match the zone of the VPC you're connecting to.

  • Name: Enter a descriptive name for the VPN Customer Gateway.

  • CIDR List: Specify the guest CIDR(s) of the remote (on-premises) subnets that should be reachable through the tunnel, as comma-separated values, for example 192.168.10.0/24,192.168.20.0/24. Each entry must be an RFC1918 private range and must not overlap the VPC CIDR, any guest network CIDR, or another entry in the list; an overlap makes the traffic selectors ambiguous and the tunnel will not carry the intended traffic.

  • Gateway IP: The public IP of the remote gateway (on-premises or third-party VPN device).

  • IPsec Preshared Key: A secret string shared between both VPN endpoints. Avoid quotes and newline characters, which break the generated IPsec configuration. The PSK is the only thing that authenticates the remote peer, so use a long, randomly generated value and hand it to the remote administrator out of band rather than by email or chat.

  • IKE Lifetime: (Default: 86400) Phase-1 security association lifetime in seconds.

  • ESP Lifetime: (Default: 3600) Phase-2 (IPsec SA) lifetime in seconds; the keys protecting the data traffic are renegotiated when it expires.

  • IKE Encryption / Hash / Version / DH Group: Choose encryption standards and Diffie-Hellman group for phase-1 negotiations.

  • Perfect Forward Secrecy (PFS): Derives each Phase-2 key from a fresh Diffie-Hellman exchange instead of from the Phase-1 keying material alone, so compromise of the PSK or of one session key does not expose traffic protected by earlier or later keys. Both ends must agree on the PFS group.

  • ESP Encryption / ESP Hash: Select the algorithm for securing phase-2 (data traffic).

  • Dead Peer Detection (DPD): Enable to automatically detect if the remote peer is unreachable.

  • Force Encapsulation: Always wraps ESP in UDP (port 4500, NAT-T) even when no NAT is detected. Enable this when the remote gateway sits behind NAT or when a firewall on the path drops raw ESP (IP protocol 50).

  • Split Connections: When the CIDR List contains several subnets, negotiate a separate IPsec connection (Phase-2 SA) per remote CIDR instead of one connection carrying all of them. Enable this if the remote device cannot handle multiple subnets in a single Phase-2 SA; either way, only traffic destined for the listed CIDRs enters the tunnel.

🔒 Ensure the IKE and ESP settings (IKE version, encryption, hash, DH group, PFS) match exactly on both sides of the tunnel; a mismatch in any one of them will stop negotiation.

Once all required fields are filled, click Save to create the VPN Customer Gateway.
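Before submitting the form it is worth checking the values the way the portal will, since a rejected CIDR or a typo in the PSK only surfaces after the tunnel fails. The following is an added example, not code from the Webberstop portal: it validates the CIDR List against RFC1918 and overlap rules, checks the PSK for the forbidden characters (the 20-character length floor is this example's own assumption, the page states no minimum), and lists which IKE/ESP fields differ between the portal and on-premises proposals. The field names in the proposal dictionaries are illustrative, not the portal's API names.

```python
import ipaddress

# Assumption (the page gives no numeric floor): treat PSKs shorter than this as weak.
MIN_PSK_LEN = 20

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Fields that must agree on both ends for the tunnel to negotiate. Lifetimes are
# included because the page asks for them to match; a lifetime mismatch on its
# own only changes which side rekeys first, it does not stop negotiation.
PROPOSAL_FIELDS = ["ike_version", "ike_encryption", "ike_hash", "dh_group",
                   "ike_lifetime", "esp_encryption", "esp_hash", "pfs",
                   "esp_lifetime"]


def parse_cidr_list(cidr_list):
    """Split the comma-separated CIDR List field into ip_network objects.
    strict=True rejects entries with host bits set, e.g. 192.168.10.5/24."""
    nets = []
    for item in cidr_list.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def check_cidrs(cidr_list, vpc_cidrs):
    """Return a list of problems with the CIDR List; an empty list means it is
    acceptable. vpc_cidrs is the VPC CIDR plus any guest tier CIDRs, also
    comma-separated."""
    try:
        remote = parse_cidr_list(cidr_list)
        local = parse_cidr_list(vpc_cidrs)
    except ValueError as e:
        return [f"malformed CIDR: {e}"]
    problems = []
    if not remote:
        problems.append("CIDR List is empty")
    for net in remote:
        # subnet_of() only accepts same-version networks, so check the version first
        if net.version != 4 or not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{net} is not an RFC1918 private range")
        for vpc in local:
            if net.overlaps(vpc):
                problems.append(f"{net} overlaps VPC/guest CIDR {vpc}")
    for i, a in enumerate(remote):
        for b in remote[i + 1:]:
            if a.overlaps(b):
                problems.append(f"remote CIDRs {a} and {b} overlap each other")
    return problems


def check_psk(psk):
    """Check the IPsec Preshared Key against the form's constraints and the length floor."""
    problems = []
    if any(c in psk for c in "\"'\r\n"):
        problems.append("PSK contains quote or newline characters")
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    return problems


def proposal_mismatches(portal_side, onprem_side):
    """Return the IKE/ESP fields whose values differ between the two ends."""
    return [f for f in PROPOSAL_FIELDS if portal_side.get(f) != onprem_side.get(f)]


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    portal = {"ike_version": "ikev2", "ike_encryption": "aes256", "ike_hash": "sha256",
              "dh_group": "modp2048", "ike_lifetime": 86400, "esp_encryption": "aes256",
              "esp_hash": "sha256", "pfs": "modp2048", "esp_lifetime": 3600}
    onprem = dict(portal, esp_hash="sha1")            # one field deliberately wrong
    print(check_cidrs("192.168.10.0/24, 192.168.20.0/24", "10.1.0.0/16"))   # []
    print(check_cidrs("10.1.5.0/24,10.1.0.0/20", "10.1.0.0/16"))           # 3 problems
    print(check_psk('short"key'))                                           # 2 problems
    print(proposal_mismatches(portal, onprem))                               # ['esp_hash']
```

Run the same proposal comparison against whatever the on-premises device actually has configured, not against what its administrator remembers; the most common tunnel failure on this page's checklist is a single Phase-2 hash or DH group that differs.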


Connecting to a Site-to-Site VPN

To establish the actual tunnel between your VPC and the customer gateway:

  1. Navigate to the VPC you wish to connect.

  2. Open the VPN Connections tab.

  3. Click + Add Site-to-Site VPN in the top-right corner.

  4. Select the previously created VPN Customer Gateway.

  5. Click Save to finalize the connection.

The VPN tunnel will now be associated with the VPC. Connection details (public IP, PSK, configuration suggestions) will be displayed. You can also manage the connection using the Actions menu to reset or delete the VPN as needed.


Important Notes

  • The Project and Zone for a VPN Customer Gateway cannot be changed after creation.

  • The VPC and Gateway must reside in the same zone for a successful connection.

  • Ensure network ACLs and routing on both sides allow VPN traffic. On the VPC side, the network ACLs of the tiers that should be reachable must permit traffic from the remote CIDRs. On the on-premises side, the firewall in front of the VPN device must allow UDP 500 and UDP 4500 and ESP (IP protocol 50) to and from the VPC's public VPN IP, and routes for the VPC CIDR must point at the VPN device.


Need Help?

If the tunnel does not establish, check the firewall in front of your on-premises VPN device and the device's own IPsec settings. Make sure the IKE/ESP settings exactly match on both ends, that the PSK was copied without surrounding quotes or trailing whitespace, and that the Gateway IP entered in the portal is the public address the remote device actually sends from (not a private address behind NAT).
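The on-premises device's IKE log usually says which of those checks failed. The following is an added example, not part of this page or the Webberstop portal, and it assumes the on-premises peer is strongSwan, whose charon daemon emits the messages matched here; the log excerpt is constructed for illustration with documentation IP ranges and the retransmit threshold is this example's own choice. It maps the common charon failure messages to the setting on this page that is usually responsible.

```python
import re

# Constructed strongSwan (charon) log excerpt for illustration; the addresses are
# documentation ranges and the lines are not from any real system.
SAMPLE_LOG = """\
Jan 10 12:00:01 vpn charon: 05[IKE] initiating IKE_SA webberstop[1] to 203.0.113.10
Jan 10 12:00:01 vpn charon: 05[NET] sending packet: from 198.51.100.5[500] to 203.0.113.10[500] (464 bytes)
Jan 10 12:00:05 vpn charon: 07[IKE] retransmit 1 of request with message ID 0
Jan 10 12:00:12 vpn charon: 09[IKE] retransmit 2 of request with message ID 0
Jan 10 12:00:25 vpn charon: 11[IKE] retransmit 3 of request with message ID 0
Jan 10 12:05:02 vpn charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Each rule: (pattern matched against a log line, which setting on the page to revisit).
# The last rule carries a capture group for the retransmit counter and is handled separately.
RULES = [
    (re.compile(r"NO_PROPOSAL_CHOSEN"),
     "proposal rejected: compare IKE/ESP encryption, hash, DH group and IKE version on both ends"),
    (re.compile(r"AUTHENTICATION_FAILED"),
     "authentication failed: the IPsec Preshared Key (or peer identity) does not match"),
    (re.compile(r"TS_UNACCEPTABLE"),
     "traffic selectors rejected: the CIDR List must match the subnets the remote side offers"),
    (re.compile(r"no matching peer config found"),
     "no peer config: the remote device does not recognise this Gateway IP or identity"),
    (re.compile(r"retransmit (\d+) of request"),
     "no reply from the remote gateway: check that UDP 500/4500 and ESP (IP protocol 50) are allowed"),
]

RETRANSMIT_THRESHOLD = 3  # assumption: fewer retransmits than this are treated as transient


def triage(log_text):
    """Return the distinct hints for the failures found in the log, in first-seen
    order, with the retransmit hint last. Retransmits only count once the counter
    reaches RETRANSMIT_THRESHOLD, and not at all if an IKE_SA was established later."""
    hints = []
    max_retransmit = 0
    established = False
    for line in log_text.splitlines():
        if "IKE_SA" in line and "established" in line:
            established = True
        for pattern, hint in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if pattern.groups:  # the retransmit rule: record the counter, decide at the end
                max_retransmit = max(max_retransmit, int(m.group(1)))
            elif hint not in hints:
                hints.append(hint)
    if max_retransmit >= RETRANSMIT_THRESHOLD and not established:
        hints.append(RULES[-1][1])
    return hints


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print("-", hint)
```

Feed it the relevant slice of the device's log (for strongSwan, the charon lines around the time you pressed Reset on the connection). Retransmits with no reply point at the firewall rather than at IPsec settings, so that is the place to start when the list contains only the last hint.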