In the automotive network architecture, the basic functions of gateway include routing, diagnostic, network management and so on. With the rapid development of connected vehicles, the cyber security has become an important topic in automotive network. A spoof ECU can be used to hack the automotive network. In order to prevent the in-vehicle networks from attacking, automotive gateway is an important part of the security architecture. A secure gateway should be able to authenticate the connected ECU and control the access to critical network domain. The data and signals transferred between gateway and ECU should be protected to against wiretap attacking. The purpose of this paper is to design a secure gateway for in-vehicle networks. In this paper, the designing process of automotive secure gateway is presented. Based on the threat analysis, security requirements for automotive gateway are defined. Message authentication, data encryption and firewall are proposed as the security mechanisms to protect the automotive gateway. Cipher-based Message Authentication Code (CMAC) is used to check the integrity and authentication of network messages. The confidentiality of data and signals is ensured by cryptographic algorithm. Firewall based on frame filter is designed to isolate the untrusted network domain and trusted network domain. The security functions of automotive gateway are validated in a simulated attacking environment. A microcontroller with Hardware Security Module (HSM) is used to implement the security gateway. Considering the influences of security mechanisms, the network latency and bus load rate are tested and the results have proved the security gateway is effective and efficient.