[c-nsp] VPN to Google Cloud, w/ BGP
Tom Storey
tom at snnap.net
Sat Oct 1 11:19:02 EDT 2016
So a bit more stuffing around and I managed to get it working. Here's my
(final/working) config in case anyone else wants to do this:
===================
crypto ikev2 proposal gcp-ikev2-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 2 5 14 15 16
!
crypto ikev2 policy gcp-ikev2-policy-1
 match fvrf any
 proposal gcp-ikev2-proposal-1
!
crypto ikev2 profile gcp-ikev2-profile-1
 match identity remote address gcp.gcp.gcp.gcp 255.255.255.255
 identity local address me.me.me.me
 authentication remote pre-share key xxxxxxxxxxxx
 authentication local pre-share key xxxxxxxxxxxx
 lifetime 10800
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile gcp-ipsec-profile-1
 set transform-set gcp-tset-1
 set pfs group14
 set ikev2-profile gcp-ikev2-profile-1
!
interface Tunnel0
 ip address 169.254.0.2 255.255.255.252
 tunnel source me.me.me.me
 tunnel mode ipsec ipv4
 tunnel destination gcp.gcp.gcp.gcp
 tunnel protection ipsec profile gcp-ipsec-profile-1
!
===================
And then configure BGP or maybe static routes as required.
After adding in the Tunnel0 interface config it just started working
straight away. So I guess my config was right all along; it's just some
other aspect of IPsec that wasn't happy with something missing... Yay,
misleading debug output. :-/
Hope that helps someone else.
Tom
On 28 September 2016 at 11:18, Tom Storey <tom at snnap.net> wrote:
> Hey everyone.
>
> Has anyone ever deployed a VPN to a Google Cloud "Cloud Router",
> specifically with BGP from an IOS based router (887 in my case)?
>
> Do you have a config you can share, or perhaps some time to spare to help
> me through this?
>
> I seem to be hitting a brick wall. The basic issue is that even though the
> VPN light is coming on on the front of my router, it seems to be failing to
> select a proposal, even though I've configured a proposal that should match
> GCP requirements.
>
> There is very little on the ground in the way of examples except a
> document explaining how to do it on an ASA, which I've tried translating to
> IOS, seemingly without any luck. It's probably really easy; I've just not done
> a heck of a lot with IPsec, so I don't know what I'm doing wrong or what
> obvious things I'm missing.
>
> The error reported in the GCP console is:
>
> "Negotiation failed. Encryption, integrity, Diffie-Hellman, and PFS
> parameters on the remote peer must match Compute Engine requirements."
>
> In my debugs I see:
>
> Sep 28 09:33:07.601: IKEv2:IPSec policy validate request sent for profile
> gcp-profile-1 with psh index 2.
>
> Sep 28 09:33:07.601: IKEv2:(SESSION ID = 29646,SA ID = 2):
> Sep 28 09:33:07.601: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Callback received
> for the validate proposal - FAILED.
>
> Sep 28 09:33:07.601: IKEv2:(SESSION ID = 29646,SA ID = 2):Received
> Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-128
> Unknown - 19 Unknown - 18 AES-CBC-128 AES-CBC-256 AES-CBC-192 SHA96
> DH_GROUP_2048_MODP/Group 14 Unknown - 23 DH_GROUP_2048_256_MODP/Group 24
> DH_GROUP_1536_MODP/Group 5 DH_GROUP_3072_MODP/Group 15
> DH_GROUP_4096_MODP/Group 16 Unknown - 18 DH_GROUP_1024_MODP/Group 2 Unknown
> - 22 Don't use ESN
> Sep 28 09:33:07.605:
> Sep 28 09:33:07.605:
> Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):Expected
> Policies: : Failed to find a matching policy
> Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):: Failed to find
> a matching policy
> Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):Sending no
> proposal chosen notify
>
> And my config so far looks like:
>
> crypto ikev2 proposal gcp-proposal-1
>  encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
>  integrity sha1 sha256 sha384 sha512
>  group 2 5 14 15 16 24
> !
> crypto ikev2 policy gcp-policy-1
>  proposal gcp-proposal-1
> !
> crypto ikev2 profile gcp-profile-1
>  match identity remote address x.x.x.x 255.255.255.255
>  identity local address y.y.y.y
>  authentication remote pre-share key xxxxxxxxxxxxxxxxxx
>  authentication local pre-share key xxxxxxxxxxxxxxxxxx
>  lifetime 10800
> !
> crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
>  mode tunnel
> !
> crypto map ipsec-vpns-1 2 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set gcp-tset-1
>  set pfs group2
>  set ikev2-profile gcp-profile-1
>  match address gcp-nets
> !
>
> Which as far as I can tell matches the requirements listed here:
> https://cloud.google.com/compute/docs/vpn/advanced
>
> ASA document that I tried to translate from:
> https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf
>
> Been trying all kinds of different combinations and settings, but I feel
> like I'm stabbing in the dark here at the moment, and I'm getting confused
> about the mixing of policy and proposal mentioned in the debug...
>
> Thanks!
> Tom
>
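The "Received Policies" line in the debug output quoted above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread, from Cisco or from Google: a Python script that parses that line, decodes the transform IDs IOS printed as "Unknown - N" using the IANA IKEv2 registry values, translates a local "crypto ipsec transform-set" plus "set pfs" into the same vocabulary, and reports which parameter, if any, prevents a CHILD_SA match. The proposal text is the one quoted in the thread; the mapping from IOS transform-set keywords to the names IOS uses in the debug line is an assumption, and the transform sets it is run against, other than the thread's own, are constructed for illustration.

```python
"""Check an IOS IPsec transform set / PFS group against the ESP proposal in an IKEv2 "Received Policies" debug line."""
import re

# IANA IKEv2 transform IDs this IOS release prints only as "Unknown - N":
# AES-GCM ICV variants (RFC 4106), DH groups 18 (RFC 3526) and 22-24 (RFC 5114).
IANA_ENCR = {18: "AES-GCM-8", 19: "AES-GCM-12", 20: "AES-GCM-16"}
IANA_DH = {18: "MODP-8192", 22: "MODP-1024-POS160",
           23: "MODP-2048-POS224", 24: "MODP-2048-POS256"}

# Assumed mapping from 'crypto ipsec transform-set' keywords to debug-line names.
IOS_ESP_ENCR = {"esp-aes": "AES-CBC-128", "esp-aes 192": "AES-CBC-192",
                "esp-aes 256": "AES-CBC-256", "esp-gcm": "AES-GCM-128",
                "esp-gcm 256": "AES-GCM-256", "esp-3des": "3DES"}
IOS_ESP_INTEG = {"esp-sha-hmac": "SHA96", "esp-sha256-hmac": "SHA256",
                 "esp-sha384-hmac": "SHA384", "esp-sha512-hmac": "SHA512",
                 "esp-md5-hmac": "MD596"}

TOKEN = re.compile(
    r"(?P<unknown>Unknown - (?P<uid>\d+))"
    r"|(?P<dh>DH_GROUP_\S+/Group (?P<gid>\d+))"
    r"|(?P<integ>\b(?:SHA96|SHA256|SHA384|SHA512|MD596)\b)"
    r"|(?P<encr>\b(?:AES-(?:CBC|GCM)-\d+|3DES|DES|NULL)\b)")

# The proposal exactly as quoted in the thread's 'debug crypto ikev2' output.
DEBUG_LINE = (
    "ESP: Proposal 1: AES-GCM-128 Unknown - 19 Unknown - 18 AES-CBC-128 AES-CBC-256 "
    "AES-CBC-192 SHA96 DH_GROUP_2048_MODP/Group 14 Unknown - 23 "
    "DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_1536_MODP/Group 5 DH_GROUP_3072_MODP/Group 15 "
    "DH_GROUP_4096_MODP/Group 16 Unknown - 18 DH_GROUP_1024_MODP/Group 2 Unknown - 22 "
    "Don't use ESN")


def parse_received(line):
    """Split the remote proposal into encryption/integrity/DH sets. IOS lists
    transforms grouped by type, so 'Unknown - N' is decoded by the section it sits
    in: 18 is an AES-GCM variant before SHA96 but DH group 18 after the groups start."""
    prop = {"encr": set(), "integ": set(), "dh": set()}
    section = "encr"
    for m in TOKEN.finditer(line):
        if m.group("encr"):
            section = "encr"
            prop["encr"].add(m.group("encr"))
        elif m.group("integ"):
            section = "integ"
            prop["integ"].add(m.group("integ"))
        elif m.group("dh"):
            section = "dh"
            prop["dh"].add(int(m.group("gid")))
        elif m.group("unknown"):
            n = int(m.group("uid"))
            prop[section].add({"dh": n, "encr": IANA_ENCR.get(n, f"ENCR-{n}"),
                               "integ": f"INTEG-{n}"}[section])
    return prop


def parse_transform_set(transform_set, pfs_group=None):
    """Translate 'esp-aes esp-sha-hmac' plus 'set pfs groupN' into the same
    vocabulary as the debug line."""
    local = {"encr": set(), "integ": set(), "dh": set()}
    words, i = transform_set.split(), 0
    while i < len(words):
        key = words[i]
        if i + 1 < len(words) and words[i + 1].isdigit():  # e.g. 'esp-aes 256'
            key, i = f"{key} {words[i + 1]}", i + 1
        if key in IOS_ESP_ENCR:
            local["encr"].add(IOS_ESP_ENCR[key])
        elif key in IOS_ESP_INTEG:
            local["integ"].add(IOS_ESP_INTEG[key])
        else:
            raise ValueError(f"unsupported transform keyword: {key}")
        i += 1
    if pfs_group:
        local["dh"].add(int(re.sub(r"\D", "", pfs_group)))
    return local


def check_match(local, remote):
    """Return (ok, reasons). A CHILD_SA needs a common encryption transform, a
    common integrity transform unless the common encryption is AEAD (AES-GCM),
    and, when PFS is set locally, the local group in the remote's DH list."""
    reasons = []
    encr = local["encr"] & remote["encr"]
    if not encr:
        reasons.append(f"no common encryption: local {sorted(local['encr'])} "
                       f"vs remote {sorted(remote['encr'])}")
    aead = bool(encr) and all(e.startswith("AES-GCM") for e in encr)
    if not aead and not (local["integ"] & remote["integ"]):
        reasons.append(f"no common integrity: local {sorted(local['integ'])} "
                       f"vs remote {sorted(remote['integ'])}")
    if local["dh"] and not (local["dh"] & remote["dh"]):
        offered = [IANA_DH.get(g, f"Group {g}") for g in sorted(remote["dh"])]
        reasons.append(f"PFS group {sorted(local['dh'])} not offered; remote offers {offered}")
    return (not reasons, reasons)


if __name__ == "__main__":
    remote = parse_received(DEBUG_LINE)
    for tset, pfs in [("esp-aes esp-sha-hmac", "group2"),        # the thread's original
                      ("esp-aes esp-sha256-hmac", "group14"),    # constructed
                      ("esp-gcm", "group14")]:                   # constructed
        ok, why = check_match(parse_transform_set(tset, pfs), remote)
        print(f"{tset} / {pfs}: {'MATCH' if ok else 'NO MATCH'} {why}")
```

Run against the thread's original transform set (esp-aes esp-sha-hmac, pfs group2) it reports a match, which is consistent with the author's conclusion that the crypto parameters were right and the "no proposal chosen" came from elsewhere. Two things the decoded output makes visible: "Unknown - 18" occurs twice with different meanings (an AES-GCM variant in the encryption section, 8192-bit MODP group 18 in the DH section), and the remote's only non-AEAD integrity transform in this proposal is SHA96 (HMAC-SHA1-96), so an esp-sha256-hmac transform set fails on integrity and esp-gcm is the way to avoid HMAC-SHA1 at the ESP layer against this particular proposal.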