[c-nsp] VPN to Google Cloud, w/ BGP
Tom Storey
tom at snnap.net
Wed Sep 28 06:18:15 EDT 2016
Hey everyone.
Has anyone ever deployed a VPN to a Google Cloud "Cloud Router",
specifically with BGP from an IOS based router (887 in my case)?
Do you have a config you can share, or perhaps some time to spare to help
me through this?
I seem to be hitting a brick wall; the basic issue is that even though the
VPN light is coming on on the front of my router, it seems to be failing to
select a proposal even though I've configured a proposal that should match
GCP requirements.
There is very little on the ground in the way of examples except a document
explaining how to do it on an ASA, which I've tried translating to IOS
seemingly without any luck. It's probably really easy, I've just not done a
heck of a lot with IPSEC so I don't know what I'm doing wrong or what obvious
things I'm missing.
The error reported in the GCP console is:
"Negotiation failed. Encryption, integrity, Diffie-Hellman, and PFS
parameters on the remote peer must match Compute Engine requirements."
In my debugs I see:
Sep 28 09:33:07.601: IKEv2:IPSec policy validate request sent for profile
gcp-profile-1 with psh index 2.
Sep 28 09:33:07.601: IKEv2:(SESSION ID = 29646,SA ID = 2):
Sep 28 09:33:07.601: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Callback received
for the validate proposal - FAILED.
Sep 28 09:33:07.601: IKEv2:(SESSION ID = 29646,SA ID = 2):Received
Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-128
Unknown - 19 Unknown - 18 AES-CBC-128 AES-CBC-256 AES-CBC-192 SHA96
DH_GROUP_2048_MODP/Group 14 Unknown - 23 DH_GROUP_2048_256_MODP/Group 24
DH_GROUP_1536_MODP/Group 5 DH_GROUP_3072_MODP/Group 15
DH_GROUP_4096_MODP/Group 16 Unknown - 18 DH_GROUP_1024_MODP/Group 2 Unknown
- 22 Don't use ESN
Sep 28 09:33:07.605:
Sep 28 09:33:07.605:
Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):Expected
Policies: : Failed to find a matching policy
Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):: Failed to find
a matching policy
Sep 28 09:33:07.605: IKEv2:(SESSION ID = 29646,SA ID = 2):Sending no
proposal chosen notify
And my config so far looks like:
crypto ikev2 proposal gcp-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 2 5 14 15 16 24
!
crypto ikev2 policy gcp-policy-1
 proposal gcp-proposal-1
!
crypto ikev2 profile gcp-profile-1
 match identity remote address x.x.x.x 255.255.255.255
 identity local address y.y.y.y
 authentication remote pre-share key xxxxxxxxxxxxxxxxxx
 authentication local pre-share key xxxxxxxxxxxxxxxxxx
 lifetime 10800
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto map ipsec-vpns-1 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set gcp-tset-1
 set pfs group2
 set ikev2-profile gcp-profile-1
 match address gcp-nets
!
Which as far as I can tell matches the requirements listed here:
https://cloud.google.com/compute/docs/vpn/advanced
ASA document that I tried to translate from:
https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf
Been trying all kinds of different combinations and settings, but I feel
like I'm stabbing in the dark here at the moment, and I'm getting confused
about the mixing of policy and proposal mentioned in the debug...
Thanks!
Tom
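The "Received Policies" debug line in the post is the peer's IKEv2 child SA (ESP) offer, and a child SA only forms when one encryption transform, one integrity transform, one DH group (when PFS is configured) and one ESN setting are all common to both sides. The script below is an added example, not part of the original post or any Cisco or Google material: it parses that debug line into its attributes, builds the local offer from the post's transform-set line and PFS group, and reports per attribute what overlaps. The mapping from IOS transform-set keywords (esp-aes, esp-sha-hmac, ...) to the names the debug prints (AES-CBC-128, SHA96, ...) and the assumption that IOS offers "Don't use ESN" are my own assumptions, marked in the code. Run against the post's config it shows that the algorithm lists themselves do intersect (AES-CBC-128 / SHA96 / Group 2), which is a useful check to separate a genuine proposal mismatch from a policy lookup problem; the "Expected Policies" line being empty is a separate symptom to look at.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the "Received Policies" debug line quoted in the post,
# joined back onto one line (the mail wrapped it).
RECEIVED_LINE = (
    "ESP: Proposal 1: AES-GCM-128 Unknown - 19 Unknown - 18 AES-CBC-128 "
    "AES-CBC-256 AES-CBC-192 SHA96 DH_GROUP_2048_MODP/Group 14 Unknown - 23 "
    "DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_1536_MODP/Group 5 "
    "DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16 Unknown - 18 "
    "DH_GROUP_1024_MODP/Group 2 Unknown - 22 Don't use ESN"
)

@dataclass
class EspProposal:
    encryption: set = field(default_factory=set)
    integrity: set = field(default_factory=set)
    dh_groups: set = field(default_factory=set)   # IANA group numbers
    esn: set = field(default_factory=set)
    unknown: list = field(default_factory=list)   # transform ids IOS could not name

# Token shapes as they appear in the IOS IKEv2 debug output quoted above.
TOKEN_RE = re.compile(
    r"AES-(?:GCM|CBC)-\d+"         # encryption transforms
    r"|SHA\d+"                     # integrity (SHA96 = HMAC-SHA1-96)
    r"|DH_GROUP_\S+/Group \d+"     # DH group with its IANA number
    r"|Unknown - \d+"              # transform ids the router has no name for
    r"|(?:Don't use|Use) ESN"      # extended sequence numbers
)

def parse_received(line: str) -> EspProposal:
    """Split one 'Received Policies' ESP proposal into its attribute sets."""
    p = EspProposal()
    for tok in TOKEN_RE.findall(line):
        if tok.startswith("AES"):
            p.encryption.add(tok)
        elif tok.startswith("SHA"):
            p.integrity.add(tok)
        elif tok.startswith("DH_GROUP"):
            p.dh_groups.add(int(tok.rsplit(" ", 1)[1]))
        elif tok.startswith("Unknown"):
            p.unknown.append(int(tok.rsplit(" ", 1)[1]))
        elif tok.endswith("ESN"):
            p.esn.add(tok)
    return p

# ASSUMED mapping from transform-set keywords to the names the debug prints.
LOCAL_TRANSFORMS = {
    "esp-aes": "AES-CBC-128",
    "esp-aes 192": "AES-CBC-192",
    "esp-aes 256": "AES-CBC-256",
    "esp-gcm": "AES-GCM-128",
    "esp-sha-hmac": "SHA96",
    "esp-sha256-hmac": "SHA256",
}

def local_proposal(transform_set_line: str, pfs_group: Optional[int]) -> EspProposal:
    """Build the local child-SA offer from a 'crypto ipsec transform-set ...'
    line plus the crypto map's 'set pfs' group (None when PFS is off)."""
    p = EspProposal()
    words = transform_set_line.split()[4:]   # drop 'crypto ipsec transform-set <name>'
    i = 0
    while i < len(words):
        key = words[i]
        if i + 1 < len(words) and words[i + 1].isdigit():   # e.g. 'esp-aes 256'
            key = f"{key} {words[i + 1]}"
            i += 1
        i += 1
        if key not in LOCAL_TRANSFORMS:
            raise ValueError(f"no debug name known for transform keyword {key!r}")
        printed = LOCAL_TRANSFORMS[key]
        (p.encryption if printed.startswith("AES") else p.integrity).add(printed)
    if pfs_group is not None:
        p.dh_groups.add(pfs_group)
    p.esn.add("Don't use ESN")   # ASSUMPTION: IOS offers no ESN on this platform
    return p

def negotiate(local: EspProposal, remote: EspProposal) -> dict:
    """Report the per-attribute overlap and whether a child SA could be agreed.
    Simplified: a combined-mode cipher (AES-GCM) needs no integrity transform,
    and with PFS off locally the DH attribute is not checked."""
    enc = sorted(local.encryption & remote.encryption)
    integ = sorted(local.integrity & remote.integrity)
    dh = sorted(local.dh_groups & remote.dh_groups)
    esn = sorted(local.esn & remote.esn)
    integ_ok = bool(integ) or any(e.startswith("AES-GCM") for e in enc)
    dh_ok = bool(dh) if local.dh_groups else True
    return {
        "encryption": enc, "integrity": integ, "dh_groups": dh, "esn": esn,
        "match": bool(enc) and integ_ok and dh_ok and bool(esn),
    }

if __name__ == "__main__":
    remote = parse_received(RECEIVED_LINE)
    local = local_proposal(
        "crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac", pfs_group=2)
    for k, v in negotiate(local, remote).items():
        print(f"{k:>11}: {v}")
```

If the report shows a non-empty overlap for every attribute, the child SA proposals are compatible at the algorithm level and the negotiation failure has to be explained by something else the debug exposes (for instance, which local policy the router selected as "Expected"); if one attribute comes back empty, that attribute is the one to fix in the transform set or the pfs group.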