GCP VPN Tunnel to Cisco ASR 3945 doesn't pass traffic

balabany
Level 1

Hello,

I have a VPN tunnel from GCP to a Cisco ASR 3945. GCP shows me that the tunnel is up and running; however, it doesn't pass traffic. In the GCP logs it shows me the following: "CHILD_SA vpn_91.151.129.245{43} established with SPIs ec90612b_i e16cd384_o and TS 10.128.0.0/20 === 91.151.128.64/32"

I am connected with an IKEv2 key and have tried both Route-Based and Policy-Based connections.

Also, I have observed that while adding the tunnel in GCP, if I type the "telnet" command while it is still loading, it connects to the host; however, once the tunnel adding is finished, it shows me "Host refused to connect". Basically, in my understanding, once the tunnel has its final setup the Cisco side is closing and not allowing me to connect, while during loading I can quickly connect with telnet. Kind of a window gap in which I can do so while the tunnel setup is in progress.

I would be more than happy if you could help me resolve this issue.

Could you please give me some ideas on how to fix this.

2 Replies

@balabany, please can you provide the output of "show crypto ikev2 sa" and "show crypto ipsec sa" from the Cisco router? This will determine if the VPN is up and passing traffic.

@Rob Ingram Thank you for your quick reply.


VPN#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
2 91.151.129.245/500 35.224.9.46/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/6060 sec

VPN#show crypto ipsec sa peer 35.224.9.46

interface: Tunnel175
Crypto map tag: Tunnel175-head-0, local addr 91.151.129.245

protected vrf: (none)
local ident (addr/mask/prot/port): (91.151.128.64/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.240.0/0/0)
current_peer 35.224.9.46 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 91.151.129.245, remote crypto endpt.: 35.224.9.46
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x3B60D1F0(996200944)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0xDA262A2A(3659934250)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 3725, flow_id: Onboard VPN:3725, sibling_flags 80000040, crypto map: Tunnel175-head-0
sa timing: remaining key lifetime (k/sec): (4608000/22828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x9A884010(2592620560)
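The two outputs Rob asked for answer different questions: "show crypto ikev2 sa" tells you whether IKE negotiated, and the packet counters in "show crypto ipsec sa" tell you whether anything is actually being sent through the resulting SA. As an added illustration (not code from the thread or from Cisco), the script below parses the GCP CHILD_SA log line and the Cisco IPsec SA output quoted above, checks that the traffic selectors on both ends describe the same networks, and classifies the counter pattern. The sample text is copied from the posts above (trimmed to the lines the parser needs); the function and field names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample inputs copied from the thread above (GCP log line and the Cisco
# "show crypto ipsec sa" output, trimmed), embedded so this runs offline.
GCP_LOG = ('CHILD_SA vpn_91.151.129.245{43} established with SPIs ec90612b_i '
           'e16cd384_o and TS 10.128.0.0/20 === 91.151.128.64/32')

CISCO_IPSEC_SA = """\
interface: Tunnel175
Crypto map tag: Tunnel175-head-0, local addr 91.151.129.245

protected vrf: (none)
local ident (addr/mask/prot/port): (91.151.128.64/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.240.0/0/0)
current_peer 35.224.9.46 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0

inbound esp sas:
spi: 0xDA262A2A(3659934250)
Status: ACTIVE(ACTIVE)
"""


@dataclass
class IpsecSaSummary:
    interface: str
    local_ts: ipaddress.IPv4Network   # Cisco "local ident"
    remote_ts: ipaddress.IPv4Network  # Cisco "remote ident"
    encaps: int                       # packets sent into the tunnel
    decaps: int                       # packets received from the tunnel
    send_errors: int
    recv_errors: int
    active: bool


def parse_cisco_ipsec_sa(text: str) -> IpsecSaSummary:
    """Pull the selectors, counters and SA state out of 'show crypto ipsec sa'."""
    def ident(kind: str) -> ipaddress.IPv4Network:
        # e.g. "(91.151.128.64/255.255.255.255/0/0)" -> 91.151.128.64/32
        m = re.search(rf"{kind} ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", text)
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

    def counter(label: str) -> int:
        return int(re.search(rf"#pkts {label}: (\d+)", text).group(1))

    errs = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    return IpsecSaSummary(
        interface=re.search(r"^interface: (\S+)", text, re.M).group(1),
        local_ts=ident("local"),
        remote_ts=ident("remote"),
        encaps=counter("encaps"),
        decaps=counter("decaps"),
        send_errors=int(errs.group(1)),
        recv_errors=int(errs.group(2)),
        active="Status: ACTIVE" in text,
    )


def parse_gcp_child_sa(line: str):
    """Return (gcp_side, peer_side) traffic selectors from a CHILD_SA log line."""
    m = re.search(r"TS (\S+) === (\S+)", line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def assess(sa: IpsecSaSummary, gcp_local, gcp_remote) -> list:
    """Classify the state of the tunnel from both ends' view of it."""
    findings = []
    if not sa.active:
        findings.append("no ACTIVE IPsec SA: negotiation problem")
    # GCP lists its own network first; that is the Cisco 'remote ident'.
    if gcp_local == sa.remote_ts and gcp_remote == sa.local_ts:
        findings.append("traffic selectors agree on both ends")
    else:
        findings.append("traffic selectors differ between GCP and Cisco")
    if sa.active and sa.encaps == 0 and sa.decaps == 0:
        findings.append("SA up but zero encaps/decaps: traffic is not being "
                        "steered into the tunnel (check routing on both sides)")
    elif sa.encaps > 0 and sa.decaps == 0:
        findings.append("sending but not receiving: check the peer and return path")
    if sa.send_errors or sa.recv_errors:
        findings.append("send/recv errors present on the SA")
    return findings


if __name__ == "__main__":
    summary = parse_cisco_ipsec_sa(CISCO_IPSEC_SA)
    for finding in assess(summary, *parse_gcp_child_sa(GCP_LOG)):
        print(finding)
```

Run against the quoted output, the selectors match (GCP's 10.128.0.0/20 === 91.151.128.64/32 is the mirror of Cisco's remote/local ident) and the SA is ACTIVE with both counters at zero, so the script reports that no packets are entering the tunnel on either side. Note that the Cisco side only protects the single host 91.151.128.64/32, so only traffic to or from that exact address would ever be counted here.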