IPSec between ASA and GCloud

admins0011111
Level 1

Hi folks,

I have an issue with IPsec tunnels between my Cisco ASAs and Google Cloud. I tried on different ASAs and different GCloud regions.

I was building the tunnel with IKEv1 like this:

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

access-list outside_cryptomap_5 extended permit ip 172.16.0.0 255.255.240.0 10.168.0.0 255.255.240.0

crypto map outside_map1 5 match address outside_cryptomap_5
crypto map outside_map1 5 set pfs
crypto map outside_map1 5 set peer X.X.X.X
crypto map outside_map1 5 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map1 interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

But after a while the tunnel drops with:

Group =X.X.X.X, Username =X.X.X.X, IP =X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Group =X.X.X.X, IP =X.X.X.X, Removing peer from correlator table failed, no match!
Group =X.X.X.X, IP =X.X.X.X, QM FSM error (P2 struct &0x00002aaacb89dc60, mess id 0xb6e79c3c)!
Group =X.X.X.X, IP =X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
If I ping any internal IP in GCloud from my side, the tunnel comes up.

Can anybody help with it? Maybe someone has already come across this.

Accepted Solution
Rahul Govindan
VIP Alumni

Looks like you have set up a route-based VPN on your GCP side. This negotiates 0.0.0.0/0.0.0.0 as the local and remote proxies. I see that GCP has an option for policy-based VPN:

Policy based routing
With this routing option, you specify remote network IP ranges and local subnets when creating the Cloud VPN tunnel. From the perspective of Cloud VPN, the remote network IP ranges are the “right side,” and the local subnets are the “left side” of the VPN tunnel. GCP automatically creates static routes for each of the remote network ranges when the tunnel is created. When creating the corresponding tunnel at the on-premises VPN gateway, the right and left side ranges are reversed.

https://cloud.google.com/vpn/docs/concepts/overview
Is this something you can change to on the GCP side?

https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
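To make the mismatch in the answer concrete, here is an added example (not from the thread or from Cisco) that models the crypto map lookup an ASA performs on the proxy IDs proposed in IKEv1 Quick Mode. It assumes a simplified rule that a proposal matches only when both selectors fall inside the networks of a permit ACE, which is enough to reproduce the "no matching crypto map entry" rejection for 0.0.0.0/0 proposals and the success when the ASA proposes its own ACL networks.

```python
"""Simplified model of an ASA crypto map lookup for IKEv1 proxy IDs.

Constructed for this thread: the crypto map entry mirrors the ACE in
access-list outside_cryptomap_5. Real ASA matching has more cases; the
'proposal must be inside the ACE' rule here is an assumption that covers
the route-based (0.0.0.0/0) versus policy-based case discussed above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    local: IPv4Network   # source side of the 'permit ip' ACE (ASA side)
    remote: IPv4Network  # destination side of the ACE (peer side)


# Built from the question's ACL: 172.16.0.0/20 -> 10.168.0.0/20, crypto map seq 5.
ASA_CRYPTO_MAP = [
    CryptoMapEntry(5, ip_network("172.16.0.0/20"), ip_network("10.168.0.0/20")),
]


def find_matching_entry(crypto_map, local_proxy, remote_proxy):
    """Return the first entry whose ACE covers both proposed proxies, else None.

    A 0.0.0.0/0 selector (what a route-based peer proposes) is wider than any
    specific ACE, so subnet_of() is False and no entry matches.
    """
    local = ip_network(local_proxy)
    remote = ip_network(remote_proxy)
    for entry in crypto_map:
        if local.subnet_of(entry.local) and remote.subnet_of(entry.remote):
            return entry
    return None


def explain(local_proxy, remote_proxy):
    """Produce a log-style verdict for a proposed pair of proxy IDs."""
    entry = find_matching_entry(ASA_CRYPTO_MAP, local_proxy, remote_proxy)
    if entry is None:
        return (f"Rejecting IPSec tunnel: no matching crypto map entry for "
                f"remote proxy {remote_proxy} local proxy {local_proxy}")
    return f"matched crypto map seq {entry.seq}"


if __name__ == "__main__":
    # GCP route-based tunnel initiating towards the ASA: proposes any/any.
    print(explain("0.0.0.0/0", "0.0.0.0/0"))
    # ASA initiating after a ping: proposes the ACL networks, which match.
    print(explain("172.16.0.0/20", "10.168.0.0/20"))
```

This is why the tunnel only came up when traffic was initiated from the ASA side: the ASA proposes its ACL networks, which a route-based peer accepts, while the peer's own any/any proposal never matches the ASA's crypto map.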



I will try it today and let you know the results.

It seems that policy-based has helped! Thank you for the advice!
