04-04-2019 10:25 PM - edited 02-21-2020 09:36 PM
Hi folks,
I have issue with IPSec tunnels between my Cisco ASAs and Google Cloud. I tried on different ASA and different GCloud regions.
I was making a tunnel with ikev1 like that:
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
access-list outside_cryptomap_5 extended permit ip 172.16.0.0 255.255.240.0 10.168.0.0 255.255.240.0
crypto map outside_map1 5 match address outside_cryptomap_5
crypto map outside_map1 5 set pfs
crypto map outside_map1 5 set peer X.X.X.X
crypto map outside_map1 5 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
Group =X.X.X.X, Username =X.X.X.X, IP =X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Group =X.X.X.X, IP =X.X.X.X, Removing peer from correlator table failed, no match!
Group =X.X.X.X, IP =X.X.X.X, QM FSM error (P2 struct &0x00002aaacb89dc60, mess id 0xb6e79c3c)!
Group =X.X.X.X, IP =X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
If I ping any internal IP in GCloud from my side, the tunnel comes up.
Can anybody help with it? Maybe someone has already come across this.
04-05-2019 05:50 AM
Looks like you have set up Route based VPN on your GCP. This negotiates 0.0.0.0/0.0.0.0 as local and remote proxies. I see that GCP has an option for policy based VPN:
Policy based routing: With this routing option, you specify remote network IP ranges and local subnets when creating the Cloud VPN tunnel. From the perspective of Cloud VPN, the remote network IP ranges are the "right side," and the local subnets are the "left side" of the VPN tunnel. GCP automatically creates static routes for each of the remote network ranges when the tunnel is created. When creating the corresponding tunnel at the on-premises VPN gateway, the right and left side ranges are reversed.
https://cloud.google.com/vpn/docs/concepts/overview
Is this something you can change to on the GCP side?
https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
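As an added example (not from the thread, Cisco or Google), a small Python checker that parses the ASA "no matching crypto map entry" message against the crypto-map ACL and reports whether the peer is proposing the 0.0.0.0/0 selectors typical of a route-based tunnel. The log line and ACL are constructed from the formats shown in the thread.

```python
import ipaddress
import re

# Constructed sample inputs in the formats quoted in the thread (not real logs).
REJECT_LINE = ("Group =X.X.X.X, IP =X.X.X.X, Rejecting IPSec tunnel: no matching crypto map "
               "entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 "
               "on interface outside")
CRYPTO_ACL = ("access-list outside_cryptomap_5 extended permit ip "
              "172.16.0.0 255.255.240.0 10.168.0.0 255.255.240.0")

# ASA prints proxy IDs as address/mask/protocol/port; "local" is the ASA side.
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ "
                      r"local proxy ([\d.]+)/([\d.]+)/\d+/\d+")
# A crypto-map ACE: source is the local (ASA-side) range, destination the remote range.
ACL_RE = re.compile(r"permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")


def _net(addr, mask):
    """Build a network from a dotted address and dotted netmask (ASA notation)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_rejection(line):
    """Return (local, remote) networks the peer proposed, or None if not a proxy-ID rejection."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return _net(m.group(3), m.group(4)), _net(m.group(1), m.group(2))


def parse_crypto_acl(line):
    """Return (local, remote) networks from a 'permit ip' crypto-map ACE."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("unsupported ACE format (only 'permit ip src mask dst mask')")
    return _net(m.group(1), m.group(2)), _net(m.group(3), m.group(4))


def diagnose(log_line, acl_line):
    """Classify a rejection: selectors match, peer is route-based, or plain mismatch."""
    proposed = parse_rejection(log_line)
    if proposed is None:
        return "not-a-proxy-rejection"
    local, remote = proposed
    acl_local, acl_remote = parse_crypto_acl(acl_line)
    if local == acl_local and remote == acl_remote:
        return "selectors-match"
    if local.prefixlen == 0 and remote.prefixlen == 0:
        # 0.0.0.0/0 on both sides: peer uses route-based (any/any) selectors.
        return "route-based-peer"
    return "selector-mismatch"


if __name__ == "__main__":
    print(diagnose(REJECT_LINE, CRYPTO_ACL))  # route-based-peer
```

A "route-based-peer" result means the ASA's policy-based crypto map can never match what the peer offers, which is exactly the mismatch the thread resolves by switching the GCP tunnel to policy-based routing with the reversed ranges.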
04-07-2019 09:45 PM
04-08-2019 09:36 PM
It seems that policy has helped! Thank you for the advice!