S2S Issue Google Cloud VPN and Cisco ASA 5545

cisco-asa, google-cloud-platform, google-cloud-vpn, site-to-site-vpn

I'm using Google Cloud VPN gateway and attempting to connect to a CISCO ASA 5545 device on a 3rd party premise. It's a static route setup and the Cisco router is using IKE v1 only.

I have this problem where, from the logs, I can see the connection is established, then it says scheduling rekeying immediately after, then received INVALID_ID_INFORMATION error notify, then received DELETE for IKE_SA vpn_[PEER IP], then deleting IKE_SA vpn_[PEER IP] between [VPN PUBLIC IP]…[PEER IP]. This keeps repeating in the log.

Obviously there are configuration mismatches; the on-premise client wants me to change the encryption to AES-256 or 3DES because "the device does not support AES 128". Is it even possible to change the encryption for Google Cloud VPN once you've chosen to use IKEv1?

According to the documentation (https://cloud.google.com/compute/docs/vpn/advanced), IKEv1 uses aes-cbc-128 encryption. Is it possible to change that to aes-256? Is it possible to make the on-premise device work with aes-128?

Best Answer

Using a static route and IKEv1 posed significant restrictions, but that was what the 3rd party peer would support. The most significant was that I could not use multiple CIDR blocks and was limited to aes-128 for encryption.

After looking up some of the errors in the log, including INVALID_ID_INFORMATION, I found references that suggested the encryption on the ASA device was not matching. I looked this up in the manual and discovered there was aes as an option, which was really aes-128. Once this was resolved on the peer device, I got another INVALID HASH ID in the log.

Checking the status of the connection in gcloud turned out to be very useful (https://cloud.google.com/compute/docs/vpn/creating-vpns); the UI gives little information in this regard:

gcloud compute --project [PROJECT_ID] vpn-tunnels describe tunnel1 --region us-central1

This gave the following useful output:

Please verify that the network range and the remote network IP ranges of the tunnel match the configured IP ranges on the peer device.

The last part was kind of easy; after matching the CIDR blocks defined on the peer device in the Cloud VPN tunnel's local-traffic selector, the tunnel came up.

So to answer some of the questions: is it possible to change the encryption setting on Cloud VPN? No.

Is it possible to make the on-premise Cisco 5545 device work with aes-128? Yes.
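As an added illustration (not part of the original answer), the three checks the answer walks through, IKE version, cipher, and traffic selectors versus the peer's configuration, applied offline to a constructed copy of the `vpn-tunnels describe --format=json` output. The tunnel JSON, the `PEER_BEFORE` dict layout and all addresses are assumptions made up for this example; only the VpnTunnel field names and the aes-128 limit come from the page and the docs it cites.

```python
import ipaddress
import json

# Constructed sample shaped like the JSON that
# `gcloud compute vpn-tunnels describe tunnel1 --region us-central1 --format=json`
# returns; field names are the VpnTunnel resource's, values are invented here.
TUNNEL_JSON = """{
  "peerIp": "203.0.113.10",
  "ikeVersion": 1,
  "localTrafficSelector": ["10.128.0.0/20"],
  "remoteTrafficSelector": ["192.168.10.0/24", "192.168.20.0/24"],
  "status": "NEGOTIATION_FAILURE",
  "detailedStatus": "Please verify that the network range and the remote network IP ranges of the tunnel match the configured IP ranges on the peer device."
}"""

# Constructed view of the peer ASA's configuration as the third party reported it
# (hypothetical dict layout, not an ASA export format).
PEER_BEFORE = {
    "ike_version": 1,
    "encryption": "aes-256",                # the cipher they asked Cloud VPN to use
    "local_networks": ["192.168.10.0/24"],  # networks behind the ASA in its crypto ACL
    "remote_networks": ["10.128.0.0/20"],   # the GCP side of that ACL
}

# Cloud VPN negotiates aes-cbc-128 for IKEv1 (per the docs page cited in the question).
CLOUD_VPN_IKEV1_ENCRYPTION = "aes-128"

def _nets(cidrs):
    """Normalise CIDR strings so equal ranges written differently compare equal."""
    return {ipaddress.ip_network(c.strip(), strict=False) for c in cidrs}

def check_tunnel(tunnel_json, peer):
    """List mismatches between the Cloud VPN tunnel and the peer's reported config."""
    t = json.loads(tunnel_json)
    findings = []
    if t.get("ikeVersion") != peer["ike_version"]:
        findings.append(f"ike_version: tunnel={t.get('ikeVersion')} peer={peer['ike_version']}")
    # Encryption is not configurable on Cloud VPN; for IKEv1 the peer must offer aes-128.
    if t.get("ikeVersion") == 1 and peer["encryption"] != CLOUD_VPN_IKEV1_ENCRYPTION:
        findings.append(f"encryption: peer {peer['encryption']} vs Cloud VPN {CLOUD_VPN_IKEV1_ENCRYPTION}")
    # The tunnel's remote selector must equal the ASA's local networks, and vice versa.
    for field, key in (("remoteTrafficSelector", "local_networks"),
                       ("localTrafficSelector", "remote_networks")):
        gcp, asa = _nets(t.get(field, [])), _nets(peer[key])
        if gcp != asa:
            findings.append(f"{field}: only on GCP {sorted(map(str, gcp - asa))}, "
                            f"only on peer {sorted(map(str, asa - gcp))}")
    if t.get("status") != "ESTABLISHED" and t.get("detailedStatus"):
        findings.append(f"detailedStatus: {t['detailedStatus']}")
    return findings
```

Running `check_tunnel(TUNNEL_JSON, PEER_BEFORE)` reports the cipher mismatch and the 192.168.20.0/24 range that exists only in the tunnel's remote selector, which is the same pair of problems the answer had to fix before the tunnel came up.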