
I hope you guys can help me with something that drives me crazy.

On this page, Google lists the protocols and ciphers they accept to establish the VPN connection: https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers

We are configuring the VPN tunnel on the Cisco device as Google says.

For some reason I don't know yet, the VPN tunnel CONNECTS, but is immediately CLOSED with an unexpected error:

Handshake with peer broken for unknown reason. Trying again soon.

In the logs I can see the debug info: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

TFC packing is allowed on the Cisco device.

I don't know if the problem is on the GCP side or the Cisco side.

GCP logs:

"parsed INFORMATIONAL_V1 request 2632036216 [ HASH N(DPD_ACK) ]",
"received packet: from ***.***.***.***[500] to ***.***.***.***[500] (566 bytes)",
"parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]",
"received Cisco Delete Reason vendor ID",
"received Cisco Copyright (c) 2009 vendor ID",
"received FRAGMENTATION vendor ID",
"authentication of '***.***.***.***' (myself) with pre-shared key",
"establishing CHILD_SA vpn_***.***.***.***{1}",
"generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]",
"sending packet: from ***.***.***.***[500] to ***.***.***.***[500] (305 bytes)",
"received packet: from ***.***.***.***[500] to ***.***.***.***[500] (229 bytes)",
"parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]",
"authentication of '***.***.***.***' with pre-shared key successful",
"IKE_SA vpn_***.***.***.***[2394] established between ***.***.***.***[***.***.***.***]...***.***.***.***[***.***.***.***]",
"scheduling rekeying in 35523s",
"maximum IKE_SA lifetime 36123s",
"received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding",
"handling HA CHILD_SA vpn_***.***.***.***{2394} 10.***.***.***/24  === 10.***.***.***/27  (segment in: 1, out: 1)",
"CHILD_SA vpn_***.***.***.***{2394} established with SPIs 85f6c14e_i 8bbaa400_o and TS 10.***.***.***/24 === 10.***.***.***/27 ",
"received packet: from ***.***.***.***[500] to ***.***.***.***[500] (69 bytes)",
"received DELETE for ESP CHILD_SA with SPI 8bbaa400",
"closing CHILD_SA vpn_***.***.***.***{2394} with SPIs 85f6c14e_i (0 bytes) 8bbaa400_o (0 bytes) and TS 10.***.***.***/24  === 10.***.***.***/27 ",
"CHILD_SA closed",

Config on Cisco Firepower

Cisco Firepower

Version: 2.6(1.167)

Phase 1 configuration

crypto ikev2 policy 50
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha256
 lifetime seconds 36000

Phase 2 configuration

crypto map VpnOutside 3 match address vpnXXX
crypto map VpnOutside 3 set pfs group14
crypto map VpnOutside 3 set peer ***.***.***.***
crypto map VpnOutside 3 set ikev2 ipsec-proposal AES-GCM-256
crypto map VpnOutside 3 set security-association lifetime seconds 10800
crypto map VpnOutside 3 set tfc-packets


tunnel-group ***.***.***.*** type ipsec-l2l
tunnel-group ***.***.***.*** ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


ACL interesting traffic

access-list vpnXXX extended permit ip ***.***.***.*** 255.255.255.224 object-group XXX

object-group network XXX
 network-object ***.***.***.*** 255.255.255.0

Do you have any idea what the problem is here?

I hope for help; thank you in advance. Bye

Andrew Schulman
Tres06
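A small triage script, added here as an example (not part of the question or of any Cisco/Google tooling), that correlates the strongSwan-style CHILD_SA lines in a log excerpt like the one above by SPI and reports every SA the peer deleted before a single ESP byte was carried, together with whether the ESP_TFC_PADDING_NOT_SUPPORTED notify was seen on the way. The sample log and the masked addresses are constructed; the SA name `vpn_peer{2394}` is a placeholder.

```python
import re

# Constructed sample, modelled on the excerpt in the question (addresses replaced).
SAMPLE_LOG = '''
"received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding",
"CHILD_SA vpn_peer{2394} established with SPIs 85f6c14e_i 8bbaa400_o and TS 10.0.0.0/24 === 10.1.0.0/27 ",
"received packet: from 198.51.100.1[500] to 203.0.113.1[500] (69 bytes)",
"received DELETE for ESP CHILD_SA with SPI 8bbaa400",
"closing CHILD_SA vpn_peer{2394} with SPIs 85f6c14e_i (0 bytes) 8bbaa400_o (0 bytes) and TS 10.0.0.0/24  === 10.1.0.0/27 ",
"CHILD_SA closed",
'''

ESTABLISHED = re.compile(r'CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o')
DELETE = re.compile(r'received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)')
CLOSING = re.compile(r'closing CHILD_SA \S+ with SPIs [0-9a-f]+_i \((\d+) bytes\) ([0-9a-f]+)_o \((\d+) bytes\)')
TFC_NOTIFY = 'ESP_TFC_PADDING_NOT_SUPPORTED'


def triage(log_text):
    """Correlate CHILD_SA lifecycle lines by SPI and return the SAs that the
    peer deleted while zero bytes had been carried in both directions, i.e.
    a tunnel that 'connects' and is torn down at once, as in the question."""
    sas = {}          # outbound SPI -> lifecycle record
    tfc_seen = False  # peer signalled it does not support ESPv3 TFC padding
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().strip('",')   # drop the JSON quoting around each entry
        if TFC_NOTIFY in line:
            tfc_seen = True
        if m := ESTABLISHED.search(line):
            sas[m.group(3)] = {'name': m.group(1), 'spi_in': m.group(2),
                               'spi_out': m.group(3), 'peer_deleted': False}
        elif (m := DELETE.search(line)) and m.group(1) in sas:
            # The peer's DELETE names its inbound SPI, which is our outbound one.
            sas[m.group(1)]['peer_deleted'] = True
        elif (m := CLOSING.search(line)) and m.group(2) in sas:
            rec = sas.pop(m.group(2))
            rec['bytes'] = int(m.group(1)) + int(m.group(3))
            rec['tfc_notify_seen'] = tfc_seen
            if rec['peer_deleted'] and rec['bytes'] == 0:
                findings.append(rec)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']}: peer DELETE with 0 bytes carried "
              f"(SPIs {f['spi_in']}_i/{f['spi_out']}_o, TFC notify seen: {f['tfc_notify_seen']})")
```

Run it over the full GCP log export to see whether every CHILD_SA follows the same establish-then-peer-DELETE pattern, which points at the Cisco side rejecting the negotiated SA rather than at a transient outage.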