
As per the Google docs, we have configured a Cisco ASA FTD VPN tunnel with the supported Phase 1 and Phase 2 ciphers, but the connection is not established. The status is "Initial Handshake".

In the logs we can see a Phase 1 DH group mismatch from the Cisco end.

Ciphers we used to configure the tunnel -> https://cloud.google.com/vpn/docs/concepts/supported-ike-ciphers#ikev1-ciphers

Google promises they use the above ciphers when we select IKEv1, so why is it not connecting, and why are we getting a DH group mismatch error in the logs? All the necessary VPN ports are open from both ends.

Any help would be appreciated .

Deena
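The "DH group mismatch" in the question comes from the Phase 1 proposal exchange: the initiator offers its policies in priority order and the responder accepts the first one whose encryption, integrity, DH group and authentication method it all supports. If every offered policy is acceptable except for the DH group, the only error the initiator can log is a DH group mismatch, even though each cipher on its own appears in the peer's supported list. The following model of that matching is an added example, not code from the original post, from Google or from Cisco. The responder policy (`SAMPLE_RESPONDER`) and the initiator policy sets are constructed samples; they are not Google Cloud VPN's real cipher list, which should be taken from the supported-IKE-ciphers page linked above.

```python
"""IKEv1 Phase 1 proposal matching, modelled to show where a
"DH group mismatch" comes from. Added example; vendor-neutral."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Phase1Proposal:
    """One Phase 1 policy as an initiator offers it (constructed fields)."""
    encryption: str    # e.g. "aes-256"
    integrity: str     # e.g. "sha1", "sha256"
    dh_group: int      # Diffie-Hellman group number, e.g. 2, 5, 14, 19
    auth: str = "psk"  # authentication method


# Attribute name -> set of values the responder accepts.
ResponderPolicy = Dict[str, Set]

ATTRIBUTES = ("encryption", "integrity", "dh_group", "auth")


def match_proposal(p: Phase1Proposal, accepts: ResponderPolicy) -> List[str]:
    """Return the attribute names on which the responder rejects `p`.
    An empty list means the proposal is acceptable."""
    return [attr for attr in ATTRIBUTES if getattr(p, attr) not in accepts[attr]]


def negotiate(offered: List[Phase1Proposal],
              accepts: ResponderPolicy
              ) -> Tuple[Optional[Phase1Proposal], Dict[int, List[str]]]:
    """Walk the initiator's proposals in priority order (index 0 first) and
    return the first one the responder accepts, plus the rejection reasons
    for every proposal examined before it."""
    rejections: Dict[int, List[str]] = {}
    for i, p in enumerate(offered):
        bad = match_proposal(p, accepts)
        if not bad:
            return p, rejections
        rejections[i] = bad
    return None, rejections


def diagnose(chosen: Optional[Phase1Proposal],
             rejections: Dict[int, List[str]]) -> str:
    """Summarise the outcome. When no proposal was accepted and every one of
    them failed solely on the DH group, this is the case the question
    describes: ciphers look supported, log says DH group mismatch."""
    if chosen is not None:
        return "ok"
    failing = {attr for bad in rejections.values() for attr in bad}
    if failing == {"dh_group"}:
        return "dh-group-mismatch"
    return "mismatch:" + ",".join(sorted(failing))


# CONSTRUCTED responder policy for illustration only; not Google's real list.
SAMPLE_RESPONDER: ResponderPolicy = {
    "encryption": {"aes-128", "aes-192", "aes-256"},
    "integrity": {"sha1", "sha256", "sha512"},
    "dh_group": {14, 15, 16, 19, 20},
    "auth": {"psk"},
}

# CONSTRUCTED initiator policies: every cipher is individually accepted by
# SAMPLE_RESPONDER, but both policies use DH groups it does not accept.
BROKEN_INITIATOR = [
    Phase1Proposal("aes-256", "sha1", 5),
    Phase1Proposal("aes-128", "sha1", 2),
]

# Same policies plus one that pairs the accepted ciphers with an accepted
# DH group; the responder picks it because the earlier two are rejected.
FIXED_INITIATOR = BROKEN_INITIATOR + [Phase1Proposal("aes-256", "sha1", 14)]


def check_phase1(offered: List[Phase1Proposal],
                 accepts: ResponderPolicy = SAMPLE_RESPONDER
                 ) -> Tuple[Optional[Phase1Proposal], str]:
    """Run the negotiation and return (chosen proposal or None, verdict)."""
    chosen, rejections = negotiate(offered, accepts)
    return chosen, diagnose(chosen, rejections)


if __name__ == "__main__":
    for label, offered in (("broken", BROKEN_INITIATOR), ("fixed", FIXED_INITIATOR)):
        chosen, verdict = check_phase1(offered)
        print(f"{label}: verdict={verdict} chosen={chosen}")
```

The practical check this suggests is to compare the initiator's policies attribute by attribute against the peer's list rather than cipher by cipher: a policy is only usable if all four of its attributes are accepted together, and a responder that supports, say, group 14 does not help if no offered policy actually carries group 14.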

2 Answers


Since the Cisco device is behind NAT, the Cisco VPN gateway must identify itself using the public IP address of the NAT device.

Here Google Cloud VPN is RFC 7815 compliant, but Cisco ASA FTD isn't RFC 7815 compliant. Because of that, setting the device identity to an IP address different from the one the device is using (its internal address) is not supported on this specific device, the Cisco ASA FTD.

Thanks everyone .

Deena

I think you should consider moving to IKEv2, as it offers more options for ciphers.

Let me share some links that might help you with the issue.

Google has several VPN configuration guides for specific vendors.

Guides by vendors

Also, you can check these links for troubleshooting VPN issues:

Troubleshooting for Cloud VPN

If you are behind NAT on-prem, try this guide:

Gateway behind NAT.

All the best.

Agustin E.