Wednesday, March 25, 2020

IPsec VPN between Google Cloud and Cisco ASA

IPsec VPN between Google Cloud and Cisco ASA with IKEv1 (policy-based)

Google Cloud VPN uses the following ciphers for IKEv1:

Phase 1
Cipher role                    Cipher
Encryption                     AES-CBC-128
Integrity                      HMAC-SHA1-96
Pseudo-Random Function (PRF)   PRF-SHA1-96
Diffie-Hellman (DH)            modp_1024 (Group 2)
Phase 1 lifetime               36,600 seconds

Phase 2
Cipher role                    Cipher
Encryption                     AES-CBC-128
Integrity                      HMAC-SHA1-96
PFS Algorithm (required)       modp_1024 (Group 2)
Diffie-Hellman (DH)            If you need to specify DH for your VPN gateway, use the same setting that you used for Phase 1.
Phase 2 lifetime               10,800 seconds

In the Google Cloud console, go to Networking > Hybrid Connectivity and click VPN.


Configure the tunnel settings.


On the Cisco side

crypto isakmp policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 36600

object-group network GCP_NETWORK

access-list outside_cryptomap line 1 extended permit ip object-group GCP_NETWORK

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2

crypto ipsec transform-set GCP-TRN esp-aes esp-sha-hmac
crypto map GCP-VPN 1 match address outside_cryptomap
crypto map GCP-VPN 1 set peer
crypto map GCP-VPN 1 set transform-set GCP-TRN

nat (inside,outside) 16 source static NETWORK_192.168.0.0_16 NETWORK_192.168.0.0_16 destination static GCP_NETWORK GCP_NETWORK

crypto map GCP-VPN interface outside
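
An added example (not part of the original post): a small Python check that compares the ASA lines above with the Phase 1 and Phase 2 tables. The function name audit_asa and the finding strings are made up for this example, and the second config is a constructed variant.

```python
import re

# Values from the Phase 1 / Phase 2 tables on this page, in ASA keyword form.
GCP_PHASE1 = {"authentication": "pre-share", "encryption": "aes",
              "hash": "sha", "group": "2", "lifetime": "36600"}
GCP_PHASE2_TRANSFORMS = {"esp-aes", "esp-sha-hmac"}
GCP_PHASE2_LIFETIME = "10800"

def audit_asa(config, crypto_map, seq):
    """Return findings where the ASA config differs from the GCP IKEv1 tables."""
    findings = []
    # Each IKEv1 policy is a header line followed by indented sub-commands.
    policies = [dict((l.split() + [""])[:2] for l in m[1].splitlines())
                for m in re.finditer(
                    r"^crypto (?:isakmp|ikev1) policy \d+\n((?: .*\n)+)", config, re.M)]
    if not any(all(p.get(k) == v for k, v in GCP_PHASE1.items()) for p in policies):
        findings.append("phase1: no policy matches the GCP Phase 1 table")
    flat = [" ".join(l.split()) for l in config.splitlines()]  # normalise spacing
    entry = f"crypto map {crypto_map} {seq} set "
    settings = [l[len(entry):] for l in flat if l.startswith(entry)]
    # Resolve the transform-set the crypto map entry points at.
    ts_name = next((s.split()[-1] for s in settings
                    if re.match(r"(ikev1 )?transform-set ", s)), None)
    ts_words = next((set(l.split()) for l in flat if ts_name and re.match(
        rf"crypto ipsec (ikev1 )?transform-set {re.escape(ts_name)} ", l)), set())
    if not GCP_PHASE2_TRANSFORMS <= ts_words:
        findings.append("phase2: transform-set is not esp-aes + esp-sha-hmac")
    if "pfs group2" not in settings:
        findings.append("phase2: PFS group 2 is not set on the crypto map entry")
    if f"security-association lifetime seconds {GCP_PHASE2_LIFETIME}" not in settings:
        findings.append("phase2: SA lifetime is not set to 10800 seconds")
    return findings

# Relevant lines of the ASA configuration shown on this page.
PAGE_CONFIG = """\
crypto isakmp policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 36600

crypto ipsec transform-set GCP-TRN esp-aes esp-sha-hmac
crypto map GCP-VPN 1 set transform-set GCP-TRN
"""
# Constructed variant: the same lines plus PFS and the Phase 2 lifetime.
ALIGNED_CONFIG = PAGE_CONFIG + (
    "crypto map GCP-VPN 1 set pfs group2\n"
    "crypto map GCP-VPN 1 set security-association lifetime seconds 10800\n")
```

Called as audit_asa(PAGE_CONFIG, "GCP-VPN", "1"), it reports that PFS group 2 and the 10,800-second Phase 2 lifetime are not set on the crypto map entry; the constructed variant returns no findings.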

