VyOS to connect to GCP - IPsec tunnel carrying multiple discontiguous subnets?

VirtualShmirtual · January 25, 2017, 11:26am

Hi,

We have a working VPN to Google GCP that looks like this:

vpn { ipsec { auto-update 60 esp-group gcp-esp { compression disable lifetime 10800 mode tunnel pfs enable proposal 1 { encryption aes256 hash sha1 } } ike-group gcp-ike { dead-peer-detection { action restart interval 30 timeout 60 } ikev2-reauth no key-exchange ikev2 lifetime 36000 mobike enable proposal 1 { dh-group 14 encryption aes256 hash sha1 } } ipsec-interfaces { interface eth0 } nat-traversal enable site-to-site { peer xxxxx.tld { authentication { id xxx.xxx.32.21 mode pre-shared-secret pre-shared-secret **************** } connection-type initiate description notadescriptionanymore ike-group gcp-ike ikev2-reauth no local-address xxx.xxx.4.10 tunnel 0 { allow-nat-networks disable allow-public-networks disable esp-group gcp-esp local { prefix xxx.xxx.0.0/16 } remote { prefix xxx.xxx.0.0/19 } } } } } }

This works fine. However, in actual fact we do not have a remote /19 - we have 2 remote /24s that are discontiguous. The only way we could get it to work is as above.

The below is what I want to do, but it doesn’t work.

vpn { ipsec { auto-update 60 esp-group gcp-esp { compression disable lifetime 10800 mode tunnel pfs enable proposal 1 { encryption aes256 hash sha1 } } ike-group gcp-ike { dead-peer-detection { action restart interval 30 timeout 60 } ikev2-reauth no key-exchange ikev2 lifetime 36000 mobike enable proposal 1 { dh-group 14 encryption aes256 hash sha1 } } ipsec-interfaces { interface eth0 } nat-traversal enable site-to-site { peer xxxxx.tld { authentication { id xxx.xxx.32.21 mode pre-shared-secret pre-shared-secret **************** } connection-type initiate description notadescriptionanymore ike-group gcp-ike ikev2-reauth no local-address xxx.xxx.4.10 tunnel 0 { allow-nat-networks disable allow-public-networks disable esp-group gcp-esp local { prefix xxx.xxx.0.0/16 } remote { prefix xxx.xxx.0.0/24 } } tunnel 1 { allow-nat-networks disable allow-public-networks disable esp-group gcp-esp local { prefix xxx.xxx.0.0/16 } remote { prefix xxx.xxx.2.0/24 } } } } } }

With the above, only one of the tunnels works at any time. Any help appreciated!

16again · January 28, 2017, 10:09am

As I read Advanced configurations | Cloud VPN | Google Cloud , when using ikev2, google will try to put 2 subnet definitions into a single sa, whereas you’re configuring 2 SAs.

VirtualShmirtual · January 30, 2017, 11:54am

Hi,

Thanks for replying.

Yes, you’re exactly right I believe. Unfortunately the VyOS doesn’t seem to support multiple subnets in a single SA. We also tried setting up 2 separate ipsec endpoints at the GCP end, but although the tunnels come up the routing instance in GCP sees them both as ECMP paths back to the far end so it doesn’t work.

16again · January 31, 2017, 6:23pm

Can you step back to ikev1 on GCP side?

VirtualShmirtual · February 2, 2017, 8:40am

I did try to. It was a while ago so I don’t have the records of exactly what I tried, but I hit a different blocker. IIRC it was that since you end up with 2 peers at the GCP end, you hit the same ECMP issue. I will try to find the time to set up the IKEv1 environment again so I can capture more detail.

VirtualShmirtual · February 3, 2017, 9:08am

I built a Juniper vSRX trial in place of the VyOS and it all works fine (multiple subnets, single tunnel), so at the moment I’m working on the assumption that this is simply something VyOS can’t do at the moment.