This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec VPN to Google Compute Engine VPN - 2 networks under 1 Security Association?

I am having an issue connecting more than one network / CIDR block through our IPSec VPN to the Google Cloud Compute Engine VPN.

It seems as though both ends support this as there is the option in the UTM IPSec Connection - Local Networks allows for adding multiple networks. Same at Google - you can add multiple networks to the IPSec connection tunnel.

The site-to-site tunnel status shows [2 of 2 IPsec SAs established] but when the connection is made it only connects one of the networks.

From the Google page . . .

"Security Associations and multiple subnets"

"Compute Engine VPN creates a single child Security Association (SA)
announcing all CIDR blocks associated with the tunnel. Some peer devices
support this behavior, and some only support creating a unique child-SA
for each CIDR block. With these latter devices, tunnels with multiple
CIDR blocks may fail to establish. The suggested workaround is to create
multiple tunnels that each have only one configured CIDR block."

"All subnets connected to the same tunnel must use the same child-SA. If
different subnets do not have the same SA, they must be connected to
different tunnels."

So, it looks to me like Sophos handles the two CIDR blocks with 2 IPSec SA's and Google wants to handle two CIDR blocks with 1 IPSec SA.

Another issue is Google does not allow two tunnels to one IP Address - this means to route two networks at the office requires using two WAN interfaces. This is a big limitation as it requires another WAN interface to establish two tunnels. (which we need - one for the LAN and one for the SSL VPN network for remote workers.)

"Adding a tunnel to an existing gateway"

"Compute Engine VPN does not support multiple tunnels between the same two gateways. Additional tunnels must point to different gateways."

So, my question is - from the comments in quotes above from the Google page is there any way to have Sophos treat multiple networks under the IPSec connection as one SA?

Or as Google states is the UTM one of those devices that only support creating a unique child-SA for each CIDR block.

It appears as thought it is connecting one and then not attempting to establish the other.

I do for now have 2 tunnels established using both of our WAN connections but if I need to add another network it won't work and I would much prefer to be able to add multiple networks to one tunnel.

This thread was automatically locked due to age.

0 BAlfson over 9 years ago

Interesting! I imagine that this could be done at the command line, but my guess is that this would be a feature request for WebAdmin. You can have multiple tunnels on an interface - you just need Additional Addresses.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Service Informatique1 over 8 years ago in reply to BAlfson

Hi

I ran into the exact same issue today...

Bob is right you could add an additionnal address but still, it requires one public ip address per subnet you need to route into the tunnel.

Did someone have a chance to find out a solution here?

Cheers

Marc
Cancel
Vote Up 0 Vote Down

Cancel
0 rsenio over 8 years ago in reply to Service Informatique1

I'd like if this were changed as well.
Cancel
Vote Up 0 Vote Down

Cancel
0 Service Informatique1 over 8 years ago in reply to Service Informatique1

FYI I tried to use another additionnal address but you can't route an ipsec vpn through a specific ip. You get to choose which interface, not the ip.

Only option I found to connect 2 private networks to my GCP network is setting up 2 vpn using 1 SA each... It doubles the price for the private connection to your GCP projects!

M
Cancel
Vote Up 0 Vote Down

Cancel
0 rsenio over 8 years ago in reply to Service Informatique1

When they say another IP, it's the "additional addresses" you have setup on your UTM. It uses the same interface, but you're setting up another IPSEC VPN to the OTHER ip, like you have done
Cancel
Vote Up 0 Vote Down

Cancel
0 Service Informatique1 over 8 years ago in reply to rsenio

how can you setup another ipsec vpn to the other ip since you don't get to choose the ip but only the interface?
Cancel
Vote Up 0 Vote Down

Cancel
0 rsenio over 8 years ago in reply to Service Informatique1

I think you've got your thought process backwards. On the Ipsec connection on the UTM you are not specifying any IP but the Google Cloud Gateway

On the Google Cloud VPN Ipsec setting, you're specifying what IP it's connecting to

Only the google cloud vpn cares about what IP it's connecting to, remote peer address. In this case, another external IP of yours....which is on your WAN interface anyway
Cancel
Vote Up 0 Vote Down

Cancel
0 Service Informatique1 over 8 years ago in reply to rsenio

ok, I just tried that but unfortunately that's not working!

Log viewer in GCP shows that packets are coming into the UTM on the additional address but they are routed back to the primary address of the interface when going out of the UTM to GCP...
Cancel
Vote Up 0 Vote Down

Cancel
0 rsenio over 8 years ago in reply to Service Informatique1

Looks like the original poster has this working, perhaps he can comment. Unless he refers to to WAN connections as two physical WAN ports, in which case the only option is what you suggested, multiple VPN's using multiple SA's..all using your main external WAN IP

I currently only have one ipsec connection to GCP

When I attempted to creates another VPN to an 'additional' address the Ipsec log on the UTM shows

packet from "google cloud": initial Main Mode message received on "additional IP" but no connection has been authorized with policy=PSK

The second tunnel never does come up
Cancel
Vote Up 0 Vote Down

Cancel