
IPSec VPN to Google Compute Engine VPN - 2 networks under 1 Security Association?

I am having an issue connecting more than one network / CIDR block through our IPSec VPN to the Google Cloud Compute Engine VPN.

It seems as though both ends support this, as the UTM IPsec Connection's Local Networks option allows for adding multiple networks. Same at Google: you can add multiple networks to the IPsec connection tunnel.

The site-to-site tunnel status shows [2 of 2 IPsec SAs established] but when the connection is made it only connects one of the networks.

From the Google page . . .

"Security Associations and multiple subnets"

"Compute Engine VPN creates a single child Security Association (SA)
announcing all CIDR blocks associated with the tunnel. Some peer devices
support this behavior, and some only support creating a unique child-SA
for each CIDR block. With these latter devices, tunnels with multiple
CIDR blocks may fail to establish. The suggested workaround is to create
multiple tunnels that each have only one configured CIDR block."

"All subnets connected to the same tunnel must use the same child-SA. If
different subnets do not have the same SA, they must be connected to
different tunnels."


So, it looks to me like Sophos handles the two CIDR blocks with two IPsec SAs and Google wants to handle two CIDR blocks with one IPsec SA.

Another issue is that Google does not allow two tunnels to one IP address. This means that routing two networks at the office requires using two WAN interfaces. This is a big limitation, as it requires another WAN interface to establish two tunnels (which we need: one for the LAN and one for the SSL VPN network for remote workers).

"Adding a tunnel to an existing gateway"

"Compute Engine VPN does not support multiple tunnels between the same two gateways. Additional tunnels must point to different gateways."


So, my question is - from the comments in quotes above from the Google page is there any way to have Sophos treat multiple networks under the IPSec connection as one SA?

Or, as Google states, is the UTM one of those devices that only support creating a unique child-SA for each CIDR block?

It appears as though it is connecting one and then not attempting to establish the other.

I do for now have 2 tunnels established using both of our WAN connections but if I need to add another network it won't work and I would much prefer to be able to add multiple networks to one tunnel.
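As an added illustration (not code from the thread, from Sophos or from Google), here is a small Python model of IKEv2 traffic-selector narrowing as described in RFC 7296 section 2.9, which is the mechanism behind the Google note quoted above. The prefixes are constructed, and the responder behaviour is a simplification: a per-CIDR device is modelled as answering each CHILD_SA proposal with a single policy, so a proposal that carries several CIDRs is narrowed down to the first matching one and no further CHILD_SA is ever created for the rest. The model also runs the two alternatives: a responder that permits several selectors in one CHILD_SA, and the one-tunnel-per-CIDR workaround.

```python
"""Toy model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.

A CHILD_SA is negotiated with a TSi set (initiator-side addresses) and a TSr
set (responder-side addresses).  The responder may narrow both sets to what
its own policy permits.  A peer that announces every CIDR in ONE CHILD_SA
(the quoted Google behaviour) therefore ends up with only the subnets the
responder's first matching policy covers, and never proposes a second
CHILD_SA for the remainder.
"""
from ipaddress import ip_network

# Constructed sample addressing; these prefixes are assumptions, not from the thread.
GCP_SUBNET = ip_network("10.128.0.0/20")
OFFICE_LAN = ip_network("192.168.1.0/24")
OFFICE_SSLVPN = ip_network("10.242.2.0/24")
OFFICE_SUBNETS = [OFFICE_LAN, OFFICE_SSLVPN]


def intersect(a, b):
    """Intersection of two CIDR blocks (if they overlap, one contains the other)."""
    if not a.overlaps(b):
        return None
    return a if a.subnet_of(b) else b


def narrow(proposed, allowed):
    """Narrow a proposed TS set to the selectors the responder's policy allows."""
    kept = []
    for p in proposed:
        for q in allowed:
            x = intersect(p, q)
            if x is not None and x not in kept:
                kept.append(x)
    return kept


def negotiate(proposals, responder_policies):
    """Simulate CHILD_SA creation for one tunnel.

    proposals: one (tsi, tsr) pair per CHILD_SA the initiator creates.
    responder_policies: list of (local, remote) selector sets, one per CHILD_SA
      the responder is willing to build.  The first policy that overlaps a
      proposal answers it (a per-CIDR device picking exactly one policy).
    Returns the established (tsi, tsr) pairs after narrowing.
    """
    established = []
    for tsi, tsr in proposals:
        for local, remote in responder_policies:
            n_tsi = narrow(tsi, remote)  # initiator's side is the responder's "remote"
            n_tsr = narrow(tsr, local)
            if n_tsi and n_tsr:
                established.append((n_tsi, n_tsr))
                break
    return established


def uncovered(remote_subnets, established):
    """Responder-side subnets that no established CHILD_SA reaches."""
    reached = {n for _, tsr in established for n in tsr}
    return [s for s in remote_subnets if s not in reached]


# Initiator in the style of the quoted Google text: ONE CHILD_SA carrying all office CIDRs.
SINGLE_SA_PROPOSAL = [([GCP_SUBNET], [OFFICE_LAN, OFFICE_SSLVPN])]


def per_cidr_responder():
    """Responder builds one CHILD_SA per CIDR: only the first office subnet survives."""
    policies = [([OFFICE_LAN], [GCP_SUBNET]), ([OFFICE_SSLVPN], [GCP_SUBNET])]
    sas = negotiate(SINGLE_SA_PROPOSAL, policies)
    return sas, uncovered(OFFICE_SUBNETS, sas)


def multi_ts_responder():
    """Responder allows both subnets in one CHILD_SA: everything is reachable."""
    policies = [([OFFICE_LAN, OFFICE_SSLVPN], [GCP_SUBNET])]
    sas = negotiate(SINGLE_SA_PROPOSAL, policies)
    return sas, uncovered(OFFICE_SUBNETS, sas)


def one_tunnel_per_cidr():
    """The suggested workaround: separate tunnels, each carrying exactly one CIDR."""
    tunnels = [
        ([([GCP_SUBNET], [OFFICE_LAN])], [([OFFICE_LAN], [GCP_SUBNET])]),
        ([([GCP_SUBNET], [OFFICE_SSLVPN])], [([OFFICE_SSLVPN], [GCP_SUBNET])]),
    ]
    sas = [sa for proposals, policies in tunnels for sa in negotiate(proposals, policies)]
    return sas, uncovered(OFFICE_SUBNETS, sas)


if __name__ == "__main__":
    for name, fn in [("per-CIDR responder", per_cidr_responder),
                     ("multi-TS responder", multi_ts_responder),
                     ("one tunnel per CIDR", one_tunnel_per_cidr)]:
        sas, missing = fn()
        print(f"{name}: {len(sas)} CHILD_SA(s), unreachable: {[str(m) for m in missing]}")
```

The first scenario is the symptom described above: a status line can legitimately report an SA as established while one of the configured networks has no selector covering it. One protocol detail worth keeping in mind when comparing gateways: IKEv1 Quick Mode carries exactly one ID pair per SA, so several subnets inside a single SA requires IKEv2 on both ends; under IKEv1 the only way to reach several subnets is a separate SA per subnet pair, which the quoted Google text says Compute Engine VPN does not do within one tunnel.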


  • how can you setup another ipsec vpn to the other ip since you don't get to choose the ip but only the interface?

  • I think you've got your thought process backwards. On the IPsec connection on the UTM you are not specifying any IP but the Google Cloud Gateway.

    On the Google Cloud VPN Ipsec setting, you're specifying what IP it's connecting to

    Only the google cloud vpn cares about what IP it's connecting to, remote peer address. In this case, another external IP of yours....which is on your WAN interface anyway

  • ok, I just tried that but unfortunately that's not working!

    Log viewer in GCP shows that packets are coming into the UTM on the additional address but they are routed back to the primary address of the interface when going out of the UTM to GCP...

  • Looks like the original poster has this working, perhaps he can comment. Unless he refers to two WAN connections as two physical WAN ports, in which case the only option is what you suggested, multiple VPNs using multiple SAs, all using your main external WAN IP.

    I currently only have one ipsec connection to GCP

    When I attempted to create another VPN to an 'additional' address, the IPsec log on the UTM shows

    packet from "google cloud": initial Main Mode message received on "additional IP" but no connection has been authorized with policy=PSK

    The second tunnel never does come up.