[strongSwan] VPN Confusion b/w GCP and Client Cisco ASA, They Required public IP on GCE
Muhammad Yousuf Khan
sirtcp at gmail.com
Wed Mar 15 07:37:46 CET 2017
Hi,
We are working on a project where we need an IPsec VPN tunnel between our client
and our Virtual Private Cloud hosted at Google. Due to our client's strict
policy, our client wants a setup where our GCE and VPN instance both must
have a public IP address. They do not allow us to have the GCE on a private IP
(the reason is to avoid a conflict of the same subnet with other clients). Moreover,
the client end has a Cisco ASA 5500 firewall.
Google Cloud (as of today) does not support such a feature; however, Google
support has suggested that we install strongSwan on the GCE server itself,
where the application is hosted. The points of confusion are:
1. Which port forwarding rules should we apply on the Google Cloud firewall
to allow strongSwan to work properly?
2. With reference to the document here:
2. with reference to the document here.
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
    left=172.16.10.2             # strongSwan outside address
    leftsubnet=192.168.2.0/24    # network behind strongSwan
    leftid=172.16.10.2           # IKE ID sent by strongSwan
    leftfirewall=yes
    right=172.16.10.1            # IOS outside address
    rightsubnet=192.168.1.0/24   # network behind IOS
    rightid=172.16.10.1          # IKE ID sent by IOS
    auto=add
    ike=aes128-md5-modp1536      # P1: modp1536 = DH group 5
    esp=aes128-sha1              # P2
As you can see, left is the strongSwan outside IP and leftsubnet is the local
LAN behind strongSwan. Now, in my case, what should I type in "leftsubnet"
when there is no subnet behind the strongSwan GCE at all?
Any suggestion will be highly appreciated.
Thanks,
Yousuf
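The following is an added example, not code from the original post, from strongSwan or from Google. It builds a host-to-subnet tunnel definition for a GCE instance that has no LAN behind it, which is the situation asked about above: the local traffic selector becomes the instance's own address as a /32, the instance's external address (which Google maps 1:1 onto the NIC's internal address) is used only as the IKE identity, and the GCP firewall needs no port forwarding, just an ingress allow for UDP 500 and UDP 4500 (plus raw ESP if the host were not behind NAT). All addresses, the connection name "asa", the IKEv1 default and the proposal strings are assumptions chosen for illustration.

```python
"""Generate a strongSwan ipsec.conf conn block and the matching GCP firewall
rule for a GCE host that has no subnet behind it.  Added example; addresses
below are constructed placeholders, not values from the original post."""
import ipaddress
from dataclasses import dataclass


@dataclass
class HostToSubnetTunnel:
    local_private_ip: str       # address actually configured on the GCE NIC
    local_public_ip: str        # external IP that Google NATs 1:1 onto the NIC
    peer_public_ip: str         # ASA outside address
    peer_subnet: str            # network behind the ASA
    keyexchange: str = "ikev1"  # assumption: the ASA L2L tunnel uses IKEv1
    ike: str = "aes256-sha256-modp2048"   # assumed P1 proposal
    esp: str = "aes256-sha256"            # assumed P2 proposal

    def behind_nat(self) -> bool:
        """On GCE the public IP is a 1:1 NAT, so IKE runs with NAT-T."""
        return self.local_private_ip != self.local_public_ip

    def local_selector(self) -> str:
        """No LAN behind the host: the traffic selector is the host itself."""
        return f"{self.local_private_ip}/32"

    def validate(self) -> None:
        """Reject the overlap the client is worried about, and bad prefixes."""
        host = ipaddress.ip_address(self.local_private_ip)
        remote = ipaddress.ip_network(self.peer_subnet, strict=True)
        if host in remote:
            raise ValueError(f"{host} overlaps the remote subnet {remote}")
        ipaddress.ip_address(self.local_public_ip)   # raises on garbage
        ipaddress.ip_address(self.peer_public_ip)

    def ipsec_conf(self, name: str = "asa") -> str:
        """Render the conn block in ipsec.conf syntax."""
        self.validate()
        lines = [
            f"conn {name}",
            f"    keyexchange={self.keyexchange}",
            "    left=%any",                            # bind to the NIC's address
            f"    leftid={self.local_public_ip}",       # IKE ID the ASA sees after NAT
            f"    leftsubnet={self.local_selector()}",  # host-only selector
            "    leftauth=psk",
            f"    right={self.peer_public_ip}",
            f"    rightid={self.peer_public_ip}",
            f"    rightsubnet={self.peer_subnet}",
            "    rightauth=psk",
            f"    ike={self.ike}!",                     # '!' pins the proposal
            f"    esp={self.esp}!",
            "    auto=start",
        ]
        return "\n".join(lines) + "\n"

    def firewall_rules(self) -> list[str]:
        """Protocols the GCP firewall must allow from the ASA to the instance."""
        rules = ["udp:500", "udp:4500"]
        if not self.behind_nat():
            rules.append("esp")   # raw ESP only without NAT-T encapsulation
        return rules

    def gcloud_command(self, network: str = "default") -> str:
        """The gcloud invocation creating that ingress rule (not executed here)."""
        return (
            "gcloud compute firewall-rules create allow-ipsec-from-asa "
            f"--network {network} --direction INGRESS "
            f"--source-ranges {self.peer_public_ip}/32 "
            f"--allow {','.join(self.firewall_rules())}"
        )


if __name__ == "__main__":
    tunnel = HostToSubnetTunnel("10.128.0.2", "203.0.113.10",
                                "198.51.100.1", "192.168.1.0/24")
    print(tunnel.ipsec_conf())
    print(tunnel.gcloud_command())
```

Because the selector is the instance's internal address, the crypto ACL on the ASA side has to match that internal address, not the external one; the external address appears only as the IKE peer address and identity. Omitting leftsubnet entirely gives the same result, since strongSwan then uses the local endpoint address as the selector.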