VPN setup with Google Cloud

Hello,

I'm trying to set up a VPN with a Google Cloud instance. This has been driving me crazy :frowning:

Here’s my config

# feb/07/2017 20:33:33 by RouterOS 6.38.1
# software id = 2BF6-249A
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5,null enc-algorithms="aes-256-cbc,aes-256-ctr,camellia-256,aes-192-cbc,aes-\
    192-ctr,camellia-192,aes-128-cbc,aes-128-ctr,camellia-128,3des,blowfish,twofish,des,null"
/ip ipsec peer
add address=104.x.x.x/32 enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128,3des,blowfish,des \
    exchange-mode=ike2 secret=secret
/ip ipsec policy
add dst-address=172.16.0.0/16 sa-dst-address=104.x.x.x sa-src-address=71.x.x.x src-address=10.128.0.0/16 tunnel=yes

These are the logs:

feb/07 20:31:17 ipsec payload seen: SA
feb/07 20:31:17 ipsec payload seen: NONCE
feb/07 20:31:17 ipsec payload seen: KE
feb/07 20:31:17 ipsec payload seen: TS_I
feb/07 20:31:17 ipsec payload seen: TS_R
feb/07 20:31:17 ipsec create child: respond
feb/07 20:31:17 ipsec processing payload: NONCE
feb/07 20:31:17 ipsec processing payloads: NOTIFY (none found)
feb/07 20:31:17 ipsec processing payloads: NOTIFY (none found)
feb/07 20:31:17 ipsec peer wants tunnel mode
feb/07 20:31:17 ipsec processing payload: CONFIG (not found)
feb/07 20:31:17 ipsec processing payload: TS_I
feb/07 20:31:17 ipsec 10.128.0.0/16
feb/07 20:31:17 ipsec processing payload: TS_R
feb/07 20:31:17 ipsec 172.16.0.0/16
feb/07 20:31:17 ipsec processing payload: SA
feb/07 20:31:17 ipsec,debug unknown enc: 19
feb/07 20:31:17 ipsec,debug unknown enc: 18
feb/07 20:31:17 ipsec,debug unknown dh: 23
feb/07 20:31:17 ipsec,debug unknown dh: 24
feb/07 20:31:17 ipsec,debug unknown dh: 22
feb/07 20:31:17 ipsec IKE Protocol: ESP
feb/07 20:31:17 ipsec  proposal #1
feb/07 20:31:17 ipsec   enc: aes128-gcm
feb/07 20:31:17 ipsec   enc: unknown
feb/07 20:31:17 ipsec   enc: unknown
feb/07 20:31:17 ipsec   enc: aes128-cbc
feb/07 20:31:17 ipsec   enc: aes256-cbc
feb/07 20:31:17 ipsec   enc: aes192-cbc
feb/07 20:31:17 ipsec   auth: sha1
feb/07 20:31:17 ipsec   dh: modp2048
feb/07 20:31:17 ipsec   dh: unknown
feb/07 20:31:17 ipsec   dh: unknown
feb/07 20:31:17 ipsec   dh: modp1536
feb/07 20:31:17 ipsec   dh: modp3072
feb/07 20:31:17 ipsec   dh: modp4096
feb/07 20:31:17 ipsec   dh: modp8192
feb/07 20:31:17 ipsec   dh: modp1024
feb/07 20:31:17 ipsec   dh: unknown
feb/07 20:31:17 ipsec   esn: off
feb/07 20:31:17 ipsec searching for policy
feb/07 20:31:17 ipsec policy not found
feb/07 20:31:17 ipsec,error no policy found/generated
feb/07 20:31:17 ipsec adding payload: NOTIFY
feb/07 20:31:17 ipsec   notify: TS_UNACCEPTABLE
feb/07 20:31:17 ipsec,debug,packet => outgoing plain packet (size 0x24)
feb/07 20:31:17 ipsec adding payload: ENC
feb/07 20:31:17 ipsec,debug => (size 0x100)
feb/07 20:31:17 ipsec,debug ===== sending 284 bytes from 71.x.x.x[4500] to 104.x.x.x[4500]
feb/07 20:31:17 ipsec,debug 1 times of 288 bytes message will be sent to 104.x.x.x[4500]

I’m lost for ideas. Is there something wrong with my policy?

Thanks for any tips/pointers.

Your policy must match at both ends

This is what 30 seconds of googling got me https://cloud.google.com/compute/docs/vpn/advanced

You seem to have a lot of unnecessary/unsupported auth algorithms in your config

Ah thanks - I missed this documentation, I used the internal links in the cloud console that took me to the overview (https://cloud.google.com/compute/docs/vpn/overview) only, didn't see the advanced link. I enabled almost every auth algorithm in hope this was the issue (but it didn't help).

I’ll better align my auth options and see if this improves things. Thanks for pointing this out

Hmm, I think I’m closer. But something is still missing :confused: These are the logs from my router:

14:05:51 ipsec payload seen: SA 
14:05:51 ipsec payload seen: NONCE 
14:05:51 ipsec payload seen: KE 
14:05:51 ipsec payload seen: TS_I 
14:05:51 ipsec payload seen: TS_R 
14:05:51 ipsec create child: respond 
14:05:51 ipsec processing payload: NONCE 
14:05:51 ipsec processing payloads: NOTIFY (none found) 
14:05:51 ipsec processing payloads: NOTIFY (none found) 
14:05:51 ipsec peer wants tunnel mode 
14:05:51 ipsec processing payload: CONFIG (not found) 
14:05:51 ipsec processing payload: TS_I 
14:05:51 ipsec 10.128.0.0/16 
14:05:51 ipsec processing payload: TS_R 
14:05:51 ipsec 172.16.0.0/16 
14:05:51 ipsec processing payload: SA 
14:05:51 ipsec,debug unknown enc: 19 
14:05:51 ipsec,debug unknown enc: 18 
14:05:51 ipsec,debug unknown dh: 23 
14:05:51 ipsec,debug unknown dh: 24 
14:05:51 ipsec,debug unknown dh: 22 
14:05:51 ipsec IKE Protocol: ESP 
14:05:51 ipsec  proposal #1 
14:05:51 ipsec   enc: aes128-gcm 
14:05:51 ipsec   enc: unknown 
14:05:51 ipsec   enc: unknown 
14:05:51 ipsec   enc: aes128-cbc 
14:05:51 ipsec   enc: aes256-cbc 
14:05:51 ipsec   enc: aes192-cbc 
14:05:51 ipsec   auth: sha1 
14:05:51 ipsec   dh: modp2048 
14:05:51 ipsec   dh: unknown 
14:05:51 ipsec   dh: unknown 
14:05:51 ipsec   dh: modp1536 
14:05:51 ipsec   dh: modp3072 
14:05:51 ipsec   dh: modp4096 
14:05:51 ipsec   dh: modp8192 
14:05:51 ipsec   dh: modp1024 
14:05:51 ipsec   dh: unknown 
14:05:51 ipsec   esn: off 
14:05:51 ipsec searching for policy 
14:05:51 ipsec policy not found 
14:05:51 ipsec,error no policy found/generated 
14:05:51 ipsec adding payload: NOTIFY 
14:05:51 ipsec   notify: TS_UNACCEPTABLE

My ipsec proposal looks like this:
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=3h pfs-group=modp1024

As far as I can tell, I have matching auth-algorithms, some of the enc-algorithms and a matching pfs-group. Yet it won't connect. Is there any other logging I should look at beyond debug? Or any other ideas?

Ahhh fixed. I had my src/destinations mixed up! GCE (google compute engine) logs helped me see that :slight_smile:

For anyone else who might use this in future, here’s my setup:
policy:
add dst-address={gce 1918} sa-dst-address={gce public} sa-src-address={my public} src-address={my 1918} tunnel=yes
peer:
add address={gce public} enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=ike2 hash-algorithm=sha512 secret=secret

That's all you need. Thanks.
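An added example, not from the thread or from RouterOS, that reproduces the diagnosis above in Python: it pulls the initiator's TS_I/TS_R selectors and offered ESP algorithms out of a responder-side log excerpt, checks them against the local proposal and policy written the way RouterOS prints them, and reports TS_UNACCEPTABLE for the original policy and a match once src-address and dst-address are swapped. The log lines, policy strings and function names are constructed for this example.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the responder's RouterOS "ipsec" log, same lines as in the thread.
LOG = """\
14:05:51 ipsec processing payload: TS_I
14:05:51 ipsec 10.128.0.0/16
14:05:51 ipsec processing payload: TS_R
14:05:51 ipsec 172.16.0.0/16
14:05:51 ipsec   enc: aes128-gcm
14:05:51 ipsec   enc: unknown
14:05:51 ipsec   enc: aes256-cbc
14:05:51 ipsec   auth: sha1
14:05:51 ipsec   dh: modp2048
14:05:51 ipsec   dh: modp1024
"""
# Local side as RouterOS prints it: policy before and after the fix, and the proposal.
POLICY_BEFORE = "dst-address=172.16.0.0/16 src-address=10.128.0.0/16 tunnel=yes"
POLICY_AFTER = "dst-address=10.128.0.0/16 src-address=172.16.0.0/16 tunnel=yes"
PROPOSAL = "auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp1024"

def kv(text):
    """Split a RouterOS 'key=value key=value' line into a dict."""
    return dict(item.split("=", 1) for item in text.split())

def parse_peer(log):
    """Return (traffic selectors, offered algorithms) seen in the peer's CREATE_CHILD_SA."""
    ts, algs, pending = {}, {"enc": set(), "auth": set(), "dh": set()}, None
    for line in log.splitlines():
        if m := re.search(r"processing payload: (TS_[IR])$", line):
            pending = m.group(1)                      # next line carries the selector
        elif pending and (m := re.search(r"ipsec (\S+/\d+)$", line)):
            ts[pending], pending = ip_network(m.group(1)), None
        elif (m := re.search(r"(enc|auth|dh): (\S+)$", line)) and m.group(2) != "unknown":
            algs[m.group(1)].add(m.group(2))          # "unknown" = transform RouterOS lacks
    return ts, algs

def proposal_matches(proposal, algs):
    """True if local proposal shares an enc, auth and PFS group with the peer's offer."""
    p = kv(proposal)
    enc = {re.sub(r"^aes-(\d+)", r"aes\1", a) for a in p["enc-algorithms"].split(",")}
    return bool(enc & algs["enc"]) and p["auth-algorithms"] in algs["auth"] and p["pfs-group"] in algs["dh"]

def policy_matches(policy, ts):
    """Responder view: src-address must cover TS_R (our side), dst-address must cover TS_I."""
    p = kv(policy)
    return ts["TS_R"].subnet_of(ip_network(p["src-address"])) and ts["TS_I"].subnet_of(ip_network(p["dst-address"]))

def diagnose(log, proposal, policy):
    """Mimic the responder's decision: proposal first, then policy lookup."""
    ts, algs = parse_peer(log)
    if not proposal_matches(proposal, algs):
        return "NO_PROPOSAL_CHOSEN"
    return "OK" if policy_matches(policy, ts) else "TS_UNACCEPTABLE"
```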