Cisco Router VPN to Google Cloud (GCP)

Setting up Google Cloud end

From Hybrid connectivity, select VPN, then click Create VPN connection.

Select Classic VPN

Give the VPN a name, select the Network and Region for the gateway.

Select an External IP for the gateway or create a new one.

Enter the IP of the Cisco router, enter the pre-shared key, or generate a key.

Select Route-based and enter the local subnets

Click done and the VPN gateway will be completed.

Configuring Cisco Router

ESP and UDP port 500 needs to be open on the firewall.

Configure the IKEv2 tunnel

Create an IKEv2 keyring and add the pre-shared key.

crypto ikev2 keyring GCP
    peer GCP
    address 34.91.104.31
    pre-shared-key FSyf6mxuxafo0Vd5D0n4a9TC53aD6PuA

Create an IKEv2 Proposal and set the encryption and integrity algorithm, and DH group,

crypto ikev2 proposal GCP
    encryption aes-cbc-256
    integrity sha256
    group 14

Create an IKEv2 Policy and add the proposal.

crypto ikev2 policy GCP
    proposal GCP

Create an IKEv2 Profile.

crypto ikev2 profile GCP
    match identity remote address 34.91.104.31 255.255.255.255
    authentication remote pre-share
    authentication local pre-share
    keyring local GCP

Configure IPsec

Create an IPsec transform-set.

crypto ipsec transform-set GCP esp-aes 256 esp-sha256-hmac
    mode tunnel

Create an IPsec profile.

crypto ipsec profile GCP
    set transform-set GCP
    set pfs group14
    set ikev2-profile GCP

Configure a virtual tunnel interface

The tunnel needs to have an IP address assigned, this is not used by Google Cloud so any IP not in use can be used.

interface Tunnel1
    description VPN_TO_GCP
    ip address 172.31.255.250 255.255.255.255 !! Use anything
    ip mtu 1440
    ip tcp adjust-mss 1380
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile GCP
    tunnel destination 34.91.104.31
    tunnel source x.x.x.x !! Router public IP

Add static routes

Add static routes for Google Cloud subnets

ip route 10.164.0.0 255.255.240.0 Tunnel1