I was able to follow this tutorial but had to make a few adjustments. The main one is to configure the public IP address in the IKEv2 profile (see step 3 below).
Remember of course that the router will need UDP ports 500 & 4500 forwarded by the firewall, which also must support ESP passthrough.
1) Configure a global IKEv2 proposal and policy.
crypto ikev2 proposal MY_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 24 16 14
!
crypto ikev2 policy MY_IKEV2_POLICY
 proposal MY_IKEV2_PROPOSAL
2) And add the peer to the keyring:
crypto ikev2 keyring MY_KEYRING
 peer gcp1
  address 35.212.226.126
  pre-shared-key abcdef1234567890
3) Create a custom IKEv2 profile. Note the highlighted public IP address and also the lifetime and DPD interval settings.
crypto ikev2 profile GCP_IKEV2_PROFILE
 match address local interface GigabitEthernet0
 match identity remote address 0.0.0.0
 ! If router is behind NAT, set this to the public IP
 identity local address 203.0.113.222
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_KEYRING
 ! 10 hour SA lifetime
 lifetime 36000
 ! 1 minute keepalives
 dpd 60 5 periodic
!
4) Configure a custom IPSec transform set and profile. This is 128-bit AES encryption with SHA-256 integrity:
! IPsec Settings
crypto ipsec transform-set ESP_AES128_SHA256 esp-aes esp-sha256-hmac
!
crypto ipsec profile GCP_IPSEC_PROFILE
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 10800
 set transform-set ESP_AES128_SHA256
 ! 2048-bit
 set pfs group14
 set ikev2-profile GCP_IKEV2_PROFILE
!
5) Finally, create the tunnel interface. Unlike the IKEv2 profile, this simply references the External interface, not the public IP:
interface Tunnel1
 ip address 169.254.0.2 255.255.255.252
 ip mtu 1460
 ip virtual-reassembly in
 ip tcp adjust-mss 1420
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 35.212.226.126
 tunnel protection ipsec profile GCP_IPSEC_PROFILE
!
Troubleshooting
The SAs should look like this:
Router#show crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf   Status
2         192.168.1.123/4500    35.212.226.126/4500   none/none   READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 36000/1226 sec
Router#show crypto ipsec sa peer 35.212.226.126

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.1.123

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 35.212.226.126 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
    #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.123, remote crypto endpt.: 35.212.226.126
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x962EDB69(2519653225)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x10B829B(17531547)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (sec): (14259)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x962EDB69(2519653225)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (sec): (14259)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
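Added example, not part of the post or the tutorial it refers to: a small Python checker that reads `show crypto ipsec sa` output and compares the negotiated ESP transform, PFS and SA status against what the transform set and IPsec profile above ask for (esp-aes esp-sha256-hmac with pfs group14). The embedded sample output is constructed, and the function names are my own.

```python
# Constructed sample (not the post's own capture) of `show crypto ipsec sa`, trimmed to what the checker reads.
SAMPLE_OUTPUT = """\
   current_peer 35.212.226.126 port 4500
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x10B829B(17531547)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x962EDB69(2519653225)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Pull the PFS flag and one record per ESP SA out of the show output."""
    result = {"pfs": None, "sas": []}
    direction, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PFS (Y/N):"):
            result["pfs"] = line.split(":")[1].strip().startswith("Y")
        elif line.endswith("esp sas:"):
            direction = line.split()[0]          # "inbound" or "outbound"
        elif line.startswith("spi:") and direction:
            sa = {"direction": direction, "spi": line.split()[1].split("(")[0],
                  "transform": [], "udp_encaps": False, "status": None}
            result["sas"].append(sa)
        elif line.startswith("transform:") and sa:
            sa["transform"] = line[len("transform:"):].replace(",", "").split()
        elif line.startswith("in use settings") and sa:
            sa["udp_encaps"] = "UDP-Encaps" in line  # NAT-T (UDP 4500) in use
        elif line.startswith("Status:") and sa:
            sa["status"] = line.split(":", 1)[1].strip()
    return result

def check_sa(parsed, expected_transform=("esp-aes", "esp-sha256-hmac"), expect_pfs=True):
    """Report where the negotiated SAs differ from the transform set and profile."""
    findings = []
    if expect_pfs and not parsed["pfs"]:
        findings.append("PFS not in effect although the IPsec profile sets pfs group14")
    for s in parsed["sas"]:
        if tuple(s["transform"]) != tuple(expected_transform):
            findings.append(f"{s['direction']} SA {s['spi']}: negotiated "
                            f"{' '.join(s['transform'])}, configured {' '.join(expected_transform)}")
        if not (s["status"] or "").startswith("ACTIVE"):
            findings.append(f"{s['direction']} SA {s['spi']}: status {s['status']}")
    return findings
```

Run `check_sa(parse_ipsec_sa(output))` on a real capture; an empty list means the SAs match the configured transform set and PFS group, anything else is a point to chase before treating the tunnel as done.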