IPsec GCP setup



  • We are trying to set up a VPN tunnel between a Google Cloud VPC and a pfSense box.

    We found the following guide https://blog.paranoidsoftware.com/pfsense-ipsec-vpn-connection-to-azure-aws-and-google-cloud-2/

    This is the error we get on the pfSense side.

    
    Apr 24 16:19:12    charon        08[ENC] <bypasslan|1495> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Apr 24 16:19:12    charon        08[CFG] <bypasslan|1495> no alternative config found
    Apr 24 16:19:12    charon        08[CFG] <bypasslan|1495> selected peer config 'bypasslan' inacceptable: non-matching authentication done
    Apr 24 16:19:12    charon        08[CFG] <bypasslan|1495> constraint requires public key authentication, but pre-shared key was used
    Apr 24 16:19:12    charon        08[IKE] <bypasslan|1495> authentication of '35.189.X.X' with pre-shared key successful
    Apr 24 16:19:12    charon        08[CFG] <bypasslan|1495> selected peer config 'bypasslan'
    Apr 24 16:19:12    charon        08[CFG] <1495> looking for peer configs matching 195.188.X.X[195.188.X.X]...35.189.X.X[35.189.X.X]
    Apr 24 16:19:12    charon        08[ENC] <1495> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Apr 24 16:19:12    charon        08[NET] <1495> received packet: from 35.189.X.X[500] to 195.188.X.X[500] (352 bytes)
    Apr 24 16:19:12    charon        08[NET] <1495> sending packet: from 195.188.X.X[500] to 35.189.X.X[500] (586 bytes)
    Apr 24 16:19:12    charon        08[ENC] <1495> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
    Apr 24 16:19:12    charon        08[IKE] <1495> 35.189.X.X is initiating an IKE_SA
    Apr 24 16:19:12    charon        08[ENC] <1495> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Apr 24 16:19:12    charon        08[NET] <1495> received packet: from 35.189.X.X[500] to 195.188.X.X[500] (1012 bytes)
    

    We also changed the following, as the peer didn't accept DH group MODP_2048; it requested MODP_3072.

    Is there an official guide somewhere to set up IPsec to Google Cloud?

    Does anyone have any suggestions as to what the above error is saying?
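
    Added example, not part of the original post: a small Python triage script that groups strongSwan charon lines like the ones above by IKE_SA number and reports which peer config was selected and which authentication constraint rejected it. The sample lines are copied from the log in the post; the names `triage` and `summarize` are illustrative.

```python
import re
from collections import defaultdict

# Sample lines copied from the log in the post (newest first, as displayed).
SAMPLE = """\
Apr 24 16:19:12 charon 08[ENC] <bypasslan|1495> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 24 16:19:12 charon 08[CFG] <bypasslan|1495> no alternative config found
Apr 24 16:19:12 charon 08[CFG] <bypasslan|1495> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Apr 24 16:19:12 charon 08[CFG] <bypasslan|1495> constraint requires public key authentication, but pre-shared key was used
Apr 24 16:19:12 charon 08[IKE] <bypasslan|1495> authentication of '35.189.X.X' with pre-shared key successful
Apr 24 16:19:12 charon 08[CFG] <bypasslan|1495> selected peer config 'bypasslan'
"""

# thread[subsystem] <connection|IKE_SA id> message; the connection name is optional
LINE = re.compile(r"\d+\[[A-Z]+\]\s+<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)")
RULES = [
    ("selected", re.compile(r"^selected peer config '([^']+)'$")),
    ("constraint", re.compile(r"^constraint requires (.+), but (.+) was used$")),
    ("peer_auth", re.compile(r"^authentication of '([^']+)' with (.+) successful$")),
]

def triage(log_text):
    """Return {ike_sa_id: findings} for every IKE_SA seen in the log text."""
    sas = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = sas[m["sa"]], m["msg"].strip()
        if "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
        if msg == "no alternative config found":
            sa["no_alternative"] = True
        for key, rx in RULES:
            hit = rx.match(msg)
            if hit:
                sa[key] = hit.groups() if len(hit.groups()) > 1 else hit.group(1)
    return dict(sas)

def summarize(findings):
    """One line per IKE_SA that failed auth because of a config constraint."""
    out = []
    for sa_id, f in findings.items():
        if f.get("auth_failed") and "constraint" in f:
            need, got = f["constraint"]
            out.append(f"IKE_SA {sa_id}: config '{f.get('selected', '?')}' requires {need}, peer used {got}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE))))
```

    On the sample it reports that the config named 'bypasslan' was the one matched for IKE_SA 1495 and that it requires public key authentication while the peer used a pre-shared key.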