Creating VPN Tunnel with Cisco Firepower 41110

Google Cloud Compute Infrastructure
1

Has anyone encounter issue while creating VPN tunnel connecting to Cisco Firepower 41110 model before ?

A static VPN tunnel was created by connecting custom VPC network to on-premise network with the following configuration. Based on the status on Cisco Firepower (as attached) , phase 1 has been establish but the second phase has received no packet at the interface (tx & rx)

Screenshot 2023-02-20 at 7.34.03 PM.png
Screenshot 2023-02-20 at 7.34.03 PM.png1552×1532 150 KB

Phase 1:

  1. Encryption & Integrity : AES-GCM-16-256

  2. PRF - PRF-HMAC-SHA2-512

  3. Diffie-Hellman (DH): modp_2048 (Group 14)
    4.Lifetime: 36000 seconds

Phase 2:

  1. Encryption & Integrity : AES-GCM-16-256

  2. PFS: PRF-HMAC-SHA2-512

3.Diffie-Hellman (DH): modp_2048 (Group 14)
4.Lifetime: 36000 seconds

Logs from Cloud VPN indicate that it is unable establish CHILD_SA. Pointing the issue at establishing Phase 2.

DEBUG 2023-02-20T11:34:22.515802858Z parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
DEBUG 2023-02-20T11:34:22.515822874Z received TS_UNACCEPTABLE notify, no CHILD_SA built
DEBUG 2023-02-20T11:34:22.515826928Z failed to establish CHILD_SA, keeping IKE_SA

Any advice ?

2

Hi @edwin10 ,

The screenshots that you shared seems to be low quality making it hard to see the details.

Based from the configuration that you shared for Phase 1 and Phase 2, everything is correct except the lifetime value for Phase 2. Based from this documentation regarding Supported IKE ciphers and Google Cloud VPN Interop Guide, Phase 2 should have a lifetime of 10,800 seconds (3 hours).

You may want to check it as well with CISCO support if everything is configured properly on their devices and to check what causes the VPN tunnel to not establish.

3

Thanks Marvin.