
Configure GCP with Cisco firewall by IPSec tunneling

Hi, I am trying to configure my GCP resources to communicate with a Cisco Firewall for all communication. Is it possible to achieve this with the GCP HA VPN gateway or any other mechanism in GCP?



Hi @dikshant-infra

See if this link helps; there are a number of config guides for Cloud VPN, including a couple for Cisco Firewalls.

Hi @AI, thanks for the response.

I am trying a test setup in two projects using Classic VPN but am unable to hit the private IP from a Cloud Function. I am able to hit it from a VM but unable to do so from Cloud Functions.

Hey @dikshant-infra

There could be a number of misconfigs that would prevent access, such as traffic routing from CF (Serverless VPC Access?), firewall configs (is traffic allowed, and if so, from which destination?), VPN configs (the traffic selectors). Without seeing the diagram and knowing how things are configured, it's nearly impossible to pinpoint the issue. What you could do, though, is check VPC flow logs (do we see the packets traversing the VPC?), VPN logs (do we see the packets going through the VPN?), the function error logs (what does 'unable to hit' actually mean? Can't resolve the name? Can't establish the TCP 3-way handshake? etc.), and the logs for the server which CF tries to connect to (do we see the requests make it that far?) to better understand where the problem could be happening.
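The reply above suggests reading VPC flow logs to see whether the function's packets ever traverse the VPC. The following is an added example (not code from the thread or from Google) that parses a handful of constructed VPC Flow Log records, narrows them to the Serverless VPC Access connector range and the target behind the VPN, and reports which direction of the flow was seen. The connector range 10.8.0.0/28 and the target 192.168.10.5:443 are assumed values; the field names follow the VPC Flow Logs record format (jsonPayload.connection.*, reporter, bytes_sent, packets_sent).

```python
"""Triage an 'upstream timeout' from a Cloud Function to a host behind a VPN
by checking which direction of the flow the VPC saw.  Added example, not
part of the original thread; all sample data below is constructed."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the jsonPayload part of two VPC Flow Log entries.
SAMPLE_FLOW_LOGS = [
    # Function egress through the connector subnet (10.8.0.0/28, assumed)
    # toward the remote host behind the VPN, reported by the source side.
    json.dumps({"connection": {"src_ip": "10.8.0.2", "src_port": 40112,
                               "dest_ip": "192.168.10.5", "dest_port": 443,
                               "protocol": 6},
                "reporter": "SRC", "bytes_sent": "180", "packets_sent": "3"}),
    # Unrelated SSH flow inside the VPC; the triage must ignore it.
    json.dumps({"connection": {"src_ip": "10.0.1.4", "src_port": 51000,
                               "dest_ip": "10.0.2.9", "dest_port": 22,
                               "protocol": 6},
                "reporter": "SRC", "bytes_sent": "4200", "packets_sent": "12"}),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dest_ip: str
    dest_port: int
    protocol: int      # IP protocol number, 6 = TCP
    reporter: str      # "SRC" or "DEST": which side of the flow logged it
    packets: int
    bytes: int


def parse_flow_entry(raw: str) -> Flow:
    """Parse one flow log jsonPayload (as a JSON string) into a Flow.
    Counters are exported as strings, so they are converted here."""
    payload = json.loads(raw)
    conn = payload["connection"]
    return Flow(
        src_ip=conn["src_ip"],
        dest_ip=conn["dest_ip"],
        dest_port=int(conn["dest_port"]),
        protocol=int(conn["protocol"]),
        reporter=payload.get("reporter", ""),
        packets=int(payload.get("packets_sent", 0)),
        bytes=int(payload.get("bytes_sent", 0)),
    )


def build_logging_filter(target_ip: str, target_port: Optional[int] = None) -> str:
    """Cloud Logging filter that narrows VPC Flow Logs to the destination under
    test (usable in Logs Explorer or with `gcloud logging read`)."""
    parts = [
        'resource.type="gce_subnetwork"',
        'logName:"compute.googleapis.com%2Fvpc_flows"',
        f'jsonPayload.connection.dest_ip="{target_ip}"',
    ]
    if target_port is not None:
        parts.append(f"jsonPayload.connection.dest_port={target_port}")
    return " AND ".join(parts)


def triage(entries, connector_range: str, target_ip: str, target_port: int) -> dict:
    """Sum packets seen connector->target (forward) and target->connector
    (reverse) and turn that into a verdict on where to look next."""
    net = ipaddress.ip_network(connector_range)
    fwd_pkts = rev_pkts = 0
    for raw in entries:
        f = parse_flow_entry(raw)
        if (ipaddress.ip_address(f.src_ip) in net
                and f.dest_ip == target_ip and f.dest_port == target_port):
            fwd_pkts += f.packets
        elif f.src_ip == target_ip and ipaddress.ip_address(f.dest_ip) in net:
            rev_pkts += f.packets
    if fwd_pkts == 0:
        # Nothing left the connector: check Serverless VPC Access egress and routes.
        verdict = "no_forward"
    elif rev_pkts == 0:
        # Packets left the VPC but nothing came back: VPN traffic selectors,
        # remote firewall policy or the return route are the suspects.
        verdict = "forward_only"
    else:
        # The VPC path works both ways: look at the function or the upstream service.
        verdict = "bidirectional"
    return {"forward_packets": fwd_pkts, "reverse_packets": rev_pkts, "verdict": verdict}


if __name__ == "__main__":
    print(build_logging_filter("192.168.10.5", 443))
    print(triage(SAMPLE_FLOW_LOGS, "10.8.0.0/28", "192.168.10.5", 443))
```

Flow logs have to be enabled on the connector's subnet for these records to exist at all, and they are sampled (50% by default) and aggregated over intervals, so a missing reverse flow is weaker evidence than a present forward one; the "forward_only" verdict is the one that matches the upstream timeout described in this thread and points at the VPN side rather than at the connector or the VPC firewall.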

Hi @AI, thanks for the response.
Error I am getting is "upstream timeout".

Coming to the flow. With the same firewall policy and VPC connector I am able to hit the private IP if I perform VPC peering, so I believe this rules out the issue being with the connector or the firewall policy blocking it. Coming to VPN logs, I have destroyed the setup. Let me recreate the setup and follow the logs.
Please suggest if I am missing anything in terms of VPC peering or VPN tunneling.

The main issue for me is that I am able to hit the VM in the other VPC through the VM that resides in the same subnet which is used by the VPC connector.

Hi @AI, I have one question. Does the IPSec client policy support Okta integration with GCP? The IPSec policy of the end user has MFA enabled with Okta. I did not find any such article where GCP offers MFA.

@dikshant-infra

I am not aware of any Cloud VPN support for MFA with Okta directly (although I'd suggest reaching out to Okta about this to be sure). I see on Okta's website (https://okta.com/integrations/MFA-for-VPN/) they support Cisco, Checkpoint, F5, Fortinet, Palo Alto, Pulse Secure and Sophos, so it is possible you would need to run a virtual device from one of these vendors in GCP and use it as a VPN concentrator, where you would configure the VPN between such a virtual firewall and the other side of the VPN connection.
Once again, I would recommend talking to Okta about your setup; they must have recommendations about how to set up their product.