Google cloud gateway

https://cloud.google.com/compute/docs/vpn/advanced

https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf

 

heres a (final/working) config in case anyone else wants to do this:

===================

crypto ikev2 proposal gcp-ikev2-proposal-1

encryption aes-cbc-128 aes-cbc-192 aes-cbc-256

integrity sha1 sha256 sha384 sha512

group 2 5 14 15 16

!

crypto ikev2 policy gcp-ikev2-policy-1

match fvrf any

proposal gcp-ikev2-proposal-1

!

crypto ikev2 profile gcp-ikev2-profile-1

match identity remote address gcp.gcp.gcp.gcp 255.255.255.255

identity local address me.me.me.me

authentication remote pre-share key xxxxxxxxxxxx

authentication local pre-share key xxxxxxxxxxxx

lifetime 10800

!

crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac

mode tunnel

!

crypto ipsec profile gcp-ipsec-profile-1

set transform-set gcp-tset-1

set pfs group14

set ikev2-profile gcp-ikev2-profile-1

!

interface Tunnel0

ip address 169.254.0.2 255.255.255.252

tunnel source me.me.me.me

tunnel mode ipsec ipv4

tunnel destination gcp.gcp.gcp.gcp

tunnel protection ipsec profile gcp-ipsec-profile-1

!

===================

And then configure BGP or maybe static routes as required.

After adding in the Tunnel0 interface config it just started working

straight away. So I guess my config was right all along, its just some

other aspect of IPSEC that wasnt happy with something missing… Yay

misleading debug output. :-/

Hope that helps someone else.

Tom

Cache DNS servers

PowerDNS is really fast, I’d also evaluate “unbound” as caching server. You can use powerdns’ loadbalancer “dnsdist” in front of whatever you end up using. All these are free.

> Concur 100%.

> You may also wish to consider two layers of caching – e.g., an aggregate cache in addition to caching on user-facing caches, along with dedicated resolvers.  See this .jpg diagram:

> <https://app.box.com/s/72bccbac1636714eb611>

Tested similar topologies in anger and haven’t found that the benefit (which is fairly small) is worth it for the added complexity. I find that unbound with large cache sizes works very well – https://www.unbound.net/documentation/howto_optimise.html <https://www.unbound.net/documentation/howto_optimise.html> is a good primer. Collect stats with collectd and the unbound collectd python module from here:

https://github.com/tarnfeld/collectd-unbound <https://github.com/tarnfeld/collectd-unbound>

We get the stats out the end of our stats pipeline with Grafana, and have a detailed analytics dashboard that give us hints about what needs to be looked at. We chart queries per CPU%, recursion times, all sorts of good stuff.

ICMP

As far as I understand according to rfc by ietf, type 11 is ‘time exceeded.’  And there are 2 codes with that type.  Here is a link for the RFC792:

http://tools.ietf.org/html/rfc792

 

ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type	Name					Reference
----	-------------------------		---------
  0	Echo Reply				 [RFC792]
  1	Unassigned				    [JBP]
  2	Unassigned				    [JBP]
  3	Destination Unreachable			 [RFC792]
  4	Source Quench			 	 [RFC792]
  5	Redirect				 [RFC792]
  6	Alternate Host Address			    [JBP]
  7	Unassigned				    [JBP]
  8	Echo					 [RFC792]
  9	Router Advertisement			[RFC1256]
 10	Router Selection			[RFC1256]
 11	Time Exceeded				 [RFC792]
 12	Parameter Problem			 [RFC792]
 13	Timestamp				 [RFC792]
 14	Timestamp Reply				 [RFC792]
 15	Information Request			 [RFC792]
 16	Information Reply			 [RFC792]
 17	Address Mask Request                     [RFC950]
 18	Address Mask Reply			 [RFC950]
 19	Reserved (for Security)			   [Solo]
 20-29	Reserved (for Robustness Experiment)	    [ZSu]
 30	Traceroute				[RFC1393]
 31	Datagram Conversion Error		[RFC1475]
 32     Mobile Host Redirect              [David Johnson]
 33     IPv6 Where-Are-You                 [Bill Simpson]
 34     IPv6 I-Am-Here                     [Bill Simpson]
 35     Mobile Registration Request        [Bill Simpson]
 36     Mobile Registration Reply          [Bill Simpson]
 37     Domain Name Request                     [Simpson]
 38     Domain Name Reply                       [Simpson]
 39     SKIP                                    [Markson]
 40     Photuris                                [Simpson]
 41-255 Reserved				    [JBP]
Many of these ICMP types have a "code" field.  Here we list the types
again with their assigned code fields.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]

        Codes
            0  No Code

  1     Unassigned                                  [JBP]

  2     Unassigned                                  [JBP]

  3     Destination Unreachable                  [RFC792]

	Codes
	    0  Net Unreachable
	    1  Host Unreachable
            2  Protocol Unreachable
            3  Port Unreachable
            4  Fragmentation Needed and Don't Fragment was Set
            5  Source Route Failed
            6  Destination Network Unknown
            7  Destination Host Unknown
            8  Source Host Isolated
            9  Communication with Destination Network is
               Administratively Prohibited
           10  Communication with Destination Host is
               Administratively Prohibited
           11  Destination Network Unreachable for Type of Service
           12  Destination Host Unreachable for Type of Service
           13  Communication Administratively Prohibited      [RFC1812]
           14  Host Precedence Violation                      [RFC1812]
           15  Precedence cutoff in effect                    [RFC1812]


  4     Source Quench                            [RFC792]
        Codes
            0  No Code

  5     Redirect                                 [RFC792]

        Codes
            0  Redirect Datagram for the Network (or subnet)
            1  Redirect Datagram for the Host
            2  Redirect Datagram for the Type of Service and Network
            3  Redirect Datagram for the Type of Service and Host

  6     Alternate Host Address                      [JBP]

        Codes
            0  Alternate Address for Host

  7     Unassigned                                  [JBP]

  8     Echo                                     [RFC792]

        Codes
            0  No Code

  9     Router Advertisement                    [RFC1256]

        Codes
            0  No Code

 10     Router Selection                        [RFC1256]

        Codes
            0  No Code

 11     Time Exceeded                            [RFC792]

        Codes
            0  Time to Live exceeded in Transit
            1  Fragment Reassembly Time Exceeded

 12     Parameter Problem                        [RFC792]

        Codes
            0  Pointer indicates the error
            1  Missing a Required Option        [RFC1108]
            2  Bad Length


 13     Timestamp                                [RFC792]

        Codes
            0  No Code

 14     Timestamp Reply                          [RFC792]

        Codes
            0  No Code

 15     Information Request                      [RFC792]

        Codes
            0  No Code

 16     Information Reply                        [RFC792]

        Codes
            0  No Code

 17     Address Mask Request                     [RFC950]

        Codes
            0  No Code

 18     Address Mask Reply                       [RFC950]

        Codes
            0  No Code

 19     Reserved (for Security)                    [Solo]

 20-29  Reserved (for Robustness Experiment)        [ZSu]

 30     Traceroute                              [RFC1393]

 31     Datagram Conversion Error               [RFC1475]

 32     Mobile Host Redirect              [David Johnson]

 33     IPv6 Where-Are-You                 [Bill Simpson]

 34     IPv6 I-Am-Here                     [Bill Simpson]

 35     Mobile Registration Request        [Bill Simpson]

 36     Mobile Registration Reply          [Bill Simpson]

 39     SKIP                                    [Markson]

 40     Photuris                                [Simpson]

 

1 2 3 6