Google cloud gateway


Here's a (final/working) config in case anyone else wants to do this:


crypto ikev2 proposal gcp-ikev2-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 2 5 14 15 16

crypto ikev2 policy gcp-ikev2-policy-1
 match fvrf any
 proposal gcp-ikev2-proposal-1

crypto ikev2 profile gcp-ikev2-profile-1
 match identity remote address gcp.gcp.gcp.gcp
 identity local address
 authentication remote pre-share key xxxxxxxxxxxx
 authentication local pre-share key xxxxxxxxxxxx
 lifetime 10800

crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile gcp-ipsec-profile-1
 set transform-set gcp-tset-1
 set pfs group14
 set ikev2-profile gcp-ikev2-profile-1

interface Tunnel0
 ip address
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination gcp.gcp.gcp.gcp
 tunnel protection ipsec profile gcp-ipsec-profile-1



And then configure BGP or maybe static routes as required.

After adding in the Tunnel0 interface config it just started working straight away. So I guess my config was right all along, it's just some other aspect of IPsec that wasn't happy with something missing… Yay misleading debug output. :-/

Hope that helps someone else.
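
Added example, not part of the original post: the post reports that the tunnel only came up once the Tunnel0 stanza was added, so this Python check reads an IOS-style config and reports crypto objects that are referenced but never defined, plus IPsec profiles that no interface applies with "tunnel protection". It assumes sub-commands are indented as in running-config output; the function name and both sample configs are constructed for illustration, reusing the object names from the post.

```python
import re

# Constructed sample: the post's object names, with the Tunnel0 stanza left out.
SAMPLE_WITHOUT_TUNNEL = """\
crypto ikev2 proposal gcp-ikev2-proposal-1
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
crypto ikev2 policy gcp-ikev2-policy-1
 proposal gcp-ikev2-proposal-1
crypto ikev2 profile gcp-ikev2-profile-1
 lifetime 10800
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
crypto ipsec profile gcp-ipsec-profile-1
 set transform-set gcp-tset-1
 set ikev2-profile gcp-ikev2-profile-1
"""
SAMPLE_WITH_TUNNEL = SAMPLE_WITHOUT_TUNNEL + """\
interface Tunnel0
 tunnel protection ipsec profile gcp-ipsec-profile-1
"""

# Stanza header pattern -> kind of object that header defines
DEFINES = {
    r"crypto ikev2 proposal (\S+)": "ikev2 proposal",
    r"crypto ikev2 profile (\S+)": "ikev2 profile",
    r"crypto ipsec transform-set (\S+)": "transform-set",
    r"crypto ipsec profile (\S+)": "ipsec profile",
}
# Indented sub-command pattern -> kind of object it refers to
REFERS = {
    r"proposal (\S+)": "ikev2 proposal",
    r"set ikev2-profile (\S+)": "ikev2 profile",
    r"set transform-set (\S+)": "transform-set",
    r"tunnel protection ipsec profile (\S+)": "ipsec profile",
}

def check_config(text):
    defined, used = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        # Indented lines are sub-commands (references); others are stanza headers.
        table, bucket = (REFERS, used) if line[0].isspace() else (DEFINES, defined)
        for pattern, kind in table.items():
            m = re.match(pattern, line.strip())
            if m:
                bucket.add((kind, m.group(1)))
    problems = [f"undefined {k} {n}" for k, n in sorted(used - defined)]
    problems += [f"ipsec profile {n} is not applied to any tunnel interface"
                 for k, n in sorted(defined - used) if k == "ipsec profile"]
    return problems
```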