A libreswan configuration that works with Google Cloud VPN (Classic)

1 minute read Published: 2019-11-30

It turns out getting libreswan to play nicely with Google Cloud VPN (Classic) is much harder than it needs to be. There are various Medium and mailing list posts about this, but none of the solutions actually survive a rekey. So here's what works.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)
# rpm -q libreswan
libreswan-3.25-8.1.0.1.el7_7.x86_64

/etc/ipsec.d/gcp.secrets

[OUR PUBLIC IP] [GCP TUNNEL IP] : PSK "MYPRESHAREDSECRETHERE"

/etc/ipsec.d/gcp.conf

conn gcp
	left=[OUR PUBLIC IP]
	leftsubnet=[OUR PRIVATE NETWORK]/24
	leftsourceip=[OUR PRIVATE IP]
	right=[GCP TUNNEL IP]
	rightsubnet=10.240.0.0/16
	auto=start
	authby=secret
	ikev2=insist

	ike=aes_gcm_c-256-sha2_512;modp4096
	ikelifetime=10h

	phase2alg=aes_gcm_c-256-null;modp8192
	lifetime=3h

	keyingtries=%forever

	dpddelay=15
	dpdtimeout=30
	dpdaction=restart