
[Published KBA Suggestion] Sophos XG IPsec VPN to Google Cloud Platform


Just a quick and simple how-to.


Let's concentrate on the Google Cloud Platform first:

Navigate to Networking>Hybrid Connections>VPN and click on the +Create button 

  • Name: Lowercase letters, numbers and hyphens only (no spaces)
  • Description: Go nuts
  • Network: Either pick your virtual network or use "Default"
  • Region: Same region as your VMs/services
  • IP address: If you already have a reservation here and it's free you can pick it, or create a new reservation by clicking "Create IP address"

In the Tunnels Section:

  • Name: Lowercase letters, numbers and hyphens only (no spaces)
  • Description: Again go nuts
  • Remote peer IP address: your XG's external IP
  • IKE version: IKEv2 
  • Shared Secret: enter a secret here or click "Generate" (and copy it someplace safe as we will need this a little later)
  • Routing options: Policy-based - enter your remote and local networks

Click done and the platform will spin the VPN config into life.


On your XG, navigate to Configure > VPN > IPsec Connections:

  • Click Add
  • Name: something suitable please :)
  • Description: You may want to put something here :)
  • IP Version: IPv4
  • Connection Type: Site-to-Site
  • Gateway Type: Initiate the connection (previously Respond Only; if set to "Respond only" no more than one Child SA will come up) **
  • Policy: Your cloned/modified IKEv2 policy - *see the note below; save the cloned policy, then select it here
  • Authentication Type: Preshared Key - and enter the secret you either typed or generated earlier
  • Local Gateway: your WAN Port/IP
  • Local ID Type / Local ID: not used
  • Gateway Address: Your Google IP Address (you can find this on your GCP VPN page)
  • Remote ID Type / Remote ID: not used
  • Add your local & remote networks as needed


*With the default IKEv2 policy I could not get the tunnel up - luckily, looking at the logs showed that the GCP end only wanted to use DH2048, so cloning the IKEv2 policy and removing all but DH2048 from the DH Group selection fixed this.

** Thus far I have been unable to raise more than one Child SA per tunnel. I'm pretty sure this is expected behaviour now, as from the logs GCP VPN does not send more than one Child SA initialisation. The workaround here is to use a supernet or all-encompassing subnet for the networks on your XG end, or bring up other tunnels making use of spare alias WAN IPs on your XG, or masq/NAT your traffic. I'm still actively trying to find a cleaner workaround and will update when I'm successful.

Once complete, save and switch on the VPN. The Google end may take a little time at first to bring up the tunnel, and you may see "Waiting for full config" for a few minutes before it successfully reports that it's up.

Don't forget your firewall rules.

Hope this helps, regards



Edit notes: Updated for single Child SA work around
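The single-Child-SA note above suggests summarising the XG-side subnets into one supernet. As an added example (not code from the original post, nor from Sophos or Google), this Python helper computes the smallest covering prefix for a set of local subnets and flags any GCP-side subnet that the wider prefix would overlap, which is the case where the supernet workaround must not be used. All network values are constructed samples.

```python
import ipaddress


def covering_supernet(networks):
    """Return the smallest single prefix that contains every network given.

    GCP only negotiates one Child SA per tunnel (see note ** above), so one
    summarising prefix is what the XG-side traffic selector has to carry
    when several LAN subnets need the tunnel.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 networks cannot share one prefix")
    agg = nets[0]
    for net in nets[1:]:
        # Widen the prefix one bit at a time until it contains `net`.
        while not (agg.network_address <= net.network_address
                   and net.broadcast_address <= agg.broadcast_address):
            agg = agg.supernet()
    return agg


def plan_single_selector(local_networks, remote_networks):
    """Summarise the local side into one prefix and report what it costs.

    Returns the supernet, how many addresses it adds beyond the real subnets,
    and which remote (GCP) networks the wider prefix would overlap. Any
    overlap means the selectors would collide, so the post's other
    workarounds (extra WAN alias tunnels, or NAT) apply instead.
    """
    agg = covering_supernet(local_networks)
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    real = sum(n.num_addresses for n in ipaddress.collapse_addresses(locals_))
    remotes = [ipaddress.ip_network(n, strict=False) for n in remote_networks]
    overlaps = [str(r) for r in remotes
                if r.version == agg.version and agg.overlaps(r)]
    return {
        "supernet": str(agg),
        "extra_addresses": agg.num_addresses - real,
        "overlapping_remote": overlaps,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the post or any real deployment.
    xg_lans = ["10.1.10.0/24", "10.1.20.0/24", "10.1.33.0/24"]
    gcp_subnets = ["10.128.0.0/20", "10.1.40.0/24"]
    print(plan_single_selector(xg_lans, gcp_subnets))
```

A non-empty `overlapping_remote` list is the signal to pick one of the other workarounds from the note rather than widening the local selector.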

[locked by: SupportFlo at 7:52 PM (GMT -7) on 21 Sep 2018]