
I have an issue with Google Cloud VPN and tunneling to a peer VPN. The tunnel is up and running but I cannot connect to any points on the peer network from my GCE VM.

My setup looks like the following:

  • A custom VPC network with one internal IP range. Let's call it custom-net
  • A classic VPN Gateway with an IPSec tunnel to a peer VPN. The tunnel has status Established. The VPN Gateway has a reserved IP address. The VPN Gateway's VPC network is custom-net.
  • Three routes on custom-net:
    • Local route to the only subnet, prio 1000
    • To default internet gateway, prio 900
    • To the gateway tunnel, prio 1000
  • A fresh Linux VM in GCE. Let's call it vm1. It has one network interface on custom-net, on its only subnetwork.
  • Two firewall rules in GC that allow everything Ingress and Egress.

I can connect to vm1 with ssh and access the internet from it, but I cannot access any points in the peer VPN despite the tunnel's status being Established. The IP range on custom-net does not overlap with any ranges on the peer network.

What could be the issue here? I'm a novice in network setups. Could it be something missing in the routing, or do I have to do some configuration in vm1 to get this to work?

Any help appreciated!


1 Answer


For the routes, Google Cloud automatically creates one route for each remote IP range you specify. This shouldn't be an issue.

That said, several points can be checked to further troubleshoot this:

  • If you use a policy-based tunnel, make sure the IP addresses you are trying to reach are declared in your traffic selectors. Moreover, check the Stackdriver logs for the tunnel to see if the aforementioned IP ranges are being negotiated. You can use this advanced filter:

    resource.type="vpn_gateway" resource.labels.gateway_id="your_gateway_id" textPayload="established"

    Kindly expand the logs and check the "textPayload:" field to see if the destination IP range is being negotiated.

  • Confirm you can ping the remote peer gateway from VMs in GCP.

  • Run mtr from both sides to see where packets are being dropped.

  • Get tcpdumps from the remote gateway and from the Google Compute Engine instance while doing connectivity tests (ping, mtr) so you can analyze the packet flow.

  • See the VPN Interop Guides page for guides that describe some supported third-party VPN devices and services. This may give you some tips on how to configure specific devices to work with Cloud VPN.

  • Consult Cloud VPN Troubleshooting for additional details.

I hope this helps.

answered 2020-04-02T01:39:19.713
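The two checks the answer leads with (which route a destination actually takes, and whether that destination falls inside a traffic selector the tunnel negotiated) can be scripted offline against exported data. The following is an added example, not code from the answer, the question, or Google's tooling. The route table is constructed to resemble the question's custom-net (the subnet 10.10.0.0/24, the peer range 192.168.50.0/24 and the gateway id gw-1 are all made-up values), and the log entries are constructed in the shape the answer describes (resource.type vpn_gateway, a textPayload mentioning "established" and CIDR ranges); the real Cloud VPN payload wording is not reproduced here. Route selection follows Google Cloud's documented order: the most specific destination prefix wins, and among equal prefixes the lower priority value wins.

```python
import ipaddress
import re

# Constructed route table modelled on the question's custom-net setup.
# GCP picks the longest matching prefix first; among equal prefixes the
# lower "priority" number wins (900 beats 1000).
ROUTES = [
    {"name": "local-subnet", "dest": "10.10.0.0/24",
     "next_hop": "subnet", "priority": 1000},
    {"name": "default-internet", "dest": "0.0.0.0/0",
     "next_hop": "default-internet-gateway", "priority": 900},
    {"name": "to-peer-via-tunnel", "dest": "192.168.50.0/24",
     "next_hop": "vpn-tunnel", "priority": 1000},
]

# Constructed Stackdriver-style entries (hypothetical gateway id gw-1).
LOG_ENTRIES = [
    {"resource": {"type": "vpn_gateway", "labels": {"gateway_id": "gw-1"}},
     "textPayload": "IKE_SA established; child SA with TS 10.10.0.0/24 === 192.168.50.0/24"},
    {"resource": {"type": "vpn_gateway", "labels": {"gateway_id": "gw-1"}},
     "textPayload": "received DELETE for CHILD_SA"},
]

CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def select_route(dst_ip, routes=ROUTES):
    """Return the route GCP would use for dst_ip: longest prefix, then lowest priority value."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["dest"])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r["dest"]).prefixlen, -r["priority"]))


def negotiated_ranges(entries, gateway_id):
    """Mirror the answer's log filter: vpn_gateway entries for one gateway whose
    textPayload contains 'established'; collect every CIDR mentioned in them."""
    ranges = set()
    for entry in entries:
        res = entry.get("resource", {})
        if res.get("type") != "vpn_gateway":
            continue
        if res.get("labels", {}).get("gateway_id") != gateway_id:
            continue
        payload = entry.get("textPayload", "")
        if "established" not in payload:
            continue
        for cidr in CIDR_RE.findall(payload):
            ranges.add(ipaddress.ip_network(cidr, strict=False))
    return ranges


def diagnose(dst_ip, gateway_id="gw-1", routes=ROUTES, entries=LOG_ENTRIES):
    """Return a list of findings; an empty list means routing and selectors both look right."""
    findings = []
    route = select_route(dst_ip, routes)
    if route is None:
        findings.append("no matching route")
    elif route["next_hop"] != "vpn-tunnel":
        findings.append(f"route {route['name']} sends traffic to "
                        f"{route['next_hop']}, not the tunnel")
    ip = ipaddress.ip_address(dst_ip)
    if not any(ip in net for net in negotiated_ranges(entries, gateway_id)):
        findings.append("destination not in any negotiated traffic selector")
    return findings


if __name__ == "__main__":
    for target in ("192.168.50.10", "192.168.60.5"):
        print(target, diagnose(target) or ["ok"])
```

The second target above is deliberately outside the peer range: it falls through to the default internet route and is absent from the negotiated selectors, which is exactly the pattern to look for when a tunnel is Established but hosts behind it stay unreachable.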