
In the Google Cloud documentation it describes how to create a route-based VPN using gcloud. When I follow the instructions, it always creates a VPN tunnel with policy-based routing. It is different from the ones created via the console.

I am using the following calls to create the VPN tunnel and the related route:

gcloud compute vpn-tunnels create my-vpn-tunnel \
--peer-address=[IP OF MY ON PREMISES NW GATEWAY] \
--ike-version=1 \
--shared-secret=[MY SECRET KEY] \
--local-traffic-selector=10.132.0.0/24 \
--remote-traffic-selector=10.25.101.0/24 \
--target-vpn-gateway=vpn-data-gateway \
--region=europe-west1 \
--project=[MY PROJECT NAME] 

gcloud compute routes create my-vpn-tunnel-route \
--destination-range 10.25.101.0/24 \
--next-hop-vpn-tunnel my-vpn-tunnel \
--network default \
--next-hop-vpn-tunnel-region europe-west1 \
--project [MY PROJECT NAME] 

The resulting routing in the VPN tunnel is shown in the figure below:

routing information for tunnel created via gcloud

When I create a route-based VPN manually via the console, the result is shown in the figure below:

routing information for tunnel created via console

Do you know if there is an undocumented parameter to indicate that the tunnel should be route-based, or if the resulting policy-based VPN functions as a route-based VPN?

kokeksibir

2 Answers


I think you are using the wrong command; as per the GCP documentation on “Creating a Route Based VPN”, the command should be like this:

gcloud compute vpn-tunnels create [TUNNEL_NAME] \
--peer-address [ON_PREM_IP] \
--ike-version [IKE_VERS] \
--shared-secret [SHARED_SECRET] \
--local-traffic-selector=0.0.0.0/0 \
--remote-traffic-selector=[REMOTE_IP_RANGES] \
--target-vpn-gateway [GW_NAME] \
--region [REGION] \
--project [PROJECT_ID]

The --local-traffic-selector is set to 0.0.0.0/0. For auto-mode VPC networks and legacy networks, you can omit the --local-traffic-selector option because those networks have default local traffic selectors.

Nur

Google Cloud documentation has been updated as follows:

Both the --local-traffic-selector and --remote-traffic-selector are set to any (0.0.0.0/0). For route based VPNs, traffic selectors remain “wide open,” leaving it up to routes in each network to direct traffic to the VPN tunnel.

So the problem was due to missing documentation and has been resolved.

kokeksibir
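Both answers come down to the same distinction: a tunnel is route-based only when both traffic selectors are 0.0.0.0/0, and then a static route must steer traffic into it. The audit below is an added example, not code from the question, the answers or Google; it applies that rule to records shaped like the JSON output of `gcloud compute vpn-tunnels describe` and `gcloud compute routes list` (fields `localTrafficSelector`, `remoteTrafficSelector`, `nextHopVpnTunnel`, `destRange`, `selfLink`). The tunnel and route records, the project name and the URLs are constructed for the example.

```python
"""Audit Cloud VPN tunnels: route-based vs policy-based, and orphaned tunnels.
Sample records below are constructed; real input would come from gcloud --format=json."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def is_wide_open(selectors):
    """True only if there is at least one selector and every one is 0.0.0.0/0."""
    nets = [ipaddress.ip_network(s) for s in selectors]
    return bool(nets) and all(n == ANY for n in nets)

def classify_tunnel(tunnel):
    """Route-based needs both selectors wide open; anything narrower is policy-based."""
    if is_wide_open(tunnel.get("localTrafficSelector", [])) and \
       is_wide_open(tunnel.get("remoteTrafficSelector", [])):
        return "route-based"
    return "policy-based"

def routes_for_tunnel(tunnel, routes):
    """Static routes reference the tunnel by its selfLink in nextHopVpnTunnel."""
    return sorted(r["destRange"] for r in routes
                  if r.get("nextHopVpnTunnel") == tunnel["selfLink"])

def audit(tunnels, routes):
    """Per tunnel: its kind, the routes steering traffic into it, and a warning
    when a route-based tunnel has no route at all (no traffic will ever use it)."""
    report = {}
    for t in tunnels:
        kind = classify_tunnel(t)
        dests = routes_for_tunnel(t, routes)
        report[t["name"]] = {"kind": kind, "routes": dests,
                             "warning": kind == "route-based" and not dests}
    return report

# Constructed sample data; "example-project" is a placeholder project name.
BASE = ("https://www.googleapis.com/compute/v1/projects/example-project/"
        "regions/europe-west1/vpnTunnels/")
SAMPLE_TUNNELS = [
    {"name": "my-vpn-tunnel", "selfLink": BASE + "my-vpn-tunnel",          # as in the question
     "localTrafficSelector": ["10.132.0.0/24"], "remoteTrafficSelector": ["10.25.101.0/24"]},
    {"name": "vpn-route-based", "selfLink": BASE + "vpn-route-based",      # as in the answer
     "localTrafficSelector": ["0.0.0.0/0"], "remoteTrafficSelector": ["0.0.0.0/0"]},
    {"name": "vpn-orphan", "selfLink": BASE + "vpn-orphan",                # wide open, no route
     "localTrafficSelector": ["0.0.0.0/0"], "remoteTrafficSelector": ["0.0.0.0/0"]},
]
SAMPLE_ROUTES = [
    {"name": "my-vpn-tunnel-route", "destRange": "10.25.101.0/24", "nextHopVpnTunnel": BASE + "my-vpn-tunnel"},
    {"name": "rb-route", "destRange": "10.25.101.0/24", "nextHopVpnTunnel": BASE + "vpn-route-based"},
]

if __name__ == "__main__":
    for name, info in audit(SAMPLE_TUNNELS, SAMPLE_ROUTES).items():
        print(name, info)
```

Run against real output, the question's tunnel is reported as policy-based despite its static route, while a tunnel created with the answer's selectors is route-based; the warning flags the case where the selectors are right but the route step was skipped.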