
I have a VM on Google Cloud serving as a VPN gateway. I have followed the steps in this documentation: https://cloud.google.com/vpc/docs/special-configurations#settingupvpn

The ipsec.conf I use is:

conn cnt
  authby=psk
  auto=start
  dpdaction=hold
  esp=3des-sha1
  forceencaps=yes
  ike=3des-sha1-modp1024
  ikelifetime=1440m
  keyexchange=ikev1
  mobike=no
  type=tunnel
  left=%any
  leftid=x.x.x.x
  leftsubnet=10.0.1.0/24
  leftauth=psk
  leftikeport=4500
  right=x.x.x.x
  rightsubnet=0.0.0.0/0
  rightauth=psk
  rightikeport=4500

Everything works fine until I start the strongSwan server. The VPN connection succeeds, but once it succeeds the SSH session fails and I cannot start it again. I have used the browser console, tried from the GC shell, tried from my PC, and it still does not let me in.

The error I got says:

OpenSSH_7.4p1 Debian-10+deb9u6, OpenSSL 1.0.2r  26 Feb 2019
debug1: Reading configuration data /home/myusername/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.

It stays there for a couple of minutes and then I get this error:

ssh: connect to host x.x.x.x port 22: Connection timed out
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

I have tried with other SSH keys, deleted the already generated ones and created new ones, and it did not work.

I have also checked the firewall and I believe it is well configured, but I also think that the problem resides there.

I configured the firewall using the command:

gcloud compute firewall-rules create ssh --source-ranges 0.0.0.0/0 \
    --allow tcp:22 \
    --network vpn-network

I have also changed the priority of that firewall rule and it is still not working.

I have also repeated the process from scratch with another instance, IPs and regions, and the SSH connection fails once the VPN establishes.

I have also tried to increase the disk size and it did not work.

I have connected to the serial console and it looks like everything in the VM is working fine and the VPN is running as expected.

Any help will be very appreciated :)

  • Think about the VPN connection you configured and the impact `rightsubnet=0.0.0.0/0` has. – ecdsa Mar 11 '19 at 15:01
  • The subnet has been changed, and I also tried configuring using GCloud VPN and the same happens. Once the VPN is up I cannot access SSH – Joelo Paredes Mar 14 '19 at 14:37
  • You should probably update the question with your current config. Also, masking the IPs doesn't help because we don't see which IP you tried to reach and whether there are conflicts with IPsec tunnels etc. (with `0.0.0.0/0` the conflict was obvious). You could also try to add a [passthrough policy for SSH](https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#For-specific-protocols-or-ports) to allow that traffic outside the tunnel despite whatever subnets are negotiated. – ecdsa Mar 14 '19 at 15:09
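The point ecdsa's comments make, shown as an added example that is not part of the question, the comments or the answer: with `rightsubnet=0.0.0.0/0` every packet the VM sends from its 10.0.1.0/24 address, including the reply half of the administrator's SSH session, matches the tunnel's remote traffic selector and is pushed into IPsec, so the TCP handshake from outside never completes. The script below parses the `rightsubnet` of a conn out of an ipsec.conf, checks whether a given client address falls inside it, and prints the kind of strongSwan passthrough (bypass) policy the linked wiki page describes. The conn name `cnt`, the addresses 198.51.100.1, 203.0.113.10 and 10.0.1.2, the sample config and the `pass-ssh` stanza are constructed assumptions; the `[tcp/22]` selector suffix assumes strongSwan 5.1 or later.

```shell
#!/bin/sh
# Added example (not from the question, the comments or the answer): decide whether
# an SSH client's address lies inside the tunnel's remote traffic selector
# (rightsubnet) and print a strongSwan passthrough conn that keeps tcp/22 to the
# VM out of IPsec. All addresses, names and the sample config are constructed.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR: exit 0 when IP lies inside CIDR (a bare IP means /32).
ip_in_cidr() {
    case $2 in */*) cidr=$2 ;; *) cidr=$2/32 ;; esac
    ip=$(ip2int "$1")
    net=$(ip2int "${cidr%/*}")
    bits=${cidr#*/}
    [ "$bits" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# conn_remote_subnet CONN < ipsec.conf: print that conn's rightsubnet value.
conn_remote_subnet() {
    awk -v want="$1" '
        $1 == "conn" { cur = $2 }
        cur == want && $1 ~ /^rightsubnet=/ { sub(/^rightsubnet=/, "", $1); print $1; exit }
    '
}

# ssh_swallowed_by_tunnel CLIENT_IP CONN < ipsec.conf: exit 0 when replies to
# CLIENT_IP match the conn's remote selector (one or more comma-separated
# subnets), i.e. the kernel IPsec policy sends them into the tunnel instead
# of back out of the VM's interface.
ssh_swallowed_by_tunnel() {
    ts=$(conn_remote_subnet "$2")
    _ifs=$IFS; IFS=,
    set -- "$1" $ts
    IFS=$_ifs
    client=$1; shift
    for subnet in "$@"; do
        ip_in_cidr "$client" "$subnet" && return 0
    done
    return 1
}

# Constructed config mirroring the question's shape (IKEv1, PSK, 0.0.0.0/0 remote).
SAMPLE_CONF='conn cnt
  keyexchange=ikev1
  authby=psk
  left=%any
  leftsubnet=10.0.1.0/24
  right=198.51.100.1
  rightsubnet=0.0.0.0/0
  auto=start
'

# ssh_passthrough_conn VM_IP: print a bypass policy for SSH to the VM's own
# interface address. type=passthrough installs a kernel policy that exempts the
# traffic from IPsec; the narrower selector (single host + port) outranks the
# tunnel's 0.0.0.0/0. Assumption: strongSwan >= 5.1 ipsec.conf syntax for the
# [proto/port] suffix on subnets.
ssh_passthrough_conn() {
    cat <<EOF
conn pass-ssh
  leftsubnet=$1[tcp/22]
  rightsubnet=0.0.0.0/0
  authby=never
  type=passthrough
  auto=route
EOF
}

# Demonstration: an administrator connecting from the constructed public
# address 203.0.113.10 while the sample tunnel is up.
if printf '%s' "$SAMPLE_CONF" | ssh_swallowed_by_tunnel 203.0.113.10 cnt; then
    echo "rightsubnet covers 203.0.113.10: SSH replies will enter the tunnel"
    ssh_passthrough_conn 10.0.1.2
fi
```

After adding the stanza and running `ipsec reload`, confirm with `ip xfrm policy` that bypass entries for tcp port 22 (policies without a `tmpl` line) are present with a lower priority number than the tunnel's 0.0.0.0/0 policy; in xfrm, the lower number wins. Narrowing `rightsubnet` to the actual remote network is still the better fix, and the passthrough is the fallback when 0.0.0.0/0 must be negotiated.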

1 Answer


You can run a traceroute and confirm where the network traffic through port 22 is blocked:

$ traceroute -T -p 22 <IP address>

Also check if you have the correct firewall rules configured in your on-premises site to allow the network traffic through port 22.

If the on-premises firewall rules are correct, you can share the traceroute result here.
