
I am trying to establish a site-to-site VPN from Google Cloud to my home. I am using the route-based VPN option in Google Cloud, and I see that the connection is established from my home to Google Cloud. When I ping my home network from a Google Compute instance, I can see the incoming traffic at home. But the Google Compute instance is not receiving any traffic. I have the following routes:

  • Default route: destination 0.0.0.0/0, next hop Internet gateway (automatically created)
  • Default route: destination 192.168.2.0/24, next hop vpc-network (automatically created)
  • Route: destination 192.168.1.0/24, next hop vpn-tunnel (I created this to route traffic from GCP to my home)

The firewall is open from any IP to the VPC network.

I am thinking it is a Routing/Firewall problem, but lost on the next steps to debug. Any help is appreciated.

NCY
  • It indeed sounds like a firewall/routing issue. Can you post your GCP firewall rules and routes? Also, I would recommend using policy-based instead, since you only have one network on each side. – Notauser Apr 04 '19 at 18:44
  • Thanks Notauser. Please see the following link [Firewall and Routes](https://imgur.com/a/7TpcaJW). – NCY Apr 06 '19 at 14:23
  • Is the VPN endpoint at home a different device than your router? Like a PC with VPN software? – Notauser Apr 08 '19 at 02:54
  • I have Unifi USG at home. I used tcpdump on the router and verified that the traffic is coming in to my home network from the Google instance and the reply going back (I did a ping). I don't see anything on the Google instance itself though. – NCY Apr 08 '19 at 13:19
  • The Google Cloud configuration seems correct, although opening your VPC to 0.0.0.0/0 is dangerous. You should restrict it to 192.168.1.0/24. Is the Unifi USG taking care of VPN as well as the routing? I'm asking because if they are different you might need a static route to tell your home PCs to route 192.168.2.0 through the VPN (i.e. for Windows): `route add 192.168.2.0 255.255.255.0 192.168.1.254 -p`, where 192.168.1.254 would be your VPN device, for example. The -p is to make it persistent. – Notauser Apr 08 '19 at 13:36
  • The Unifi USG takes care of both VPN and routing. When I print the route table on the router I see an entry like `S>* 192.168.2.0/24 [30/0] is directly connected, vti64`. vti64 is the VPN interface. Also, tcpdump on the router shows the traffic coming into my home network and the replies going back to GCP (an ssh request from the GCP instance and the corresponding response from my home network, for example). At this point, I can be reasonably sure that the packets are coming in and leaving the home network. – NCY Apr 09 '19 at 19:57
  • Interesting, it's good to know that tcpdump shows packets entering the tunnel back from your home network. Can you set the priority to 900 for your 'google-vpn-tunnel-route-1' route? I'm thinking it might conflict with other default routes since the priority is the same. Setting it to 900 gives it higher priority and it should be considered first. Could you also confirm whether you did a packet capture on the GCP side at the VM level to see if packets are reaching back at all? – Notauser Apr 10 '19 at 15:47
  • Tcpdump on the Google VM side did not show any packets coming in. I will try priority 900 and will let you know. I keep dismantling my VPN setup to not incur charges :-). – NCY Apr 14 '19 at 13:11

1 Answer


Reading the previous comments I can see that:

  • Your firewall rules to allow connections from the on-prem network seem to be OK.
  • The routes from GCP to on-prem, and from on-prem to GCP seem to be OK as well.

There is a troubleshooting document published by Google that may be useful for your case. In the section named "Connectivity works for some VMs, but not for others", it says that "you might have traffic selectors that exclude certain sources or destinations". This may be happening since you have a route-based VPN.

The document suggests deleting and re-creating the tunnel in order to change the traffic selectors for the Cloud VPN tunnel. When creating the new tunnel, you only have to specify the remote traffic selector, as mentioned in the GCP document for creating a route-based VPN. It looks like it's 192.168.1.0/24, since that's the only route using the VPN tunnel as a gateway in the screenshot you provided.

Good luck!

Alfredo GH
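To make the two failure modes discussed above concrete (a route that never sends the packet into the tunnel, and a tunnel whose traffic selectors exclude the packet), here is an added Python model of the decision, written for this answer rather than taken from Google's tooling. It assumes the routes and selectors shown in the question (constructed data; GCP route selection is longest prefix match first, then the lowest priority value).

```python
import ipaddress

# Constructed to mirror the question: VPC 192.168.2.0/24, home network 192.168.1.0/24.
# (destination, next hop, priority): lower priority value wins among equal prefix lengths.
GCP_ROUTES = [
    ("0.0.0.0/0", "default-internet-gateway", 1000),
    ("192.168.2.0/24", "vpc-network", 1000),
    ("192.168.1.0/24", "vpn-tunnel", 1000),
]

# Constructed tunnel traffic selectors. Traffic outside them is dropped by the tunnel,
# even when the VPC route already points at the tunnel.
TUNNEL_SELECTORS = {"local": ["192.168.2.0/24"], "remote": ["192.168.1.0/24"]}


def select_route(dst, routes):
    """Return the next hop GCP picks for dst: longest prefix, then lowest priority."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(d), hop, prio)
                  for d, hop, prio in routes if addr in ipaddress.ip_network(d)]
    if not candidates:
        return None
    _, hop, _ = max(candidates, key=lambda c: (c[0].prefixlen, -c[2]))
    return hop


def covered(addr, selectors):
    """True if addr falls inside at least one selector prefix."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(s) for s in selectors)


def tunnel_allows(src, dst, selectors):
    """The outbound packet must match local->remote; the reply is the mirror image."""
    return covered(src, selectors["local"]) and covered(dst, selectors["remote"])


def diagnose(src, dst, routes=GCP_ROUTES, selectors=TUNNEL_SELECTORS):
    """Explain why a packet from src to dst does or does not traverse the tunnel."""
    hop = select_route(dst, routes)
    if hop != "vpn-tunnel":
        return f"routed via {hop}, never enters the tunnel"
    if not tunnel_allows(src, dst, selectors):
        return "routed to the tunnel but outside its traffic selectors: dropped"
    return "ok: routed to the tunnel and inside its traffic selectors"


if __name__ == "__main__":
    print(diagnose("192.168.2.5", "192.168.1.10"))
    narrow = {"local": ["192.168.2.0/24"], "remote": ["192.168.1.128/25"]}
    print(diagnose("192.168.2.5", "192.168.1.10", selectors=narrow))
```

Running it with a selector narrower than the destination reproduces the "packets leave home but never arrive at the VM" symptom from the comments, which tcpdump on the VM cannot distinguish from a routing problem.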