Messages - rbed

#1
Apparently the wrong route was chosen on the way back from the tunnel and then the response was eaten by the bridging firewall.
#2
That's the not so well documented setup I inherited. The .99 is there because we didn't want to mess around with our live FW.
#3
Here's one. I hope that helps.
Actually I'm not 100% sure whether or not .99's traffic is passing through .66 or not.
#4
Some more intel:

I see the traffic DC -> GCP coming through in the FW logs on .99. I can also see it in the FW logs within the GCP in the allow-ingress rule I've set up.
I can then also see traffic going back within the GCP but apparently it's lost after that.
#5
The OPNsense VPN Gateway (.99) is not the default gateway (that's .65).

The Azure guide https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html had "respond only" in it; that's why.

I was wondering about the /128, too, but I cannot change it.
#6
LAN is the only interface (I deleted the weird OPT1)
#7
Tunnel details for the Azure guide setup
#8
enable policy checked
#9
Here's the original setup that works one-way.

The tunnel has "install policy" checked - without it, I can't ping GCP -> DC.

/edit: only 4 attachments allowed, need to split the post
#10
Quote from: mimugmail on September 13, 2021, 04:58:36 PM
Can you post screenshots please?

Sure, of what exactly?
#11
Quote from: mimugmail on September 13, 2021, 01:52:16 PM
The description of your VPN will be the name of the IPsec interface. If it's empty you'll have ipsec1000. Just look for the description. If there is no interface, your config is not correct.

Thanks for the quick reply! Any idea what might not be "correct"?
And what's the deal with 10.111.1.1 / 10.111.1.2 in the Azure guide? What's their purpose? I'm not quite sure where to put the one on the GCP end.
#12
Additional bit of information: In my actual gateway/FW I see block events for 10.255.255.250 -> x.x.x.111 but not vice versa. Why is that?

If the traffic goes through the tunnel I shouldn't see it here. If it does not, I should not see any. It looks like the request DC -> GCP goes past the firewall but the response does not ...

My default DC gateway/FW is x.x.x.65. The tunnel runs on x.x.x.99
#13
Sadly, the guide has

Quote: Step 3 - Set MSS Clamping

(Under Interfaces ‣ IPsec Azure) We will use the following settings:

But there is no such (equivalent) iface - where should it come from? I only have LAN and OPT1 (whatever that is). :/

Plus, there's also an iface "IPSEC1000" in this guide and I have no idea where it comes from.
#14
Quote from: mimugmail on September 11, 2021, 07:55:50 PM
GCP is route based IPsec, you need a different guide, like Azure

Do you have one you can link?

/edit: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html ?
#15
Quote from: fabian on September 11, 2021, 05:28:13 PM
enc0 is a virtual IPsec interface

Ah thanks, that's what I thought. Then I'd figure that the ICMP packet comes in, gets routed to the VPN tunnel, a reply comes back but then is lost somewhere? :|