IPsec VPN works only one way - GCP
rbed:
Hey there, I just signed up to find some help with my VPN. My networking knowledge is very limited and hopefully it's just a silly mistake that I've made.
I've found a couple very similar threads but none of the solutions worked for me. Please poke me if I'm supposed to pick up one of them.
https://forum.opnsense.org/index.php?topic=13536.0
https://forum.opnsense.org/index.php?topic=14970.0
---
I'm trying to establish a VPN between our on-prem network (datacenter DC) and the Google Cloud Platform (GCP). Actually, the tunnel is set up and connected and I can ping from the GCP side. The ping from the DC side remains unanswered. They aren't blocked by the FW and when I capture the traffic, I actually see requests and (!) responses. But apparently they don't reach the original machine.
I have a fresh OPNsense 21.7.2_1-amd64 (x.x.x.99) installation. I have three gateways, a default one (the machine isn't the default gateway for the network, that's x.x.x.65), another one called LAN_GW (I don't know why / what's the difference) and the far gateway pointing at the GCP end. (See attachment)
Then I have a route just for a single test VM in the GCP (See attachment) - 10.255.255.250/32 via the GCP_Gateway.
The VPN itself is established (see more attachments).
FW rules are in place to allow all outgoing traffic to 10.0.0.0/8 and incoming as well, IPsec + LAN, just to be sure.
Since the OPNsense x.x.x.99 isn't the default gateway I added a route on a VM in DC and when I traceroute 10.255.255.250 I can see that the first hop is in fact x.x.x.99.
Packet capture shows requests and replies for my pings for interface "ix3" and "enc0". I have no idea what "enc0" is but I guess it belongs to the IPsec tunnel. It's nowhere to be found in the GUI. Or I'm stupid - that's always a valid option.
I wonder how my "GCP_Gateway" is supposed to know that the traffic shall be sent via IPsec. The only interface I can pick in the gateway settings is "LAN" ... In the guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html) they pick an interface "IPSEC1000".
I hope my mistake is obvious to someone and that someone is willing to enlighten me ;)
---
What I've tried from answers to similar questions so far:
* Fiddle around with the NAT outbound settings.
* Uncheck "Install policy" in the tunnel settings.
* Playing around with gateway priorities.
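An added diagnostic example, not from the thread or from OPNsense: it correlates ICMP echo request/reply pairs across per-interface tcpdump captures (the "ix3" LAN interface and the "enc0" IPsec interface mentioned above) by ICMP id and sequence number, so you can see at which interface a reply stops being forwarded. The capture lines, addresses and id values are constructed; the line format assumes plain `tcpdump -ni <if> icmp` output.

```python
import re
from collections import defaultdict

# Minimal parser for tcpdump ICMP echo lines; only id/seq and direction are used.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_capture(text):
    """Return (kind, id, seq, src, dst) tuples for one interface's capture text."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["kind"], int(m["id"]), int(m["seq"]), m["src"], m["dst"]))
    return out

def correlate(captures):
    """captures: {ifname: capture_text}. Map each (id, seq) probe to the set of
    interfaces on which its request and its reply were observed."""
    seen = defaultdict(lambda: {"request": set(), "reply": set()})
    for ifname, text in captures.items():
        for kind, pid, seq, _src, _dst in parse_capture(text):
            seen[(pid, seq)][kind].add(ifname)
    return dict(seen)

def lost_replies(captures, lan_if, tunnel_if):
    """(id, seq) probes whose request entered on lan_if and whose reply came back
    on tunnel_if but was never forwarded out lan_if: the reply died in the firewall.
    If the reply does show on lan_if as well, the drop is downstream of the box."""
    lost = []
    for key, where in sorted(correlate(captures).items()):
        if (lan_if in where["request"] and tunnel_if in where["reply"]
                and lan_if not in where["reply"]):
            lost.append(key)
    return lost

# Constructed sample captures: two echo requests from a DC VM enter on ix3 and
# traverse enc0; the replies come back on enc0 but never appear on ix3.
IX3 = """\
12:00:01.000001 IP 10.10.0.20 > 10.255.255.250: ICMP echo request, id 4242, seq 1, length 64
12:00:02.000001 IP 10.10.0.20 > 10.255.255.250: ICMP echo request, id 4242, seq 2, length 64
"""
ENC0 = """\
12:00:01.000100 IP 10.10.0.20 > 10.255.255.250: ICMP echo request, id 4242, seq 1, length 64
12:00:01.010100 IP 10.255.255.250 > 10.10.0.20: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 IP 10.10.0.20 > 10.255.255.250: ICMP echo request, id 4242, seq 2, length 64
12:00:02.010100 IP 10.255.255.250 > 10.10.0.20: ICMP echo reply, id 4242, seq 2, length 64
"""

if __name__ == "__main__":
    for key in lost_replies({"ix3": IX3, "enc0": ENC0}, "ix3", "enc0"):
        print("reply for id=%d seq=%d seen on enc0 but not forwarded on ix3" % key)
```

Feed it the real captures from both interfaces and an empty result means the replies did leave the firewall on the LAN side, pointing the search at the VM's return route rather than at the IPsec configuration.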
fabian:
enc0 is a virtual IPsec interface
rbed:
--- Quote from: fabian on September 11, 2021, 05:28:13 pm ---enc0 is a virtual IPsec interface
--- End quote ---
Ah thanks, that's what I've thought. Then I'd figure that the ICMP packet comes in, gets routed to the VPN tunnel, a reply comes back but then is lost somewhere? :|
mimugmail:
GCP is route based IPsec, you need a different guide, like Azure
rbed:
--- Quote from: mimugmail on September 11, 2021, 07:55:50 pm ---GCP is route based IPsec, you need a different guide, like Azure
--- End quote ---
Do you have one you can link?
/edit: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html ?