English Forums > Virtual private networks

IPsec VPN works only one way - GCP

(1/6) > >>

rbed:
Hey there, I just signed up to find some help with my VPN. My networking knowledge is very limited and hopefully it's just a silly mistake that I've made.

I've found a couple very similar threads but none of the solutions worked for me. Please poke me if I'm supposed to pick up one of them.

https://forum.opnsense.org/index.php?topic=13536.0
https://forum.opnsense.org/index.php?topic=14970.0

---

I'm trying to establish a VPN between our on-prem network (datacenter DC) and the Google Cloud Platform (GCP). Actually, the tunnel is set up and connected and I can ping from the GCP side. The ping from the DC side remains unanswered. They aren't blocked by the FW and when I capture the traffic, I actually see requests and (!) responses. But apparently they don't reach the original machine.

I have a fresh OPNsense 21.7.2_1-amd64 (x.x.x.99) installation. I have three gateways, a default one (the machine isn't the default gateway for the network, that's x.x.x.65), another one called LAN_GW (I don't know why / what's the difference) and the far gateway pointing at the GCP end. (See attachment)

Then I have a route just for a single test VM in the GCP (See attachment) - 10.255.255.250/32 via the GCP_Gateway.

The VPN itself is established (see more attachments).

FW rules are in place to allow all outgoing traffic to 10.0.0.0/8 and incoming as well, IPsec + LAN, just to be sure.

Since the OPNsense x.x.x.99 isn't the default gatway I added a route on a VM in DC and when I traceroute 10.255.255.250 I can see that the first hop is in fact x.x.x.99.

Package capture shows requests and replies for my pings for interface "ix3" and "enc0". I have no idea what "enc0" is but I guess it belongs to the IPsec tunnel. It's nowhere to be found in the GUI. Or I'm stupid - that's always a valid option.

I wonder how my "GCP_Gateway" is supposed to know that it's the traffic shall be sent via IPsec. The only interface I can pick in the gateway settings is "LAN" ... In the guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html) they pick an interface "IPSEC1000".

I hope my mistake is obvious to someone and that someone is willing to enlighten me ;)


---

What I've tried from answers to similar questions so far:


* Fiddle around with the NAT outbound settings.
* Uncheck "Install policy" in the tunnel settings.
* Playing around with gateway priorities.

fabian:
enc0 is a virtual IPsec interface

rbed:

--- Quote from: fabian on September 11, 2021, 05:28:13 pm ---enc0 is a virtual IPsec interface

--- End quote ---

Ah thanks, that's what I've thought. Then I'd figure that the ICMP packet comes in, gets routed to the VPN tunnel, a reply comes back but then is lost somewhere? :|

mimugmail:
GCP is route based IPsec, you need a different guide, like Azure

rbed:

--- Quote from: mimugmail on September 11, 2021, 07:55:50 pm ---GCP is route based IPsec, you need a different guide, like Azure

--- End quote ---

Do you have one you can link?

/edit: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html ?

Navigation

[0] Message Index

[#] Next page