IPsec VPN works only one way - GCP

Started by rbed, September 11, 2021, 05:08:46 PM

Tunnel details for the Azure guide setup

LAN is the only interface (I deleted the weird OPT1)

Why only the LAN? Shouldn't it be WAN? Is this the GCP box or on-prem?
And why respond only? Also /128 looks weird

The OPNsense VPN Gateway (.99) is not the default gateway (that's .65).

The Azure guide https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html had "respond only" in it, that's why.

I was wondering about the /128, too, but I cannot change it.

Some more intel:

I see the traffic DC -> GCP coming through in the FW logs on .99. I can also see it in the FW logs within the GCP in the allow-ingress rule I've set up.
I can then also see traffic going back within the GCP but apparently it's lost after that.

I need a Network diagram including IP addresses to fully understand this setup

Here's one. I hope that helps.
Actually I'm not 100% sure whether or not .99's traffic is passing through .66 or not.
That's the not so well documented setup I inherited. The .99 is there because we didn't want to mess around with our live FW.

Please use real IPs and change only one bit; really, no one is interested in your network :) someone around the globe is always scanning it anyway.

Apparently the wrong route was chosen on the way back from the tunnel and then the response was eaten by the bridging firewall.
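The diagnosis above (return traffic picks the wrong route and is then dropped by the bridging firewall) is a plain longest-prefix-match problem: a GCP host has no route for the on-prem prefix, so its replies to the DC follow the default route to .65 instead of going to the OPNsense VPN gateway at .99. The following Python script is an added illustration, not code from the thread; it implements the route lookup a host performs and checks whether the return path matches the tunnel gateway. All full addresses and prefixes are constructed (only the .65 and .99 host parts come from the thread), and the function and table names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry of a host routing table (constructed model)."""
    prefix: ipaddress.IPv4Network
    next_hop: str   # gateway address, or "on-link" for a directly connected prefix
    iface: str


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed addressing for the scenario: on-prem DC behind the tunnel,
# a GCP subnet whose default gateway is .65 and whose OPNsense VPN gateway is .99.
ONPREM = ipaddress.ip_network("10.10.0.0/16")
GCP_LAN = ipaddress.ip_network("10.20.0.0/24")
DEFAULT_GW = "10.20.0.65"
VPN_GW = "10.20.0.99"

# Table as inherited: only the connected prefix and the default route.
TABLE_BROKEN = [
    Route(ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW, "eth0"),
    Route(GCP_LAN, "on-link", "eth0"),
]

# Corrected table: a specific route for the on-prem prefix via the VPN gateway.
TABLE_FIXED = TABLE_BROKEN + [Route(ONPREM, VPN_GW, "eth0")]


def return_next_hop(table, dc_client):
    """Next hop a GCP host uses for a reply to dc_client (a DC address)."""
    route = lookup(table, dc_client)
    return route.next_hop if route else None


def return_path_symmetric(table, dc_client, vpn_gw=VPN_GW):
    """True when replies re-enter the tunnel via the same gateway the request came from."""
    return return_next_hop(table, dc_client) == vpn_gw


if __name__ == "__main__":
    client = "10.10.5.7"  # constructed DC-side client address
    for name, table in (("broken", TABLE_BROKEN), ("fixed", TABLE_FIXED)):
        hop = return_next_hop(table, client)
        status = "symmetric" if return_path_symmetric(table, client) else "ASYMMETRIC"
        print(f"{name}: reply to {client} -> next hop {hop} ({status})")
```

With the inherited table the reply leaves via .65, which never saw the inbound request and cannot put it back into the tunnel; adding the on-prem prefix via .99 on the GCP side (or on the .65 gateway) makes both directions use the same path, which is what the stateful firewall in between expects.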