Cisco IOS (2911) to Google Cloud Platform

David Courtney
Level 1

Hey everyone,

Has anyone had any luck getting a VPN connection running with GCP? I have the VPN established, but no traffic seems to be flowing over the link.

------------------------------------------------------------------------------------------------------------------------------------------

Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.240.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xD2CEC6EB(3536766699)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x44A69ECF(1151770319)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4707, flow_id: Onboard VPN:2707, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4249069/3566)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD2CEC6EB(3536766699)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4708, flow_id: Onboard VPN:2708, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4249069/3566)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

------------------------------------------------------------------------------------------------------------------------------------------

Traceroute from "10.1.1.10" to 10.1.0.10 shows it hitting the internet gateway last.

Thanks,

David


JP Miranda Z
Cisco Employee

Hi

Hope this info helps!!

Rate if helps you!! 

-JP- 

Hey JP,

Thanks for your response. Here is a sanitized version of the config; hopefully I left enough in there to help make sense of it.

Here is the best GCP documentation I could find: https://cloud.google.com/compute/docs/vpn/creating-vpns

Thanks,

David

Hi David,

Your VPN config looks good. I will check the ZBF config or bypass it to find out if it is causing any issue with the VPN traffic, since the SA is coming up but the traffic is not even being encrypted by the Router.

Do a ping to something at the other end sourced from the Router:

ping 10.3.0.10 source g0/1

then share the outputs of the show cry ipsec sa.

Hope this info helps!!

Rate if helps you!! 

-JP- 
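The pattern JP is reading off David's output (decaps climbing while encaps stays at 0 on an ACTIVE SA) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the counters, proxy identities and SA status out of a sanitized "show crypto ipsec sa" excerpt (the sample embedded below is constructed from David's post) and names the layer most likely at fault, so the same asymmetry points at ZBF/ACL, NAT exemption or routing rather than at the tunnel itself.

```python
import re

# Sanitized "show crypto ipsec sa" excerpt from the thread (constructed sample,
# trimmed to the lines this check reads).
SAMPLE_SA = """\
Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1
local ident (addr/mask/prot/port): (10.1.1.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.240.0/0/0)
current_peer 2.2.2.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
inbound esp sas:
Status: ACTIVE(ACTIVE)
outbound esp sas:
Status: ACTIVE(ACTIVE)
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")

def parse_sa(text):
    """Extract encaps/decaps counters, proxy identities and active SA count."""
    info = {"encaps": 0, "decaps": 0}
    for m in COUNTER_RE.finditer(text):
        info[m.group(1)] = int(m.group(2))
    for m in IDENT_RE.finditer(text):
        info[m.group(1)] = (m.group(2), m.group(3))  # (address, mask)
    info["active_sas"] = text.count("Status: ACTIVE")
    return info

def diagnose(info):
    """Map the counter pattern to the layer most likely at fault."""
    if info["active_sas"] == 0:
        return "no active SA: IKE/IPsec negotiation problem"
    if info["encaps"] == 0 and info["decaps"] > 0:
        # Peer is sending but nothing is encrypted locally: outbound traffic
        # never reaches the crypto map. Look at what sits before it
        # (ZBF/ACL, NAT exemption, routing), then ping sourced from inside.
        return "receiving only: outbound traffic never reaches the crypto map"
    if info["encaps"] > 0 and info["decaps"] == 0:
        return "sending only: peer is not returning traffic"
    if info["encaps"] == 0 and info["decaps"] == 0:
        return "SA up but idle: generate traffic matching the proxy identities"
    return "bidirectional traffic flowing"

if __name__ == "__main__":
    print(diagnose(parse_sa(SAMPLE_SA)))
```

Run against David's excerpt it reports "receiving only", which is exactly the case where the router's own firewall policy, not the IPsec configuration, is the first thing to bypass or inspect.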

It did end up being ZBF; turning it off proved this. Correcting the ACL allowed the ZBF to be turned back on.

Thanks, JP!

- David