Cloud VPN IPsec tunnel established and stable with Google, how to debug packets not going across tunnel?

I have a simple policy-based IPsec tunnel (not dynamic, no BGP) set up from my MikroTik router (behind a NAT) and Google Cloud VPN. The tunnel stays up and seems stable. 192.168.1.123 is my MikroTik and 11.22.33.44 is the peer IP assigned by GCP. The 192.168.1.123 address is NATted to a public address I set up on the GCP side as the VPN peer. I can ping the GCP peer IP from the MikroTik, and my IPsec policy includes a “nat-traversal=yes” statement.

> /ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0x40E267B src-address=11.22.33.44:4500 dst-address=192.168.1.123:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
      auth-key="fbd...3c4d" enc-key="e9b50...e22bb" addtime=jun/24/2025 19:38:05 expires-in=10m9s add-lifetime=24m/30m current-bytes=97692
      current-packets=1163 replay=128

 1  E spi=0x1E69DA73 src-address=192.168.1.123:4500 dst-address=11.22.33.44:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
      auth-key="c6a...481a61" enc-key="cd3c...ebd" add-lifetime=24m/30m replay=128

I used Google’s documentation to set up the forwarding rules, routes and a firewall rule to allow things like UDP, TCP, ICMP, etc. from my local subnet, local/public peer IP and anything else I could think of. In GCP, on the VPC network and subnet that uses the VPN tunnel as the first hop, I brought up an instance on a subnet 192.168.210.0/24. I have a local subnet 192.168.200.0/24. I added a firewall NAT rule on my MK:

/ip firewall nat add chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.210.0/24

src-address=192.168.200.0/24 - my local subnet
dst-address=192.168.210.0/24 - GCP subnet on VPC network with connected VPN tunnel

Pings don’t work in either direction, and when I use Torch to look at traffic on my WAN interface I just see some UDP and TCP packets that look like the tunnel being kept alive, but no ICMP between 192.168.200 and 192.168.210 like I would expect. Also, shouldn’t I see some ESP protocol packets showing some encapsulation going on? I’m sure I have a route or firewall NAT rule wrong - what’s the best way on the MikroTik to see what’s going on when I try to send packets across the tunnel? Probably I have more work to do on the GCP side, but my immediate goal is to make sure packets I send from my local subnet are trying to go across the tunnel and not somewhere else. Thanks-

Actually, I think I made some headway. It turns out that I needed to use the 192.168.1.0/24 local subnet instead of 192.168.200.0/24. The 192.168.1.0/24 subnet is where my MK pre-NATted IP is, as well as clients that need to go across the tunnel to get to 192.168.210.0/24 in GCP.

/ip ipsec policy add src-address=192.168.1.0/24 src-port=any dst-address=192.168.210.0/24 dst-port=any tunnel=yes action=encrypt proposal=gcp peer=gcp

/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.210.0/24

On the GCP Compute Engine VPC side:

gcloud compute routes create onprem-gcp-route1 \
    --destination-range=192.168.1.0/24 \
    --next-hop-vpn-tunnel=tunnel1 \
    --network=XXX \
    --next-hop-vpn-tunnel-region=us-XXX \
    --project=ipsec-test \
    --priority=10

gcloud  compute --project ipsec-test2 firewall-rules create allow-tcp-udp-icmp \
    --network XXX \
    --allow tcp,udp,icmp \
    --source-ranges 192.168.1.0/24
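One way to see why traffic from 192.168.200.0/24 never produced ESP while 192.168.1.0/24 does, as an added example that is not part of this thread: a small Python model of a RouterOS srcnat chain followed by the policy-based IPsec selector lookup. It assumes srcnat is evaluated before the policy match (which is why the srcnat accept rule has to sit above any masquerade rule) and uses 203.0.113.10 as a constructed stand-in for the public NAT address.

```python
"""Simplified model: srcnat chain first, then IPsec policy selector lookup.

Added example, not from the forum thread. Assumption: RouterOS applies srcnat
before matching the packet against /ip ipsec policy selectors, so a masquerade
rule that rewrites the source before an 'accept' rule makes the packet miss
the policy and leave the WAN in the clear.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")  # constructed stand-in for the NATted public address


@dataclass
class NatRule:
    action: str                 # "accept" or "masquerade"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"


@dataclass
class IpsecPolicy:
    src: str                    # policy src-address selector
    dst: str                    # policy dst-address selector


def apply_srcnat(src, dst, rules):
    """Walk the srcnat chain in order; the first matching rule decides."""
    for r in rules:
        if src in ip_network(r.src) and dst in ip_network(r.dst):
            return WAN_IP if r.action == "masquerade" else src
    return src


def classify(src, dst, nat_rules, policies):
    """Return how a src->dst packet would leave the router."""
    src, dst = ip_address(src), ip_address(dst)
    post_nat_src = apply_srcnat(src, dst, nat_rules)
    for p in policies:
        if post_nat_src in ip_network(p.src) and dst in ip_network(p.dst):
            return "encrypted"          # selector hit: ESP on the WAN
    return "clear-masqueraded" if post_nat_src == WAN_IP else "clear"


# The policy and srcnat rules from this thread, plus a default masquerade below them.
POLICIES = [IpsecPolicy("192.168.1.0/24", "192.168.210.0/24")]
GOOD_NAT = [NatRule("accept", "192.168.1.0/24", "192.168.210.0/24"), NatRule("masquerade")]
BAD_ORDER = [NatRule("masquerade"), NatRule("accept", "192.168.1.0/24", "192.168.210.0/24")]
```

Running `classify("192.168.200.50", "192.168.210.5", GOOD_NAT, POLICIES)` reproduces the original symptom (masqueraded, no ESP), while the same destination from 192.168.1.0/24 is encrypted only when the accept rule precedes masquerade.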

For viewing and separating traffic you can use

/ip fi fi add action=log chain=forward ipsec-policy=out,ipsec out-interface=ether1_WAN
/ip fi fi add action=log chain=forward ipsec-policy=in,ipsec out-interface=ether1_WAN