Hi guys.
I'm trying to establish a vpn to GCP network but I have a doubt still can't resolve. I can establish the ipsec tunnel, but I don't have any interface o idea to where to configure the ip to create the bgp sessión. Is the same if I configure the VPN on GCP for static routing, the ipsec works, but I don't where to configure the static routing on my mikrotik to route to the ips on google cloud.
Best regards and thanks in advance.
Community discussions
L
R
Google Cloud Platform GCP - VPN - BGP
Last edited by gargola on Wed Dec 05, 2018 2:21 am, edited 1 time in total.
Re: Google Cloud Platform GCP - VPN - BGP help
hello! If you have already an IPSec Site-to-Site between Google and your Mikrotik then I think that you'll need to create some special routes using policies and rules to reach the remote server, theoretically I think that it is possible, however can you please post the configs at both sites?
MikroTik Soporte y Consultoría - Español / English +593 98 709 3502
https://www.safenet.ec/consultoria.html/ soporte@safenet.ec
https://www.safenet.ec/consultoria.html/ soporte@safenet.ec
Re: Google Cloud Platform GCP - VPN - BGP help
Hi sri2007.
Thank you for your response, here is the configuration:
Actually it seems that I have a one way issue, because my compute engine instance is able to ping my local segment 10.0.5.0/29, but from my Mikrotik I can't ping the cloud instance. I've checked firewall and everything related to it.
Here is the evidence from the cloud instance to my LAN segment. I think is the same issue, my Mikrotik doesn't know how to route to that destination, even so the policy is indicating that any traffic to 10.168.0.0/20 should go through the ipsec tunnel.
Best regards.
Thank you for your response, here is the configuration:
Code: Select all
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=XX.XX.17.122/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=30s enc-algorithm=aes-128,3des exchange-mode=ike2 \
generate-policy=no hash-algorithm=sha1 policy-template-group=default secret=test send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.168.0.0/20 dst-port=any ipsec-protocols=esp level=unique priority=0 proposal=default protocol=all \
sa-dst-address=XX.XX.17.122 sa-src-address=XX.XX.53.118 src-address=10.0.5.0/29 src-port=any tunnel=yes
/ip address
add address=10.0.5.1/29 interface=V2-1 network=10.0.5.0
Here is the evidence from the cloud instance to my LAN segment. I think is the same issue, my Mikrotik doesn't know how to route to that destination, even so the policy is indicating that any traffic to 10.168.0.0/20 should go through the ipsec tunnel.
Code: Select all
xxx@instance-1:~$ ifconfig
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460
inet 10.168.0.2 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::4001:aff:fea8:2 prefixlen 64 scopeid 0x20<link>
ether 42:01:0a:a8:00:02 txqueuelen 1000 (Ethernet)
RX packets 1809 bytes 1041959 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1829 bytes 214386 (214.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 160 bytes 13111 (13.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 160 bytes 13111 (13.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
xxx@instance-1:~$ ping 10.0.5.1
PING 10.0.5.1 (10.0.5.1) 56(84) bytes of data.
64 bytes from 10.0.5.1: icmp_seq=1 ttl=63 time=78.6 ms
64 bytes from 10.0.5.1: icmp_seq=2 ttl=63 time=76.9 ms
64 bytes from 10.0.5.1: icmp_seq=3 ttl=63 time=84.9 ms
^C
--- 10.0.5.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 76.920/80.126/84.871/3.423 ms
xxx@instance-1:~$ ping 10.168.0.2
PING 10.168.0.2 (10.168.0.2) 56(84) bytes of data.
64 bytes from 10.168.0.2: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 10.168.0.2: icmp_seq=2 ttl=64 time=0.043 ms
^C
--- 10.168.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 29ms
rtt min/avg/max/mdev = 0.015/0.029/0.043/0.014 ms
xxx@instance-1:~$ sudo ufw status
Status: inactive
xxx@instance-1:~$
Re: Google Cloud Platform GCP - VPN - BGP help
Well, some sleep hours helped, I could figured it out after search a little, I had to add the NAT exception from the src/dst networks. Now I'm able to ping both ways. So the IPSEC tunnel is working.
But at this time is configured with static segments (only 10.0.5.0/29 to 10.168.0.02/0) I have to make it work through BGP to avoid manual configurations. I'm going to test to add a bridge interface with the bgp ip to see if I'm able to establish the session.
But at this time is configured with static segments (only 10.0.5.0/29 to 10.168.0.02/0) I have to make it work through BGP to avoid manual configurations. I'm going to test to add a bridge interface with the bgp ip to see if I'm able to establish the session.
Re: Google Cloud Platform GCP - VPN - BGP help [SOLVED]
Finally made it.
To be able to route to the VPN I created a bridge to use it as the interface that has the ip for the BGP session and it turned in to my gateway to the cloud. If you're going to use static routes or policy based VPN is enough with the IPSEC Policies.
Any doubt feel free to contact me.
To be able to route to the VPN I created a bridge to use it as the interface that has the ip for the BGP session and it turned in to my gateway to the cloud. If you're going to use static routes or policy based VPN is enough with the IPSEC Policies.
Any doubt feel free to contact me.
Re: Google Cloud Platform GCP - VPN - BGP
Are you using dedicated instance from GCP side to connect with mikrotik or do you use dedicated VPN service from Google?
Two could you share the config ?
Two could you share the config ?
Who is online
Users browsing this forum: No registered users and 6 guests