
We are trying to "Build a VPN from a Watchguard to Google Cloud Platform" just like what is described here: https://querblick-it.de/build-vpn-watchguard-google-cloud-platform/

And under Remote peer IP address in the Interconnect/VPN section of the GCP console we get this in the (!) pop-out:

"The VPN gateway is not receiving packets from the remote peer. The remote peer might not be configured or configured with an incorrect IP."

We have triple checked that the remote peer IP is correct.

And in the GCP logs we get:

textPayload:  "establishing IKE_SA failed, peer not responding"

Here is GCP's Creating a VPN documentation: https://cloud.google.com/vpn/docs/how-to/creating-vpns

Here is WatchGuard's BOVPN documentation: https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/bovpn_manual_about_c.html

When we ping the network static IP of the VPN from a command window from my workstation, we get replies.

When we ping the IP of a Compute Engine instance, we don't get replies.

The instance doesn't have an external IP, which is the way we want it, so we can't ssh to the instance to ping from there, or I would.

We all think we are not receiving anything from either site.

Any ideas what could be causing this? Any troubleshooting ideas? I'm more of a programmer than an IT guru. I am sure you need more than what I gave you here. What else do you need?

  • The error message is suggesting that the IKE packets aren't making it through. The IKE packets are UDP packets with port number 500 as both source and destination port number. First try to do a packet capture to see if you see such packets in both directions. One possible way it could break is if you try to run the VPN connection through a NAT. – kasperd Jan 03 '18 at 23:13
  • @kasperd - We have confirmed that packets are not reaching opposite site. So from GCP, they do not reach us and sent from us, they do not reach GCP. I am told we are not running a VPN connection through a NAT, but how would I confirm this? – mountainclimber11 Jan 04 '18 at 14:46
  • How did you verify that? Where are the packet captures? – kasperd Jan 04 '18 at 21:59
  • I didn't, my IT contractor did. I think he looked at the GCP logs (via gcp console, Interconnect, vpn, click the View link under the logs column) and saw nothing was arriving there from us. And from the other direction, we looked at the firewall traffic monitor to see if anything was coming at all to our network from GCP. Nothing in both directions. At any rate, the issue was resolved. See my lame answer below. – mountainclimber11 Jan 04 '18 at 22:17
  • Could you tell me which IP range was used for the GCE end of the VPN connection? The first three octets of the VPN gateway IP would be sufficient. – kasperd Jan 07 '18 at 15:53
  • 1
    The VPN IP address (interconnect, VPN, IP address column) is 35.226.64.xxx Curious why do you want that? – mountainclimber11 Jan 08 '18 at 14:39
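kasperd's comment above describes the check that settles this kind of problem: IKE is UDP with port 500 as both source and destination port, so capture on both sides and see whether those packets appear in each direction, and be suspicious of any NAT in the path. The following is an added example, not code from this thread, from WatchGuard or from Google; it runs that check over a constructed packet list instead of a live capture (on a real gateway the packets would come from the firewall's traffic monitor or from `tcpdump -n udp port 500 or udp port 4500`). The addresses (RFC 5737 placeholders), the SPIs and the `classify`/`verdict` helpers are all assumptions made for the example.

```python
import struct

IKE_PORT = 500            # IKE: UDP 500 as both source and destination port
NATT_PORT = 4500          # IKE moves to UDP 4500 once NAT traversal (RFC 3948) is negotiated
IKE_SA_INIT = 34          # IKEv2 exchange type of the first request/response pair
FLAG_RESPONSE = 0x20      # the R bit in the IKEv2 flags octet
FLAG_INITIATOR = 0x08     # the I bit in the IKEv2 flags octet
IKE_HDR = struct.Struct("!QQBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length


def build_ike(spi_i, spi_r, exchange, response, msg_id, body=b""):
    """Build a minimal IKEv2 datagram: RFC 7296 section 3.1 header plus an opaque body."""
    flags = FLAG_RESPONSE if response else FLAG_INITIATOR
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exchange, flags, msg_id, IKE_HDR.size + len(body)) + body


def parse_ike(payload):
    """Return the IKEv2 header fields as a dict, or None if the payload is not IKEv2."""
    if len(payload) < IKE_HDR.size:
        return None
    spi_i, spi_r, _nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    if ver >> 4 != 2 or length != len(payload):    # major version must be 2, length must match
        return None
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch,
            "response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id}


def classify(packets, local_ip, peer_ip):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload), as seen on our side.
    Returns (seen, hints): seen counts IKE requests/responses per direction, hints lists NAT indicators."""
    seen = {"out_req": 0, "in_req": 0, "out_resp": 0, "in_resp": 0}
    hints = []
    for src, sport, dst, dport, payload in packets:
        if dport not in (IKE_PORT, NATT_PORT):
            continue
        if src == local_ip and dst == peer_ip:
            direction = "out"
        elif src == peer_ip and dst == local_ip:
            direction = "in"
        else:
            continue
        body = payload
        if dport == NATT_PORT:
            # NAT-T framing puts a 4-byte zero "non-ESP marker" in front of the IKE header
            if payload[:4] != b"\x00\x00\x00\x00":
                continue
            body = payload[4:]
            hints.append(f"{direction}: IKE carried on UDP 4500, NAT-T negotiated")
        hdr = parse_ike(body)
        if hdr is None:
            continue
        if sport != dport:
            hints.append(f"{direction}: source port {sport} != {dport}, a NAT is rewriting ports")
        seen[f"{direction}_{'resp' if hdr['response'] else 'req'}"] += 1
    return seen, hints


def verdict(seen):
    """Map the per-direction counts to the symptom a gateway log would show."""
    if seen["out_req"] and not (seen["in_req"] or seen["in_resp"]):
        return "our IKE_SA_INIT leaves but nothing comes back: 'peer not responding' (filtered upstream or peer misconfigured)"
    if seen["in_req"] and not seen["out_resp"]:
        return "peer's IKE_SA_INIT arrives but we never answer: local gateway not listening on UDP 500 or policy drops it"
    if seen["out_req"] and seen["in_resp"]:
        return "IKE exchange completing in both directions: problem is past IKE (auth, proposals, traffic selectors)"
    if not any(seen.values()):
        return "no IKE traffic at all: neither side is initiating, check peer IP and that the tunnel is enabled"
    return "partial exchange, inspect the capture by hand"


LOCAL, PEER = "203.0.113.10", "198.51.100.1"   # placeholder addresses (RFC 5737), not the real gateways
SPI = 0x1122334455667788                        # made-up initiator SPI

# Constructed capture 1: we initiate and retransmit, nothing ever comes back (the situation in the question)
CAPTURE_ONE_WAY = [
    (LOCAL, 500, PEER, 500, build_ike(SPI, 0, IKE_SA_INIT, False, 0, b"\x00" * 40)),
    (LOCAL, 500, PEER, 500, build_ike(SPI, 0, IKE_SA_INIT, False, 0, b"\x00" * 40)),
]
# Constructed capture 2: the exchange completes, but our request left with a rewritten source port
CAPTURE_NATTED = [
    (LOCAL, 1025, PEER, 500, build_ike(SPI, 0, IKE_SA_INIT, False, 0, b"\x00" * 40)),
    (PEER, 500, LOCAL, 500, build_ike(SPI, 0xAABB, IKE_SA_INIT, True, 0, b"\x00" * 40)),
]

if __name__ == "__main__":
    for name, cap in (("one-way", CAPTURE_ONE_WAY), ("natted", CAPTURE_NATTED)):
        seen, hints = classify(cap, LOCAL, PEER)
        print(name, seen, hints, "->", verdict(seen))
```

The first capture reproduces the thread's symptom: requests leave on UDP 500 and the peer never answers, which is exactly what strongSwan-style logging reports as "peer not responding". The second shows why kasperd asked about NAT: a rewritten source port means the GCP side sees the request from a port other than 500 and, unless NAT-T is negotiated, its reply will not reach the gateway that sent the request.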

1 Answer

Last night I:

  • deleted all instances and disks (knowing I have good images)
  • sent a ticket to our ISP (they "looked" at things, but didn't make any changes...according to them)

This morning, in order, I:

  • closed all GCP project related tabs in Chrome
  • closed all WatchGuard firewall related systems/software/connections (web UI, Dimension, System Manager client)

Note: I didn't do anything to the vpn, firewall, network, etc.

And the VPN suddenly worked. I recreated the instances from images from a few days ago and everything is communicating.

PS - this isn't a very satisfactory answer, but it was my accidental "solution". Better answers welcome, will give cred.

Edit 1: to clarify, I didn't check the status of the vpn until all of the tasks above were completed, so I don't know which one(s), if any, fixed the issue.