hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

It doesn't seem to work with GCP #1559

Closed olegkorol closed 3 months ago

olegkorol commented 3 months ago

Hi!

First of all, thanks for putting this together.

I am trying to connect an on-premises server to GCP with a tunnel using IPSec IKEv2. I've attempted setting up the VPN server on both DigitalOcean and EC2, with the same (unsatisfactory) results.

It is possible to connect clients like e.g. my laptop, which means that the VPN is working... but I cannot get it to work with GCP.

For a bit of context, on the GCP side I am using a Cloud VPN Gateway which then has a Cloud VPN Tunnel. The latter's configuration looks like this:

[Screenshot 2024-05-17 at 2 09 22 PM: Cloud VPN Tunnel configuration]

...based on the actual IP Range from the VM's subnet and the output of the vpn.sh script:

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: 178.x.x.x # Remote peer IP address above
IPsec PSK: <PSK_FROM_VPN_SERVER> # IKE pre-shared key above
Username: <USERNAME>
Password: <PASSWORD>

Write these down. You'll need them to connect!

Then the two servers keep "handshaking" forever but the connection does not succeed.

These are some of the logs I see in the Cloud VPN Gateway:

[Screenshots 2024-05-17 at 2 15 52 PM and 2 16 19 PM: Cloud VPN Gateway tunnel logs]

Any ideas? Am I missing something? Many thanks in advance!

PS: I was able to set up such a connection using two different GCP projects, with their own VPCs and subnets, by running Cloud VPN Tunnels the exact same way I described above. So I imagine that the issue would not be the GCP Cloud VPN Tunnel's configuration, but rather the IPSec's configuration.

hwdsl2 commented 3 months ago

@olegkorol Hello! Thank you for providing the details of your use case. Unfortunately, this is not currently supported in this project. The Cloud VPN Gateway in GCP uses IKEv2 with pre-shared keys, while this project requires certificate-based authentication for IKEv2, or pre-shared keys with username/password for IKEv1.

If you would like to explore the use case further yourself, you may refer to these configuration examples and/or ask on the Libreswan users mailing list.

olegkorol commented 3 months ago

Thanks for the swift reply, @hwdsl2! I'll check those resources and see if I can get this up and running :)

olegkorol commented 3 months ago

Update

I ran the vpn.sh script as usual, then made a backup of the "original" IPSec config file:

mv /etc/ipsec.conf{,.original}

...and replaced it with another configuration, as suggested here (replacing xxx with the right addresses):

config setup
    protostack=netkey

# Subnet-to-subnet selectors; the peer addresses are pulled in from mytunnel
conn mysubnet
    also=mytunnel
    leftsubnet=xxx   # (in my case 10.0.0.0/24)
    rightsubnet=xxx  # (in my case 10.108.0.0/20)
    auto=start

# Peer definition: PSK authentication between the two public addresses
conn mytunnel
    left=xxx         # the external IP of *this* server
    right=xxx        # the external IP of GCP's Cloud VPN Gateway
    authby=secret

Then I restarted the IPSec VPN:

sudo ipsec restart

Ping: GCP -> local network

✅ This time I was able to ping from a VM in GCP to the "local network" (simulating it with a VM on DigitalOcean for now):

ping 10.108.0.2 # this being the internal IP of the DO VM

Ping: local network -> GCP

No luck yet pinging in the opposite way – but that's not crucial for now, since the communication in my use-case is intended to be one-way only.

Call API on local network from GCP

I tried to run a test API with a Node.js server on the "local network" (on port 3000) and calling it from GCP, but it did not work straight away:

curl 10.108.0.2:3000
curl: (7) Failed to connect to 10.108.0.2 port 3000 after 83 ms: Couldn't connect to server

⚠️ This is because I was running the Node.js server with hostname 127.0.0.1 (a.k.a. localhost). In order to be able to access it from other devices in the same network, the hostname has to be set to 0.0.0.0.

So, everything seems to be working as expected now (aside from Ping: local network -> GCP).

FYI @hwdsl2
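The site-to-site setup described in the update above, as an added example that is neither the project's code nor something posted in the thread: a small POSIX shell script that renders the Libreswan ipsec.conf as a function of the four addresses, refuses malformed IPs or CIDRs before writing anything, emits an ipsec.secrets line scoped to the two peers rather than a `%any %any` wildcard PSK entry, and prints the checks to run after `ipsec restart`. The conn name `gcp-tunnel`, `ikev2=insist`, the RFC 5737 demo addresses, the helper names, and the `ping -I` explanation for the failing local -> GCP direction are assumptions made for the example, not facts from the issue.

```shell
#!/bin/sh
# Added example (not the project's code): render a Libreswan site-to-site
# ipsec.conf and ipsec.secrets for a pre-shared-key tunnel to a GCP Cloud VPN
# Gateway, refusing malformed addresses, and list the checks to run afterwards.
# Addresses, conn name and PSK used here are constructed placeholders.

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# Succeed only if $1 is IPv4 CIDR notation a.b.c.d/n with 0 <= n <= 32.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}
  plen=${1#*/}
  valid_ipv4 "$addr" || return 1
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ]
}

# Print ipsec.conf. Arguments: local public IP, local subnet,
# GCP gateway IP, GCP subnet. ikev2=insist is an assumption: the thread says
# Cloud VPN negotiates IKEv2 with a PSK, so IKEv1 fallback is refused here.
render_ipsec_conf() {
  if ! { valid_ipv4 "$1" && valid_cidr "$2" && valid_ipv4 "$3" && valid_cidr "$4"; }; then
    echo "render_ipsec_conf: malformed address argument" >&2
    return 1
  fi
  cat <<EOF
config setup
    protostack=netkey

conn gcp-tunnel
    left=$1
    leftsubnet=$2
    right=$3
    rightsubnet=$4
    authby=secret
    ikev2=insist
    auto=start
EOF
}

# Print the ipsec.secrets line for this peer pair. Scoping it to the two
# addresses (instead of "%any %any") means the PSK is offered to and accepted
# from this gateway only. Arguments: local public IP, GCP gateway IP, PSK.
render_ipsec_secrets() {
  case "$3" in
    '' | *\"*) echo "render_ipsec_secrets: PSK empty or contains a quote" >&2; return 1 ;;
  esac
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Checks to run after "ipsec restart". Arguments: the VPN server's own
# private address (inside leftsubnet) and a host in the GCP subnet.
# The -I is an assumption about the failing local->GCP ping: without it the
# kernel sources the ping from the public interface, and no tunnel policy
# matches that source address.
tunnel_checks() {
  cat <<EOF
ipsec status | grep gcp-tunnel
ip xfrm policy
ping -c 3 -I $1 $2
EOF
}

# Demo with constructed documentation addresses (RFC 5737 ranges).
if [ "${1:-}" = "--demo" ]; then
  render_ipsec_conf 203.0.113.10 10.108.0.0/20 198.51.100.20 10.0.0.0/24
  render_ipsec_secrets 203.0.113.10 198.51.100.20 'example-psk-change-me'
  tunnel_checks 10.108.0.2 10.0.0.2
fi
```

Run it with `--demo` to see the rendered files; in practice redirect `render_ipsec_conf` to /etc/ipsec.conf and `render_ipsec_secrets` to /etc/ipsec.secrets (keeping the latter mode 0600), then restart and walk through `tunnel_checks`.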