planktonicme / google-cloud-sdk

Automatically exported from code.google.com/p/google-cloud-sdk

Command to restart / reset Google Cloud VPN Gateway #681

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I have a VPN configured with a client's Fortigate firewall. Occasionally when 
it loses connection Google Cloud VPN attempts to reconnect but it ends up in a 
failure to establish the CHILD_SA. The logs look like this repeated over and 
over:

05:29:02.847 creating acquire job for policy 10.240.0.0/16 === 192.168.176.0/24 with reqid {1}
05:29:02.847 establishing CHILD_SA vpn_216.57.208.134{1}
05:29:02.853 generating CREATE_CHILD_SA request 2621 [ SA No KE TSi TSr ]
05:29:02.854 sending packet: from 130.211.129.203[500] to 216.57.208.134[500] (620 bytes)
05:29:02.895 received packet: from 216.57.208.134[500] to 130.211.129.203[500] (76 bytes)
05:29:02.896 parsed CREATE_CHILD_SA response 2621 [ N(TS_UNACCEPT) ]
05:29:02.896 received TS_UNACCEPTABLE notify, no CHILD_SA built
05:29:02.896 failed to establish CHILD_SA, keeping IKE_SA

When someone on my client's side resets their VPN server, it recreates the IKE_SA and the connection resumes:

09:24:53.403 received packet: from 216.57.208.134[500] to 130.211.129.203[500] (76 bytes)
09:24:53.403 parsed INFORMATIONAL request 1035 [ D ]
09:24:53.403 received DELETE for IKE_SA vpn_216.57.208.134[4]
09:24:53.404 deleting IKE_SA vpn_216.57.208.134[4] between 130.211.129.203[130.211.129.203]...216.57.208.134[216.57.208.134]
09:24:53.404 IKE_SA deleted
09:24:53.404 generating INFORMATIONAL response 1035 [ ]
09:24:53.404 sending packet: from 130.211.129.203[500] to 216.57.208.134[500] (76 bytes)
09:24:53.413 received packet: from 216.57.208.134[500] to 130.211.129.203[500] (488 bytes)
09:24:53.414 parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09:24:53.414 216.57.208.134 is initiating an IKE_SA
09:24:53.426 generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
09:24:53.427 sending packet: from 130.211.129.203[500] to 216.57.208.134[500] (440 bytes)
09:24:53.469 received packet: from 216.57.208.134[500] to 130.211.129.203[500] (252 bytes)
09:24:53.470 parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
09:24:53.470 looking for peer configs matching 130.211.129.203[%any]...216.57.208.134[216.57.208.134]
09:24:53.470 selected peer config 'vpn_216.57.208.134'
09:24:53.470 authentication of '216.57.208.134' with pre-shared key successful
09:24:53.470 authentication of '130.211.129.203' (myself) with pre-shared key
09:24:53.470 IKE_SA vpn_216.57.208.134[5] established between 130.211.129.203[130.211.129.203]...216.57.208.134[216.57.208.134]
09:24:53.470 scheduling rekeying in 35648s
09:24:53.470 maximum IKE_SA lifetime 36248s
09:24:53.470 handling HA CHILD_SA vpn_216.57.208.134{1744} 10.240.0.0/16 === 192.168.176.0/24 (segment in: 1, out: 1)
09:24:53.470 CHILD_SA vpn_216.57.208.134{1744} established with SPIs fcd983a4_i 955d328e_o and TS 10.240.0.0/16 === 192.168.176.0/24
09:24:53.470 generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]

Instead of relying on my client to reset their VPN, I'd like to be able to 
reset the connection from my own end.

Is there a gcloud command to restart my Google Cloud VPN gateway / connection? 
If not, could you add one?

Original issue reported on code.google.com by jeffv...@gmail.com on 24 Mar 2016 at 3:41
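
The failure loop in the logs above (repeated TS_UNACCEPTABLE replies to CREATE_CHILD_SA while the IKE_SA is kept) can be flagged automatically from the gateway log. The following is an added example, not part of the original issue or of the Cloud SDK; it assumes the log layout shown in the post, and the function names, the threshold and the sample lines (including the peer name `vpn_peer`) are constructed for illustration.

```python
import re

STAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s*(.*)$")
POLICY = re.compile(r"creating acquire job for policy (\S+) === (\S+)")
ESTABLISHED = re.compile(r"CHILD_SA \S+ established.* TS (\S+) === (\S+)")

def entries(text):
    """Yield (timestamp, message); wrapped continuation lines are rejoined."""
    stamp, parts = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = STAMP.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), [m.group(2)] if m.group(2) else []
        elif line and stamp is not None:
            parts.append(line)
    if stamp is not None:
        yield stamp, " ".join(parts)

def stuck_selectors(text, threshold=3):
    """Map (local, remote) selectors to (rejections, first_ts, last_ts) when
    the peer has refused them `threshold` or more times with no CHILD_SA since."""
    streak, current = {}, None
    for stamp, msg in entries(text):
        policy, up = POLICY.search(msg), ESTABLISHED.search(msg)
        if policy:
            current = policy.groups()
        elif "received TS_UNACCEPTABLE notify" in msg and current:
            count, first, _ = streak.get(current, (0, stamp, stamp))
            streak[current] = (count + 1, first, stamp)
        elif up:
            streak.pop(up.groups(), None)  # tunnel recovered for these selectors
    return {sel: s for sel, s in streak.items() if s[0] >= threshold}

# Constructed sample in the post's layout (timestamp line, then message).
CYCLE = """05:29:{sec}.847
creating acquire job for policy 10.240.0.0/16 === 192.168.176.0/24 with reqid 
{{1}}
05:29:{sec}.896
parsed CREATE_CHILD_SA response 2621 [ N(TS_UNACCEPT) ]
05:29:{sec}.896
received TS_UNACCEPTABLE notify, no CHILD_SA built
"""
FAILING = "".join(CYCLE.format(sec=s) for s in ("02", "12", "22"))
RECOVERED = FAILING + """09:24:53.470
CHILD_SA vpn_peer{1744} established with SPIs aaaa0001_i bbbb0002_o 
and TS 10.240.0.0/16 === 192.168.176.0/24
"""
```

`stuck_selectors(FAILING)` reports the rejected selector pair with its rejection count and first and last timestamps, while `stuck_selectors(RECOVERED)` is empty because a CHILD_SA for the same selectors was established afterwards.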