4. Verifying the GCP VPN Tunnel
(Optional) How to verify that your GCP-Orka VPN tunnel works as expected: check security associations, tunnel status and traffic between Orka and GCP.
You need:
- Active VPN connection to your Orka cluster.
- Your Cisco ASAv connection information from the IP Plan.
This part of the workflow is optional.
Verify that there is an ISAKMP security association between the peers
- Run Cisco ASDM-IDM and log in to your firewall.
- In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....
- Select Single Line, enter the following command, and click Send.
show crypto isakmp sa
If the site-to-site VPN connection is configured properly, you should see information about an active IKEv1 security association (SA). For example:
Result of the command: "show crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: ...
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
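To script this check instead of reading the output by eye, the following added example (not from the MacStadium or Cisco documentation) parses saved "show crypto isakmp sa" output and lists any problems. The sample text, the peer address 203.0.113.10 and the function names are constructed for illustration; it treats only the MM_ACTIVE state shown above as healthy and also confirms that the SA is with the peer you expect.

```python
import re

# Constructed sample modelled on the output above; the peer address is a
# documentation placeholder (203.0.113.10), not a value from this page.
SAMPLE = """\
Result of the command: "show crypto isakmp sa"
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
"""

def parse_isakmp_sa(text):
    """Return (active_sa_count, [peer dicts]) from 'show crypto isakmp sa' text."""
    m = re.search(r"Active SA:\s*(\d+)", text)
    active = int(m.group(1)) if m else 0
    peers, current = [], None
    for line in text.splitlines():
        start = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if start:
            current = {"peer": start.group(1)}
            peers.append(current)
        elif current is not None:
            # Detail lines carry two "Key : value" pairs; accept only known keys.
            for key, value in re.findall(r"(Type|Role|Rekey|State)\s*:\s*(\S+)", line):
                current[key.lower()] = value
    return active, peers

def check_tunnel(text, expected_peer):
    """Return a list of problems; an empty list means the IKEv1 SA looks healthy."""
    active, peers = parse_isakmp_sa(text)
    problems = [] if active >= 1 else ["no active IKEv1 SA"]
    match = [p for p in peers if p["peer"] == expected_peer]
    if not match:
        problems.append(f"no SA with expected peer {expected_peer}")
    for p in match:
        if p.get("type") != "L2L":
            problems.append(f"peer {p['peer']}: type {p.get('type')} is not L2L")
        if p.get("state") != "MM_ACTIVE":
            problems.append(f"peer {p['peer']}: state {p.get('state')} is not MM_ACTIVE")
    return problems

if __name__ == "__main__":
    print(check_tunnel(SAMPLE, "203.0.113.10") or "IKEv1 SA established")
```

Pass the peer address from your IP Plan as expected_peer, so that an SA negotiated with any other endpoint is reported rather than counted as success.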
Verify that there is an IPsec security association between peers
- Run Cisco ASDM-IDM and log in to your firewall.
- In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....
- Select Single Line, enter the following command, and click Send.
show crypto ipsec sa
If the site-to-site VPN connection is configured properly, you should see a detailed log. For example:
Result of the command: "show crypto ipsec sa"
interface: Outside
Crypto map tag: amzn_vpn_map_1, seq num: 1, local addr: ...
access-list acl-amzn extended permit ip any ...
local ident (addr/mask/prot/port): ...
remote ident (addr/mask/prot/port): ...
current_peer: ...
....
inbound esp sas:
...
outbound esp sas:
...
Verify that the tunnel is connected
- Log in to your GCP console.
- From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.
- On the Cloud VPN Tunnels tab, locate the tunnel to MacStadium and check the value for VPN tunnel status. When your tunnel is properly connected, the status is: Established.
Test traffic and visibility through the tunnel
- Verify that you have created a virtual machine in MacStadium.
- Verify that you have created a virtual machine instance in GCP and that you have enabled user login on it.
For more information about user login on GCP instances, see Google Cloud Documentation: Setting up and configuring OS Login.
- In the terminal on your MacStadium VM, run the following command:
ssh <user>@<gcp-vm-ip>
Replace <user> with the username for your GCP instance.
Replace <gcp-vm-ip> with the private IP of the GCP instance.
- When prompted, provide your password or key for the specified username on the specified GCP instance.
If the connection is successful, the prefix of the terminal becomes <user>@<gcp-vm-ip>. This indicates that you have connected from Orka to GCP over the tunnel.
- Run the following command:
ssh <user>@<orka-vm-ip>
Replace <user> with the username for your Orka VM.
Replace <orka-vm-ip> with the private IP of the Orka VM.
- When prompted, provide your password or key for the specified username on the specified MacStadium VM.
If the connection is successful, the prefix of the terminal becomes <user>@<orka-vm-ip>. This indicates that you have connected from GCP to MacStadium over the tunnel.