4. Verifying the GCP VPN Tunnel

4. Verifying the GCP VPN Tunnel

(Optional) How to verify that your GCP-Orka VPN tunnel works as expected: check security associations, tunnel status and traffic between Orka and GCP.

๐Ÿšง

Quick navigation

You are here in the workflow: GCP-Orka Connections | 1. GCP Side of the VPN Tunnel | 2. GCP VPN Tunnel Configuration File | 3. Orka Side of the GCP. VPN Tunnel | 4. Verifying the GCP VPN Tunnel | GCP VPN Tunnel Troubleshooting


On this page, jump to: Verify that there is an ISAKMP security association between the peers | Verify that there is an IPsec security association between peers | Verify that the tunnel is connected | Test traffic and visibility through the tunnel

๐Ÿ“˜

You need:

  • Active VPN connection to your Orka cluster.
  • Your Cisco ASAv connection information from the IP Plan.

This part of the workflow is optional.

Verify that there is an ISAKMP security association between the peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....

  1. Select Single Line, enter the following command, and click Send.
show crypto isakmp sa

If the site-to-site VPN connection is configured properly, you should see information about an active IKEv1. For example:

Result of the command: "show crypto isakmp sa"

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: ...
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

There are no IKEv2 SAs

Verify that there is an IPsec security association between peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....

  1. Select Single Line, enter the following command, and click Send.
show crypto ipsec sa

If the site-to-site VPN connection is configured properly, you should see a detailed log. For example:

Result of the command: "show crypto ipsec sa"

interface: Outside
    Crypto map tag: amzn_vpn_map_1, seq num: 1, local addr: ...

      access-list acl-amzn extended permit ip any ... 
      local ident (addr/mask/prot/port): ...
      remote ident (addr/mask/prot/port): ...
      current_peer: ...


      ....

    inbound esp sas:
      ...
    outbound esp sas:
      ...

Verify that the tunnel is connected

  1. Log in to your GCP console.
  2. From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.

  1. On the Cloud VPN Tunnels tab, locate the tunnel to MacStadium and check the value for VPN tunnel status. When your tunnel is properly connected, the status is: Established.

Test traffic and visibility through the tunnel

  1. Verify that you have created a virtual machine in MacStadium.
  2. Verify that you have created a virtual machine instance in GCP and that you have enabled user login on it.
    For more information about user login on GCP instances, see Google Cloud Documentation: Setting up and configuring OS Login.
  3. In the terminal on your MacStadium VM, run the following command:
ssh <user>@<gcp-vm-ip>

Replace <user> with the username for your GCP instance.
Replace <gcp-vm-ip> with the private IP of the GCP instance.

  1. When prompted, provide your password or key for the specified username on the specified GCP instance.
    If the connection is successful, the prefix of the terminal becomes <user>@<gcp-vm-ip>. This indicates that you have connected from Orka to GCP over the tunnel.
  2. Run the following command:
ssh <user>@<orka-vm-ip>

Replace <user> with the username for your Orka VM.
Replace <orka-vm-ip> with the private IP of the Orka VM.

  1. When prompted, provide your password or key for the specified username on the specified MacStadium VM.
    If the connection is successful, the prefix of the terminal becomes <user>@<orka-vm-ip>. This indicates that you have connected from GCP to MacStadium over the tunnel.

What's next

VPN Tunnel Troubleshooting


ยฉ 2019-2023 Copyright MacStadium, Inc. โ€“ Documentation built with readme.com. Orka is a registered trademark of MacStadium, Inc.