GCP IPSec VPN with BGP

I am trying to set up an IPSec VPN with BGP to GCP. I have the VPN up, and I see traffic coming in, but nothing is going out towards Google. I think the issue has to do with NAT on the public interface, but I am not sure how to fix my config.

vyos@router1:~$ show vpn ipsec sa
Connection                     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-35.245.110.63-tunnel-vti  up       20m47s    360B/0B         6/0               35.245.110.63     N/A          AES_CBC_256/HMAC_SHA1_96
peer-35.245.110.63-tunnel-vti  up       20m47s    109K/0B         1K/0              35.245.110.63     N/A          AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@router1:~$ show interface vti detail 
vti10@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 204.89.189.2 peer 35.245.110.63
    inet 169.254.0.2/30 scope global vti10
       valid_lft forever preferred_lft forever

    RX:   bytes  packets  errors  dropped  overrun       mcast
         115200     1920       0        0        0           0
    TX:   bytes  packets  errors  dropped  carrier  collisions
              0        0       0        0        0           0

My config:

high-availability {
    vrrp {
        group management {
            interface bond0.3
            virtual-address 10.0.2.1/24
            vrid 3
        }
        group private {
            interface bond0.2
            virtual-address 10.0.0.1/23
            vrid 2
        }
        group public {
            interface bond0
            virtual-address 204.89.189.1/24
            virtual-address 204.117.64.1/24
            vrid 1
        }
    }
}
interfaces {
    bonding bond0 {
        address 204.89.189.4/24
        address 204.117.64.4/24
        description "Public Internet"
        hash-policy layer2
        member {
            interface eth0
            interface eth1
        }
        mode 802.3ad
        mtu 9000
        policy {
            route PBR
        }
        vif 2 {
            address 10.0.0.4/23
            description "Vocinity Private"
            mtu 9000
        }
        vif 3 {
            address 10.0.2.4/24
            description "Vocinity Management"
        }
    }
    ethernet eth0 {
        hw-id 00:02:c9:0d:02:28
    }
    ethernet eth1 {
        hw-id 00:02:c9:0d:02:98
    }
    ethernet eth2 {
        address 70.33.172.138/30
        description "Atlantic Metro 10Gig"
        disable-link-detect
        hw-id 00:02:c9:0d:02:29
    }
    ethernet eth3 {
        hw-id 00:02:c9:0d:02:99
    }
    loopback lo {
    }
    vti vti10 {
        address 169.254.0.10/30
        mtu 1436
    }
}
nat {
}
policy {
    prefix-list bogons {
        rule 10 {
            action permit
            description "this network [RFC1122]"
            le 32
            prefix 0.0.0.0/8
        }
        rule 11 {
            action permit
            description "private space [RFC1918]"
            le 32
            prefix 10.0.0.0/8
        }
        rule 12 {
            action permit
            description "CGN shared [RFC6598]"
            le 32
            prefix 100.64.0.0/10
        }
        rule 13 {
            action permit
            description "localhost [RFC1122]"
            le 32
            prefix 127.0.0.0/8
        }
        rule 14 {
            action permit
            description "link local [RFC3927]"
            le 32
            prefix 169.254.0.0/16
        }
        rule 15 {
            action permit
            description "private space [RFC1918]"
            le 32
            prefix 172.16.0.0/12
        }
        rule 16 {
            action permit
            description "TEST-NET-1 [RFC5737]"
            le 32
            prefix 192.0.2.0/24
        }
        rule 17 {
            action permit
            description "6to4 anycast relay [RFC7526]"
            le 32
            prefix 192.88.99.0/24
        }
        rule 18 {
            action permit
            description "private space [RFC1918]"
            le 32
            prefix 192.168.0.0/16
        }
        rule 19 {
            action permit
            description "benchmarking [RFC2544]"
            le 32
            prefix 198.18.0.0/15
        }
        rule 20 {
            action permit
            description "TEST-NET-2 [RFC5737]"
            le 32
            prefix 198.51.100.0/24
        }
        rule 21 {
            action permit
            description "TEST-NET-3 [RFC5737]"
            le 32
            prefix 203.0.113.0/24
        }
        rule 22 {
            action permit
            description multicast
            le 32
            prefix 224.0.0.0/4
        }
        rule 23 {
            action permit
            description "reserved for future use"
            le 32
            prefix 240.0.0.0/4
        }
    }
    prefix-list default {
        rule 10 {
            action permit
            prefix 0.0.0.0/0
        }
    }
    prefix-list local {
        rule 10 {
            action permit
            prefix 204.89.189.0/24
        }
        rule 11 {
            action permit
            prefix 204.117.64.0/24
        }
    }
    route PBR {
        rule 20 {
            description "AS12189 irp probe traffic to table 10"
            set {
                table 10
            }
            source {
                address 204.89.189.28/32
            }
        }
        rule 30 {
            description "AS46887 irp probe traffic to table 11"
            set {
                table 11
            }
            source {
                address 204.89.189.29/32
            }
        }
        rule 40 {
            description "AS29838 irp probe traffic to table 12"
            set {
                table 12
            }
            source {
                address 204.89.189.27/32
            }
        }
    }
    route-map external-in {
        rule 10 {
            action deny
            match {
                ip {
                    address {
                        prefix-list bogons
                    }
                }
            }
        }
        rule 11 {
            action deny
            match {
                ip {
                    address {
                        prefix-list default
                    }
                }
            }
        }
        rule 20 {
            action permit
        }
    }
    route-map local-out {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list local
                    }
                }
            }
        }
    }
}
protocols {
    bgp 398334 {
        address-family {
            ipv4-unicast {
                network 204.89.189.0/24 {
                }
                network 204.117.64.0/24 {
                }
                redistribute {
                    connected {
                    }
                }
            }
        }
        neighbor 70.33.172.137 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export local-out
                        import external-in
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            password ****************
            remote-as 33597
        }
        neighbor 169.254.0.9 {
            address-family {
                ipv4-unicast {
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            disable-connected-check
            remote-as 65534
        }
        neighbor 204.89.189.2 {
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            remote-as 398334
        }
        neighbor 204.89.189.3 {
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            remote-as 398334
        }
        neighbor 204.89.189.56 {
            address-family {
                ipv4-unicast {
                    route-reflector-client
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            remote-as 398334
        }
        parameters {
            router-id 204.89.189.4
        }
    }
    static {
        route 10.0.3.0/24 {
            next-hop 10.0.0.9 {
                distance 1
            }
        }
        route 10.40.0.0/14 {
            next-hop 10.0.0.251 {
                distance 1
            }
        }
        route 10.88.64.0/22 {
            next-hop 10.0.0.9 {
                distance 1
            }
        }
        route 172.16.0.0/16 {
            next-hop 10.0.0.53 {
                distance 1
            }
        }
        route 204.89.189.0/24 {
            blackhole {
                distance 254
            }
        }
        route 204.117.64.0/24 {
            blackhole {
                distance 254
            }
        }
        table 10 {
            route 0.0.0.0/0 {
                next-hop 172.24.255.14 {
                }
            }
        }
        table 11 {
            route 0.0.0.0/0 {
                next-hop 144.121.130.193 {
                }
            }
        }
        table 12 {
            route 0.0.0.0/0 {
                next-hop 69.9.42.177 {
                }
            }
        }
    }
}
service {
    snmp {
        community vocinity {
            client 10.0.0.32
            client 10.0.0.56
        }
    }
    ssh {
        listen-address 10.0.0.4
        listen-address 10.0.2.4
        listen-address 204.89.189.4
        listen-address 69.9.42.177
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name vocinity.com
    flow-accounting {
        buffer-size 024
        interface eth2
        interface bond0
        netflow {
            sampling-rate 1
            server 10.0.0.36 {
                port 2055
            }
            server 10.0.0.56 {
                port 2055
            }
            timeout {
                expiry-interval 10
            }
            version 9
        }
    }
    host-name router3
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    name-server 10.0.0.5
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group gcp-esp {
            compression disable
            lifetime 10800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group gcp-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev2
            lifetime 36000
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface bond0
        }
        site-to-site {
            peer 35.245.110.63 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group gcp-ike
                ikev2-reauth inherit
                local-address 204.89.189.4
                vti {
                    bind vti10
                    esp-group gcp-esp
                }
            }
        }
    }
}

To understand exactly what the matter is with NAT, is it possible to try deleting all NAT rules and re-checking?
The second step is to exclude VRRP + NAT. And so on.

But before deleting NAT, try to dump traffic from the bond interface. Are the packets which are expected on the VTI being sent via the bond? Check BGP routes and the BGP table. Do you see prefixes from the remote site?

When I run tcpdump on vti10 I see BGP traffic from 169.254.0.1, the GCP router, but I am not responding. I don't see ANY traffic going out vti10, just incoming.

vti10: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1436
        inet 169.254.0.2  netmask 255.255.255.252  destination 169.254.0.2
        tunnel   txqueuelen 1000  (IPIP Tunnel)
        RX packets 7504  bytes 450240 (439.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Check the dump on the bonding interface. It seems it sends replies via the bond.
Do you see the expected routes from the BGP neighbor?

Which BGP peer in your config is supposed to be your GCP peer? The vti10 interface has a 169.254 address but the BGP config has no corresponding peers. How are you routing through your VTI tunnel?

I was not able to ping the 169.254 address, so I did not bother setting up BGP yet. I removed my NAT rules and now traffic is flowing, but BGP is not coming up.

vyos@router3:~$ show ip bgp neighbors 169.254.0.9 
BGP neighbor is 169.254.0.9, remote AS 65534, local AS 398334, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 204.89.189.4
  BGP state = Active
  Last read 06:51:26, Last write 00:01:09
  Hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                207          2
    Notifications:          0          2
    Updates:            58530          0
    Keepalives:             2          2
    Route Refresh:          0          0
    Capability:             0          0
    Total:              58739          6
  Minimum time between advertisement runs is 0 seconds

 For address family: IPv4 Unicast
  Not part of any update group
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor(all)
  0 accepted prefixes

  Connections established 2; dropped 2
  Last reset 06:50:38,  Waiting for peer OPEN
Local host: 169.254.0.10, Local port: 51342
Foreign host: 169.254.0.9, Foreign port: 179
Nexthop: 169.254.0.10
Nexthop global: ::
Nexthop local: ::
BGP connection: shared network
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 51 seconds
Read thread: off  Write thread: off  FD used: -1

protocols {
    bgp 398334 {
        address-family {
            ipv4-unicast {
                network 204.89.189.0/24 {
                }
                network 204.117.64.0/24 {
                }
                redistribute {
                    connected {
                    }
                }
            }
        }
        neighbor 70.33.172.137 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export local-out
                        import external-in
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            password ****************
            remote-as 33597
        }
        neighbor 169.254.0.9 {
            address-family {
                ipv4-unicast {
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            disable-connected-check
            remote-as 65534
        }

Errors I am seeing:

frr/frr.log:Jul  4 14:20:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:46:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:48:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:50:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:52:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:54:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:56:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 14:58:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 15:00:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 15:04:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 15:10:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer
frr/frr.log:Jul  4 15:14:52 router3 bgpd[1086]: [EC 33554454] 169.254.0.9 [Error] bgp_read_packet error: Connection reset by peer

Can you ping 169.254.0.9 from your VyOS router? If not, then you might need to add an interface route or a route to 169.254.0.9 through vti10.

I sure can.

vyos@router3:~$ ping 169.254.0.9
PING 169.254.0.9 (169.254.0.9) 56(84) bytes of data.
64 bytes from 169.254.0.9: icmp_seq=1 ttl=64 time=3.38 ms
64 bytes from 169.254.0.9: icmp_seq=2 ttl=64 time=2.70 ms
64 bytes from 169.254.0.9: icmp_seq=3 ttl=64 time=2.63 ms
^C
--- 169.254.0.9 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.626/2.903/3.380/0.338 ms

Try to set update source:

set protocols bgp xxxx neighbor 169.254.0.9 update-source 169.254.0.10

If it doesn’t help:

sudo nmap -p 179 169.254.0.9
sudo tcpdump -ntvvvvvi vti10

Found the issue deep in GCP logs. Turns out that when it first came up it tried to send full routes; GCP will then continue to drop the connection after that even if you don't send it any routes. The solution was to delete the router and rebuild it on the GCP side and only send partial routes on the VyOS side.
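One way to do the "only send partial routes" part on the VyOS side, as an added example and not the poster's final configuration: the posted config has an export route-map on the upstream peer 70.33.172.137 but none on the GCP peer 169.254.0.9, so the full table learned upstream plus every connected network would be re-advertised into the tunnel. The two prefixes below are taken from the bond0 vif addresses in the posted config and the maximum-prefix value is an assumption; adjust both to what GCP actually needs.

```vyos
# Added example, not the thread's own config. Export only the on-prem networks
# (the bond0 vif networks from the posted config) to the GCP peer.
set policy prefix-list gcp-out rule 10 action permit
set policy prefix-list gcp-out rule 10 description "Vocinity Private"
set policy prefix-list gcp-out rule 10 prefix 10.0.0.0/23
set policy prefix-list gcp-out rule 11 action permit
set policy prefix-list gcp-out rule 11 description "Vocinity Management"
set policy prefix-list gcp-out rule 11 prefix 10.0.2.0/24

# Route-map with a single permit rule; anything not matched is denied
# implicitly, exactly like the existing local-out map on the upstream peer.
set policy route-map gcp-out rule 10 action permit
set policy route-map gcp-out rule 10 match ip address prefix-list gcp-out

# Apply it as the export policy on the GCP neighbour, source the session from
# the VTI address (as suggested earlier in the thread), and cap what is
# accepted back in so a misconfigured remote side cannot flood the table.
# The limit of 50 is an assumed value.
set protocols bgp 398334 neighbor 169.254.0.9 address-family ipv4-unicast route-map export gcp-out
set protocols bgp 398334 neighbor 169.254.0.9 address-family ipv4-unicast maximum-prefix 50
set protocols bgp 398334 neighbor 169.254.0.9 update-source 169.254.0.10
commit

# Confirm only the two prefixes are advertised before expecting GCP to keep
# the session up (run from configure mode, hence the "run" prefix).
run show ip bgp neighbors 169.254.0.9 advertised-routes
```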

Nice to hear that, and thanks for sharing the solution.
