I have installed strongSwan VPN on a GCP Compute Engine instance (Ubuntu 20.04) by following https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04
I have 3 different projects and I set up a tunnel for all of them from the strongSwan VPN Compute Engine instance.
Below is the ipsec.conf file:
conn strongswan-to-ops
    ikelifetime=600m # 36,000 s
    keylife=180m # 10,800 s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
    authby=psk
    left=172.x.x.x # In case of NAT set to internal IP, e.g. 10.164.0.6
    leftid=172.x.x.x
    leftsubnet=192.x.x.x/24
    leftauth=psk
    right=[gateway IP]
    rightid=[gateway IP]
    rightsubnet=172.x.x.x/16
    rightauth=psk
    type=tunnel
    auto=start
    dpdaction=restart
The IPsec status shows:
Security Associations (2 up, 0 connecting):
strongswan-to-ops[4]: ESTABLISHED 46 minutes ago,
strongswan-to-ops{3}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c233fb9c_i 17261c13_o
strongswan-to-ops{3}: 192.x.x.x/24 === 172.x.x.x/16
But I am still not able to access the HTTP server/other VMs on the other projects.
On GCP Compute Engine, IP forwarding was off, so that was the problem.
I took a snapshot of the Compute Engine instance, created a new one from it, and set IP forwarding to ON.
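
An added example, not part of the original post: a triage script for the situation described above, where the child SA is INSTALLED but nothing is routed. It checks the two independent forwarding switches, the GCE instance property `canIpForward` and the kernel's `net.ipv4.ip_forward`. The function names, the sample status text, and the assumption that the kernel setting was already 1 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage for "SA is INSTALLED but no traffic passes" on a GCE gateway.
# Function names and the sample status text are constructed for illustration.

# Constructed sample, modelled on the `ipsec status` output in the post.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
strongswan-to-ops[4]: ESTABLISHED 46 minutes ago,
strongswan-to-ops{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c233fb9c_i 17261c13_o
strongswan-to-ops{3}:   192.x.x.x/24 === 172.x.x.x/16'

# Count child SAs in state INSTALLED. $1 = conn name, $2 = status text
installed_sas() {
    printf '%s\n' "$2" | grep -c "^[[:space:]]*$1{[0-9]*}:[[:space:]]*INSTALLED" || true
}

# Name the first layer that stops forwarded packets.
# $1 = kernel net.ipv4.ip_forward (0/1), $2 = GCE canIpForward (True/False),
# $3 = number of INSTALLED child SAs
diagnose() {
    if [ "$3" -eq 0 ]; then echo "no-sa"; return; fi
    # GCE drops packets whose source/destination is not the VM itself
    # unless the instance has canIpForward set.
    if [ "$2" != "True" ]; then echo "gce-ip-forwarding-off"; return; fi
    if [ "$1" != "1" ]; then echo "kernel-ip-forward-off"; return; fi
    echo "ok"
}

# Gather live values on the gateway. $1 = instance name, $2 = zone, $3 = conn name
collect_live() {
    local kernel gce status
    kernel=$(sysctl -n net.ipv4.ip_forward)
    gce=$(gcloud compute instances describe "$1" --zone "$2" --format='value(canIpForward)')
    status=$(ipsec status "$3")
    diagnose "$kernel" "$gce" "$(installed_sas "$3" "$status")"
}

if [ "$#" -eq 3 ]; then
    collect_live "$@"
else
    # No arguments: replay the post's situation (SA up, GCE forwarding off,
    # kernel forwarding assumed to be 1).
    diagnose 1 False "$(installed_sas strongswan-to-ops "$SAMPLE_STATUS")"
fi
```

Run it on the gateway as `script INSTANCE ZONE CONN` to check live values; with no arguments it replays the case from the post and prints `gce-ip-forwarding-off`.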