GCP HA VPN to Fortigate (AUTHENTICATION_FAILED) - google-cloud-platform

I'm having an issue configuring a site to site vpn from GCP to Fortigate.
I'm configuring a 1 tunnel HA VPN as a test before building in production.
My Fortigate is behind an external firewall; the IPsec VPN is configured with NAT.
According to debugs on the Fortigate, Phase 1 and Phase 2 are negotiated and established, Fortigate sends AUTH_RESPONSE and gets reply from the GCP side saying AUTHENTICATION_FAILED.
The status on GCP side is showing:
First Handshake. Allocating resources. VPN tunnel will start soon.
Has anyone any ideas why I'm getting AUTHENTICATION_FAILED on the GCP side?
Thanks
Gerard

Not knowing exactly what the issue may be I would suggest looking at these two Google Public documents. This link describes how to use HA VPN with Fortigate, and this link is a setup guide. Within these two documents you should be able to configure your authentication to work with GCP.

Yes, this has been a known issue for quite some time. FortiOS 6.4.6 did add a field called "Local ID" to override the default IP address, but unfortunately it incorrectly sets the identity type as FQDN and Google will reject the VPN session for that reason. I reported this to FortiGate over a year ago and they were unwilling to accept it as a bug, instead saying I needed to sign a large contract and then make a feature request.
Currently, the only workaround is to give the FortiGate a public IP address. Or, use AWS as they'll accept the private IP.
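As an added illustration of the ID-type mismatch this answer describes (example code written for this page, not FortiOS or Google code), the following Python builds and parses IKEv2 Identification payloads as laid out in RFC 7296 section 3.5 and applies the check a responder makes when it expects the peer to identify itself by IPv4 address. The same dotted-quad text tagged as ID_FQDN fails that check even though the characters match. The peer address 203.0.113.5 and the function names are constructed for the example.

```python
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_RFC822_ADDR: "ID_RFC822_ADDR",
    ID_IPV6_ADDR: "ID_IPV6_ADDR",
    ID_KEY_ID: "ID_KEY_ID",
}


def encode_id_payload(id_type, value, next_payload=0):
    """Build an IDi/IDr payload: generic header (next payload, flags, length),
    then ID Type plus 3 reserved bytes, then the identification data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    elif id_type == ID_IPV6_ADDR:
        data = ipaddress.IPv6Address(value).packed
    elif id_type in (ID_FQDN, ID_RFC822_ADDR, ID_KEY_ID):
        data = value.encode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    length = 4 + 4 + len(data)
    return struct.pack("!BBH", next_payload, 0, length) + struct.pack("!B3x", id_type) + data


def decode_id_payload(raw):
    """Parse an ID payload and return (id_type, value as text)."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("payload length field does not match data")
    (id_type,) = struct.unpack("!B3x", raw[4:8])
    data = raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return id_type, str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR, ID_KEY_ID):
        return id_type, data.decode("ascii", errors="replace")
    raise ValueError(f"unknown ID type {id_type}")


def peer_identity_acceptable(raw_payload, expected_type, expected_value):
    """Responder-side check: the identity matches only if both the type and
    the value agree. Text that looks like an IP but arrives as ID_FQDN does
    not satisfy an expected ID_IPV4_ADDR."""
    try:
        id_type, value = decode_id_payload(raw_payload)
    except ValueError:
        return False
    if id_type != expected_type:
        return False
    if expected_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return ipaddress.ip_address(value) == ipaddress.ip_address(expected_value)
    return value == expected_value


def describe(raw_payload):
    """Human-readable summary suitable for a debug log line."""
    id_type, value = decode_id_payload(raw_payload)
    return f"{ID_TYPE_NAMES.get(id_type, id_type)}={value}"


if __name__ == "__main__":
    # Constructed scenario: the responder expects the peer to identify itself
    # with its public IPv4 address 203.0.113.5 (TEST-NET-3, not a real peer).
    expected = (ID_IPV4_ADDR, "203.0.113.5")
    good = encode_id_payload(ID_IPV4_ADDR, "203.0.113.5")
    # Same text, but tagged as an FQDN, which is the Local ID behaviour described above.
    bad = encode_id_payload(ID_FQDN, "203.0.113.5")
    for payload in (good, bad):
        verdict = "accepted" if peer_identity_acceptable(payload, *expected) else "rejected"
        print(describe(payload), "->", verdict)
```

When comparing a packet capture or `diagnose debug` output against this, the thing to look at is the ID Type byte of the IDi payload, not the printable identity; a wrong type with the right text is exactly the case that produces an authentication failure on the responder.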

Related

How to setup VPN from on-premises database to Google Cloud

I want to be able to connect from on premises database to google cloud.
I have VPC set, external IP address and VPN but not connected yet.
Is there something I missed? Do I have to create a compute engine first?
I would recommend you to first read this link which is the cloud VPN overview to mainly understand the type of VPN that you are creating for this setup and then setup your VPN.
In this other link you will find some guides to set up the VPN with devices such as Cisco or even other cloud providers. I hope you find these links useful, since your question doesn't have much information to better understand whether you have any error message or what kind of peer device you're using for this setup.
Cheers

Need assistance to whitelist IPs of Dialogflow fulfilment request for firewall

I am evaluating Dialogflow ES Trail and created an agent, with fulfillment to explore the features.
For that, I have configured the application service in the Dialogflow console under fulfillment and specified the application endpoint URL for the service that is hosted on our secure network and environment. When a specific intent that has fulfillment enabled matches, it will invoke the service that is configured, but there is a failure "Dialogflow fulfillment error: Webhook call failed. Error: DEADLINE_EXCEEDED." since this request is getting blocked on our firewall.
Please note we are not hosted on the google cloud platform and using other cloud services and also we are using a different firewall that has custom rules.
I'm seeking assistance with whitelisting the IP addresses or DNS from which Google Dialogflow fulfillment is sending the traffic since this seems to be dynamic and changing every time the requests are getting blocked on our firewall.
I went through this documentation and tried allowing the IP address ranges specified, but the IP addresses from which Google is sending the traffic are different. Also, it seems like this is more specific to Google Cloud Platform:
https://cloud.google.com/vpc/docs/access-apis-external-ip#config
Also, configuring the dynamic IP address ranges from these files goog.json and cloud.json hosted on the internet, which keep updating daily, seems to be difficult to handle in our firewall:
https://cloud.google.com/vpc/docs/access-apis-external-ip#ip-addr-defaults
Can anyone please help me with how I can whitelist dialogflow.cloud.google.com traffic to our firewall, since their IP addresses and DNS are dynamic?
I recommend you to forgive this solution and to accept the traffic! Ok, surprising, let me explain.
If you whitelist the Dialogflow URL or IP, all the users that use Dialogflow will be authorized on your firewall. And because anyone can use Dialogflow, you will open the firewall to everybody.
Thus, don't waste time with that. "Don't trust the network" as Google says, but trust the authentication of the request. You can set, at least, a static "API Key" on your webhook calls; it's much better than IP filtering (even if not so strong, it's still better).
I recommend you to focus on this solution instead.
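To make the answer's suggestion concrete, here is an added example (written for this page, not Dialogflow's or Google's code) of a fulfillment webhook that accepts a request only when it carries a shared key in a custom header, checked with a constant-time comparison before the request body is even parsed. The header name X-Webhook-Key, the WEBHOOK_KEY environment variable, the port and the intent name in the sample request are assumptions made for the example; the static header itself is what you would configure on the fulfillment side so that every call carries it.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed shared secret. Load it from a secret store or environment in practice,
# never hard-code it; the fallback here only keeps the example runnable.
WEBHOOK_KEY = os.environ.get("WEBHOOK_KEY", "replace-me-with-a-long-random-value")
# Assumed name of the custom header the fulfillment sends on every call.
HEADER_NAME = "X-Webhook-Key"


def authorize_webhook(headers, expected_key=WEBHOOK_KEY):
    """Return True only if the request carries exactly the shared key.
    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes happen to match, so a wrong key leaks nothing."""
    presented = headers.get(HEADER_NAME)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_key.encode("utf-8"))


def build_fulfillment(request_body):
    """Minimal Dialogflow ES style reply: echo the matched intent's display name."""
    intent = request_body.get("queryResult", {}).get("intent", {}).get("displayName", "unknown")
    return {"fulfillmentText": f"Handled intent '{intent}'"}


def handle(headers, body_bytes, expected_key=WEBHOOK_KEY):
    """Pure request handler returning (HTTP status, JSON-serialisable body).
    Authentication is decided first; an unauthenticated caller never reaches
    the JSON parser, so malformed input from the open internet costs nothing."""
    if not authorize_webhook(headers, expected_key):
        return 401, {"error": "unauthorized"}
    try:
        body = json.loads(body_bytes)
    except ValueError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(body, dict):
        return 400, {"error": "expected a JSON object"}
    return 200, build_fulfillment(body)


class WebhookHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle(); self.headers is case-insensitive."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, payload = handle(self.headers, self.rfile.read(length))
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Listens on an assumed local port; put TLS termination in front of it.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Because the decision is made on the key and not on the source address, the firewall rule only needs to permit HTTPS to this endpoint; the constantly changing Google egress ranges stop mattering, and rotating the key is a configuration change on both sides rather than a firewall change.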

AWS EC2 for QuickBooks

AWS and network noob. I've been asked to migrate QuickBooks Desktop Enterprise to AWS. This seems easy in principle but I'm finding a lot of conflicting and confusing information on how best to do it. The requirements are:
Set up a Windows Server using AWS EC2
QuickBooks will be installed on the server, including a file share that users will map to.
Configure VPN connectivity so that the EC2 instance appears and behaves as if it were on prem.
Allow additional off site VPN connectivity as needed for ad hoc remote access
Cost is a major consideration, which is why I am doing this instead of getting someone who knows this stuff.
The on-prem network is very small - one Win2008R2 server (I know...) that hosts QB now and acts as a file server, 10-15 PCs/printers and a Netgear Nighthawk router with a static IP.
My approach was to first create a new VPC with a private subnet that will contain the EC2 instance and set up a site-to-site VPN connection with the Nighthawk for the on-prem users. I'm unclear as to whether I also need to create security group rules to only allow inbound traffic (UDP/TCP file sharing ports) from the static IP or if the VPN negates that need.
I'm trying to test this one step at a time and have an instance set up now. I am remote and am using my current IP address in the security group rules for the test (no VPN yet). I set up the file share but I am unable to access it from my computer. I can RDP and ping it and have turned on the firewall rules to allow NB and SMB but still nothing. I just read another thread that says I need to set up a storage gateway, but before I do that, I wanted to see if that is really required or if there's another/better approach. I have to believe this is a common requirement but I seem to be missing something.
This is a bad approach for QuickBooks. Intuit explicitly recommends against using QuickBooks with a file share via VPN:
Networks that are NOT recommended
Virtual Private Network (VPN) Connects computers over long distances via the Internet using an encrypted tunnel.
From here: https://quickbooks.intuit.com/learn-support/en-us/configure-for-multiple-users/recommended-networks-for-quickbooks/00/203276
The correct approach here is to host QuickBooks on the EC2 instance, and let people RDP (remote desktop) into the EC2 Windows server to use QuickBooks. Do not let them install QuickBooks on their client machines and access the QuickBooks data file over the VPN link. Make them RDP directly to the QuickBooks server and access it from there.

Can't browse Amazon retail site from VPN inside VPC

I use a VPN to access services in an AWS VPC. I also use this VPN as a gateway to my local internet. The strange thing is that when I'm connected to the VPN, I can't browse amazon.com or amazon.co.uk. I can get to the home page and it displays correctly, but whatever I try to do, I get an error 503 - Service Unavailable:
"We're sorry
An error occurred when we tried to process your request.
We're working on the problem and expect to resolve it shortly. Please note that if you were trying to place an order, it will not have been processed at this time. Please try again later.
We apologise for the inconvenience."
Again, this is Amazon's retail/shopping website.
It works fine with the VPN disabled.
What can I do to get this fixed?
Thanks!
It appears that amazon.com prevents access to the IP address range used by Amazon EC2 instances. This is possibly done to prevent scraping of information.
I accessed a page via an EC2 instance and noticed this message as a comment in the beginning of the HTML page:
To discuss automated access to Amazon data please contact api-services-support#amazon.com.
For information about migrating to our APIs refer to our Marketplace APIs at https://developer.amazonservices.com/ref=rm_5_sv, or our Product Advertising API at https://affiliate-program.amazon.com/gp/advertising/api/detail/main.html/ref=rm_5_ac for advertising use cases.
In fact, I have seen this behaviour on many websites.
While this does not assist with your use-case of sending traffic via your VPN connection to the Internet, at least it explains why it is occurring.

Google VPN Classic to Fortigate Handshake Errors

I have configured Cloud VPN Classic to on-prem Firewall using Fortigate. I'm using default supported IKE Ciphers and I've confirmed both sides are correct configuration.
But when I checked on Google, this error is shown: "Handshake with peer broken for unknown reason. Trying again soon"
Does anyone have a suggestion/help on this?
I was troubleshooting these issues for almost a month and still didn't find a solution for this case.
I have monitored the VPN the whole day; I found it will show active/up at certain times, but then it will go inactive.
"Handshake with peer broken for unknown reason. Trying again soon"
As there is no information about the specific Fortinet device you are using in your on-prem network, I'm sharing with you this Google Cloud VPN interop guide for using Cloud VPN with Fortinet, where you should find the correct configuration for GCP connectivity.
Additionally, I have found this Cloud VPN troubleshooting Google documentation which can help you monitor and solve issues with Cloud VPN.
I hope the provided documentation helps you troubleshoot your issue and to have the expected connectivity results.