Google Cloud to pfSense VPN with BGP Dynamic Routing
-
I have a Netgate 4200 and set up pfSense on 192.168.0.1 as my LAN, and I have been trying to configure an HA Google Cloud VPN tunnel with dynamic BGP. The tunnel is established and working, but the BGP session is down. I have followed the following blogs: https://chou.se/gcp-ipsec-vpn-to-on-prem-pfsense-for-internet-egress/#:~:text=86.0%2F23%20network%20through%20pfSense,(automatic%20%2B%20custom%20rules) and https://hilliao.medium.com/google-cloud-ha-vpn-with-pfsense-b6786272e756 . My Google Cloud internal IPs are on 10.156.0.0/20, and the BGP status under pfSense is below. I have been reviewing my setup for hours, and any help will be highly appreciated. Thanks :-)
Under pfSense the BGP status is:
IPv4 Unicast Summary (VRF default):
BGP router identifier 169.254.0.2, local AS number 4200000003 vrf-id 0
BGP table version 3
RIB entries 5, using 960 bytes of memory
Peers 1, using 13 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
169.254.0.1 4 4200000001 0 0 0 0 0 never Active 0 GCP Cloud Router
Total number of neighbors 1
BGP Neighbors
BGP neighbor is 169.254.0.1, remote AS 4200000001, local AS 4200000003, external link
Local Role: undefined
Remote Role: undefined
Description: GCP Cloud Router BGP IP
BGP version 4, remote router ID 0.0.0.0, local router ID 169.254.0.2
BGP state = Active
Last read 00:01:10, Last write never
Hold time is 180 seconds, keepalive interval is 60 seconds
Configured hold time is 180 seconds, keepalive interval is 60 seconds
Configured conditional advertisements interval is 60 seconds
Graceful restart information:
Local GR Mode: Helper*
Remote GR Mode: NotApplicable
R bit: False
N bit: False
Timers:
Configured Restart Time(sec): 120
Received Restart Time(sec): 0
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 0 0
Notifications: 0 0
Updates: 0 0
Keepalives: 0 0
Route Refresh: 0 0
Capability: 0 0
Total: 0 0
Minimum time between advertisement runs is 0 seconds
Update source is 197.x.x.x (public IP)
For address family: IPv4 Unicast
Not part of any update group
Local AS allowed in path, 3 occurrences
Advertise all paths via addpath
Community attribute sent to this neighbor(large)
Inbound path policy configured
Outbound path policy configured
Incoming update prefix filter list is *IPv4-any
Outgoing update prefix filter list is *IPv4-any
Route map for incoming advertisements is *Access-All
0 accepted prefixes
Connections established 0; dropped 0
Last reset 00:01:10, Waiting for peer OPEN (n/a)
External BGP neighbor may be up to 1 hops away.
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 51 seconds
Read thread: off Write thread: off FD used: -1
-
@clouduser
The IPsec tunnel is UP? P1/P2?
If so, being in the ACTIVE state indicates that the TCP 3-way handshake is failing for BGP. -
Yes, the tunnel is up, and under pfSense the connections for P1 and P2 are established.
-
@clouduser
I would check the firewall logs to ensure BGP, which is TCP 179, isn't being dropped. Check the system logs for any other FRR-related errors. Short of that, there isn't anything else on the pfSense side that would not allow BGP to come up.
Incorrect BGP parameters would show up in the OPEN state, which you clearly aren't at yet. This is a communication problem at the TCP level.
edit:
Update source is 197.x.x.x (public IP)
Why are you using your public address to form the BGP peering? That's wrong.
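An added diagnostic example, not from the original thread or either poster: a small Python script that parses the text of FRR's "show bgp neighbors" (the format pasted above) and flags the two points made in this reply: a non-Established state with zero OPENs in either direction, meaning the TCP session to port 179 never completed, and an update source outside the 169.254.0.0/16 range that Cloud Router peers on. The two samples are constructed from the posted output (the poster's public address is replaced by the documentation address 198.51.100.10), and the /30 rule in suggest_update_source is a heuristic, not something the thread states.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample condensed from the output posted in the thread; the
# public update-source address is replaced with documentation space.
BROKEN = """\
BGP neighbor is 169.254.0.1, remote AS 4200000001, local AS 4200000003, external link
  Description: GCP Cloud Router BGP IP
  BGP version 4, remote router ID 0.0.0.0, local router ID 169.254.0.2
  BGP state = Active
  Message statistics:
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
  Update source is 198.51.100.10
  Connections established 0; dropped 0
  Last reset 00:01:10,  Waiting for peer OPEN (n/a)
"""

# Constructed healthy counterpart: session up, sourced from the tunnel address.
HEALTHY = """\
BGP neighbor is 169.254.0.1, remote AS 4200000001, local AS 4200000003, external link
  BGP version 4, remote router ID 169.254.0.1, local router ID 169.254.0.2
  BGP state = Established, up for 00:10:00
  Message statistics:
                         Sent       Rcvd
    Opens:                  1          1
    Keepalives:            10         10
  Update source is 169.254.0.2
  Connections established 1; dropped 0
"""

# GCP Cloud Router BGP peering addresses live in this link-local range.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_neighbor(text: str) -> dict:
    """Pull the handful of fields the diagnosis needs out of FRR's neighbor dump."""

    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default

    return {
        "neighbor": grab(r"BGP neighbor is (\S+),"),
        "remote_as": grab(r"remote AS (\d+)", int),
        "local_as": grab(r"local AS (\d+)", int),
        "local_router_id": grab(r"local router ID (\S+)"),
        "state": grab(r"BGP state = (\w+)"),
        "opens_sent": grab(r"Opens:\s+(\d+)\s+\d+", int, 0),
        "opens_rcvd": grab(r"Opens:\s+\d+\s+(\d+)", int, 0),
        "update_source": grab(r"Update source is (\d+(?:\.\d+){3})"),
        "established": grab(r"Connections established (\d+)", int, 0),
    }


def diagnose(text: str) -> list:
    """Return finding codes for the failure modes discussed in the thread."""
    n = parse_neighbor(text)
    findings = []
    # Not Established and no OPEN ever sent or received: the TCP/179 session
    # never completed, so the problem is filtering or routing, not AS numbers
    # or timers (those only matter once OPENs are exchanged).
    if n["state"] != "Established" and n["opens_sent"] == 0 and n["opens_rcvd"] == 0:
        findings.append("TCP_179_NEVER_COMPLETED")
    peer = ipaddress.ip_address(n["neighbor"])
    src = n["update_source"]
    if src is None:
        findings.append("UPDATE_SOURCE_UNSET")
    elif peer in LINK_LOCAL and ipaddress.ip_address(src) not in LINK_LOCAL:
        # The peer is a Cloud Router link-local address but the session is
        # sourced from an address the Cloud Router does not peer with.
        findings.append("UPDATE_SOURCE_NOT_TUNNEL_ADDRESS")
    return findings


def suggest_update_source(text: str) -> Optional[str]:
    """Heuristic (assumption, not from the thread): the two BGP addresses on a
    GCP HA VPN tunnel share a /30 in 169.254.0.0/16, so if the local router ID
    is the peer's partner address it is the tunnel-side source to configure."""
    n = parse_neighbor(text)
    peer = ipaddress.ip_address(n["neighbor"])
    rid = ipaddress.ip_address(n["local_router_id"])
    if rid != peer and rid in ipaddress.ip_network(f"{peer}/30", strict=False):
        return str(rid)
    return None


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(label, diagnose(sample), "suggested source:", suggest_update_source(sample))
```

Run it against a fresh paste of "show bgp neighbors" from the FRR status page; an empty findings list for a session that is still down means the cause is something the heuristics above do not cover, and the firewall and FRR logs are the next stop.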
-
Fairly new and green at working with pfSense. What should I change the update source for the neighbour's BGP to?