Skip to main content
(Optional) How to verify that your GCP-Orka VPN tunnel works as expected: check security associations, tunnel status and traffic between Orka and GCP.

You need:

  • Active VPN connection to your Orka cluster.
  • Your Cisco ASAv connection information from the IP Plan.
This part of the workflow is optional.

Verify that there is an ISAKMP security association between the peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface….
79b3129-cisco-asdm-tools-menu.png
  1. Select Single Line , enter the following command, and click Send.
show crypto isakmp sa
If the site-to-site VPN connection is configured properly, you should see information about an active IKEv1. For example: 
Result of the command: "show crypto isakmp sa"  
  
IKEv1 SAs:  
  
Active SA: 1  
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)  
Total IKE SA: 1  
  
1 IKE Peer: ...  
Type : L2L Role : initiator   
Rekey : no State : MM_ACTIVE  
  
There are no IKEv2 SAs

Verify that there is an IPsec security association between peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface….
9623829-cisco-asdm-tools-menu.png
  1. Select Single Line , enter the following command, and click Send.
show crypto ipsec sa
If the site-to-site VPN connection is configured properly, you should see a detailed log. For example: 
Result of the command: "show crypto ipsec sa"  
  
interface: Outside  
Crypto map tag: amzn_vpn_map_1, seq num: 1, local addr: ...  
  
access-list acl-amzn extended permit ip any ...   
local ident (addr/mask/prot/port): ...  
remote ident (addr/mask/prot/port): ...  
current_peer: ...  
  
  
....  
  
inbound esp sas:  
...  
outbound esp sas:  
...

Verify that the tunnel is connected

  1. Log in to your GCP console.
  2. From the GCP console sidebar, scroll to the Networking section and select Hybrid Connectivity > VPN.
be23c1a-select-vpn.png
  1. On the Cloud VPN Tunnels tab, locate the tunnel to MacStadium and check the value for VPN tunnel status. When your tunnel is properly connected, the status is: Established.
1ce592e-vpn-tunnel-status.png

Test traffic and visibility through the tunnel

  1. Verify that you have created a virtual machine in MacStadium.
  2. Verify that you have created a virtual machine instance in GCP and that you have enabled user login on it.
    For more information about user login on GCP instances, see Google Cloud Documentation: Setting up and configuring OS Login.
  3. In the terminal on your MacStadium VM, run the following command: 
ssh <user>@<gcp-vm-ip>
Replace <user> with the username for your GCP instance.
Replace <gcp-vm-ip> with the private IP of the GCP instance.
  1. When prompted, provide your password or key for the specified username on the specified GCP instance.
    If the connection is successful, the prefix of the terminal becomes <user>@<gcp-vm-ip>. This indicates that you have connected from Orka to GCP over the tunnel.
  2. Run the following command: 
ssh <user>@<orka-vm-ip>
Replace <user> with the username for your Orka VM.
Replace <orka-vm-ip> with the private IP of the Orka VM.
  1. When prompted, provide your password or key for the specified username on the specified MacStadium VM.
    If the connection is successful, the prefix of the terminal becomes <user>@<orka-vm-ip>. This indicates that you have connected from GCP to MacStadium over the tunnel.