Following this document to connect an on-prem site via policy-based Classic Cloud VPN. Traffic is SNATted with an external IP before the tunnel connection. However, it doesn't seem the requested traffic goes through the tunnel. There is no request traffic in the tunnel VPC log for DEST_GATEWAY, only for incoming traffic from the peer SRC_GATEWAY. Has anybody experienced the same issue?
Hey,
Hope you’re keeping well.
In a policy-based Classic VPN setup, traffic will only pass through the tunnel if it matches the configured local and remote traffic selectors. If your on-prem traffic is SNATed to an external IP before hitting the tunnel, that IP might not be included in the local traffic selector, so the VPN will ignore it. Check your tunnel’s IKE Phase 2 traffic selectors in the Cloud Console under Hybrid Connectivity > VPN > Tunnels, and ensure they match the post-SNAT source and destination subnets. Also verify that your VPC routes point the relevant CIDR ranges to the VPN tunnel, otherwise traffic will follow the default internet route.
Thanks and regards,
Taz
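The two checks Taz describes (selector match and VPC route) can be modelled offline. This is an added example, not code from the thread or from Google Cloud; the selector lists, route table and addresses are constructed samples, and "vpn-tunnel" is just a placeholder next-hop name.

```python
"""Model how a policy-based Classic VPN tunnel decides whether to carry a flow:
the destination must be routed to the tunnel AND the (post-SNAT) source and
destination must fall inside the local/remote traffic selectors."""
from ipaddress import ip_address, ip_network


def flow_in_selectors(src, dst, local_selectors, remote_selectors):
    """True if src is inside a local selector and dst inside a remote one."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(n) for n in local_selectors) and any(
        d in ip_network(n) for n in remote_selectors)


def route_for(dst, routes):
    """Longest-prefix match over VPC routes; each route is (cidr, next_hop)."""
    d = ip_address(dst)
    matches = [(ip_network(c), nh) for c, nh in routes if d in ip_network(c)]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def tunnel_carries(src, dst, local_selectors, remote_selectors, routes):
    """The flow rides the tunnel only if both the route and the selectors agree."""
    return route_for(dst, routes) == "vpn-tunnel" and flow_in_selectors(
        src, dst, local_selectors, remote_selectors)


# Constructed sample values (not from the thread).
LOCAL = ["10.0.0.0/24"]       # VPC subnet only; the SNAT address is missing
REMOTE = ["172.16.0.0/24"]    # partner encryption domain
ROUTES = [("0.0.0.0/0", "default-internet-gateway"),
          ("172.16.0.0/24", "vpn-tunnel")]

if __name__ == "__main__":
    # Private source: route and selectors agree, so the flow enters the tunnel.
    print(tunnel_carries("10.0.0.5", "172.16.0.10", LOCAL, REMOTE, ROUTES))
    # Post-SNAT public source: the route still points at the tunnel, but the
    # source is outside every local selector, so the tunnel will not carry it.
    print(tunnel_carries("203.0.113.7", "172.16.0.10", LOCAL, REMOTE, ROUTES))
    # Adding the SNAT address to the local selector makes the flow eligible.
    print(tunnel_carries("203.0.113.7", "172.16.0.10",
                         LOCAL + ["203.0.113.7/32"], REMOTE, ROUTES))
```

Compare the lists against the localTrafficSelector and remoteTrafficSelector fields that `gcloud compute vpn-tunnels describe` reports, and the route table against `gcloud compute routes list`.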
Hi Taz,
The on-prem site is a partner network, which expects SNATted traffic with a public IP for the encryption domain.
Local and remote selectors are correct and the tunnel connection is established.
As I see in my ping test, according to this test section, when SNAT is not applied, ping traffic reaches the tunnel and in the VPC log I have seen DEST_GATEWAY-related logs; however, when SNAT is applied, there is no traffic for the outgoing request in the VPC log.
Either way, ping gets responses, but with SNAT not via the VPN tunnel.
Best Regards,
ibrahim