A VPN connection is used to connect a VPC to an IDC and the status of the VPN tunnel is Linked, but the private network cannot be connected.
If the tunnel is in a normal status yet the private network cannot be connected, the possible causes are as follows:
Check whether the route table of the VPC subnet contains any route whose destination IP address is the private IP range on the IDC side and whose next hop address is the corresponding VPN gateway. Meanwhile, check whether there is any route on the IDC side whose destination IP address is the VPC IP range and whose next hop address is the corresponding VPN tunnel.
Go to the VPC subnet route table. Click the route table ID to enter the details page and check these aspects:
Execute the command on the IDC side to check the routing (take Huawei’s device as an example):
display ip routing-table //Check whether there is any route whose destination IP address is the cloud VPC IP range and whose next hop is the corresponding VPN tunnel
Check whether the security group associated with the server in the VPC and the network ACL associated with the subnet allow the traffic from the local IDC to pass through. Meanwhile, check whether the IDC allows the traffic from the cloud VPC to pass through.
Go to the server security group in VPC page. Click the security group ID to enter the “Security Group Rule” page to check:
Go to VPC subnet ACL rule, click the network ACL ID to enter the “Basic Info” page, and click “Inbound Rule” tab to check:
Security policy check on the IDC side (take Huawei Firewall as an example here):
display current-configuration configuration security-policy
Check whether the CVM instance in the VPC and the firewall of the operating system of the server on the private network in the IDC have the policy to open the peer IP range to internet.
Checking the firewall on a Linux server:
Checking the firewall on a Windows server: Control Panel > System and Security > Windows Defender Firewall > Allow an app through Windows Firewall
Check whether the proxy identity (SPD policy) of VPN tunnels on the VPC and IDC sides contains private IP ranges that need to be interconnected.
Go to the SPD policy page in the VPC console. Click the VPN tunnel ID to enter the Basic information page, and you can check the SPD policy:
SPD policy check on the IDC side (take Huawei Firewall as an example here):
display current-configuration configuration acl
Check whether the route table of the VPN gateway contains the required routing policy. On the VPN gateway page, click the ID of the target VPN gateway to enter the Route table page, and you can check the routing policies.
Collect the troubleshooting information above and submit a ticket or ask the device manufacturer for help.