Cloud VPN logs are stored in Stackdriver Logging. Logging is automatic and does not need to be enabled.
Things to check in logs
If you're having issues with your tunnel, start by checking your logs.
Check the following:
- Verify that the peer IP configured on the Cloud VPN gateway is correct.
- Check that traffic is flowing between the two VPN gateways in both directions. In the VPN logs, check for reported incoming messages from the Peer VPN gateway. Also, consider checking the Peer VPN gateway for messages from Cloud VPN gateway.
- Check if the IKE versions configured on the VPN gateways match.
- Check if there is a NAT firewall or NAT configured between the two VPN gateways that is modifying source IP information. This can prevent the gateways from connecting.
- If the VPN logs indicate error
no-proposal-chosen, this indicates that there was no match between the algorithms configured on the pair of VPN gateways. In IKEv1, the set of algorithms must be a complete match. In IKEv2, there must be one common algorithm between the two configurations. Make sure the Peer VPN gateway is configured to support the values listed in Setting up the peer VPN gateway
Refer to the Stackdriver Logging documentation for more information, including how to export logs and how to use logs-based metrics for monitoring and alerting.