contreras

Reputation: 1

Google Cloud VPN error: peer didn't accept DH group MODP_1024, it requested MODP_1024

I have an issue with Google Cloud Platform, specifically with a VPN that we have set up between our client and GCP: it goes down at fixed intervals of approximately 5 hours (5 hours up and 5 hours down).

The issue is:

peer didn't accept DH group MODP_1024, it requested MODP_1024

The usual pattern is 5 hours up and 5 hours down: https://i.sstatic.nettWU66.png

Our client receives the following information: https://i.sstatic.netza5xo.png

The complete log is:

{
  "textPayload": "peer didn't accept DH group MODP_1024, it requested MODP_1024",
  "insertId": "1xygt3f4zil3t",
  "resource": {
    "type": "vpn_gateway",
    "labels": {
      "gateway_id": "3128708644582367778",
      "project_id": "xxxxxxx-compensar",
      "region": "us-west1"
    }
  },
  "timestamp": "2017-05-26T20:47:44.780876927Z",
  "severity": "DEBUG",
  "logName": "projects/xxxxxxx-compensar/logs/cloud.googleapis.com%2Fipsec_events",
  "receiveTimestamp": "2017-05-26T20:47:44.825563989Z"
}

The configuration on the client's side is: https://i.sstatic.neteyMd4.png

The configuration on GCP is:

{
"creationTimestamp": "2017-02-20T08:43:58.085-08:00",
"description": "",
"forwardingRules": [
    "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp4500",
    "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp500",
    "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-esp"
],
"id": "3128708644582367778",
"kind": "compute#targetVpnGateway",
"name": "cliente-chile-vpn",
"network": "projects/xxxxxxx/global/networks/cliente-chile",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn",
"status": "READY",
"tunnels": [
    "projects/xxxxxxx/regions/us-west1/vpnTunnels/cliente-chile-vpn-tunnel-1"
]
}

{
"creationTimestamp": "2017-05-24T12:46:01.059-07:00",
"description": "",
"detailedStatus": "Handshake with peer broken for unknown reason. Trying again soon.",
"id": "5377869613206363158",
"ikeVersion": 2,
"kind": "compute#vpnTunnel",
"localTrafficSelector": [
    "10.110.0.0/20",
    "10.100.0.0/20"
],
"name": "cliente-chile-vpn-tunnel-1",
"peerIp": "000.00.00.00",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/vpnTunnels/cliente-chile-vpn-tunnel-1",
"sharedSecret": "*************",
"sharedSecretHash": "xxxxxxxxxxxxxxxxxxxxx",
"status": "FIRST_HANDSHAKE",
"targetVpnGateway": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}

{
"creationTimestamp": "2017-02-20T08:44:05.802-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "UDP",
"id": "7352555096091566650",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-udp4500",
"portRange": "4500-4500",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp4500",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}

{
"creationTimestamp": "2017-02-20T08:44:04.428-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "UDP",
"id": "8789138583346127419",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-udp500",
"portRange": "500-500",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp500",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}

{
"creationTimestamp": "2017-02-20T08:44:03.043-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "ESP",
"id": "2497873112390345276",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-esp",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-esp",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}

Upvotes: 0

Views: 3425

Answers (2)

Wade

Reputation: 21

A couple of things. First, looking at the client configuration, it appears that the key renegotiation parameters are mismatched [1]; fixing that may help with the timing disconnects.

The rejection errors, I believe, are because Cloud VPN is attempting to establish 2 Child SAs, one for each of your networks listed; one is established, the other seems to be rejected.

One option would be to change the Cloud VPN tunnel to have 0.0.0.0/0 on the remote side, and then set up 2 routes manually for your two remote networks inside GCP.

[1] https://cloud.google.com/compute/docs/vpn/advanced#supported_ike_ciphers

Upvotes: 2

David

Reputation: 9721

Your screenshot shows two mismatches against the Cloud VPN docs:

  • You use SHA-256 when SHA-1 is required
  • Cloud VPN uses pre-shared keys, but it looks like no pre-shared secret is set up.

IPsec requires configurations to match closely, so try switching to SHA-1 and ensuring the two sides of the VPN have the same pre-shared key.

Upvotes: 1
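As an added example (not code from the question, the answers, or Google's Cloud VPN), here is a small Python checker that mirrors what the two answers describe: it intersects each side's IKEv2 transforms per transform type to find where the two peers cannot agree (the SHA-256 versus SHA-1 mismatch David points at), flags a missing pre-shared key, parses the DH-group line from the ipsec_events log, and counts the Child SAs a policy-based tunnel will try to negotiate from its traffic selectors (Wade's two-Child-SA observation). The transform names follow strongSwan's naming, the two configurations and CIDRs are constructed samples, and the one-Child-SA-per-local/remote-selector-pair count is an assumption that generalises Wade's answer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# Transform types negotiated in an IKEv2 SA payload (RFC 7296, section 3.3).
TRANSFORM_TYPES: Tuple[str, ...] = ("encryption", "prf", "integrity", "dh_group")


@dataclass(frozen=True)
class SideConfig:
    """One peer's acceptable transforms, keyed by transform type (strongSwan-style names)."""
    name: str
    transforms: Dict[str, Set[str]]
    ike_version: int = 2
    psk_configured: bool = True


def agreed_transforms(a: SideConfig, b: SideConfig) -> Dict[str, Set[str]]:
    """Per transform type, the transforms both sides would accept."""
    return {t: a.transforms.get(t, set()) & b.transforms.get(t, set()) for t in TRANSFORM_TYPES}


def mismatched_types(a: SideConfig, b: SideConfig) -> Set[str]:
    """Transform types with no overlap; any non-empty result means the IKE_SA cannot be built."""
    return {t for t, common in agreed_transforms(a, b).items() if not common}


def diagnose(a: SideConfig, b: SideConfig) -> List[str]:
    """Human-readable findings, version and authentication first, then each transform type."""
    findings: List[str] = []
    if a.ike_version != b.ike_version:
        findings.append(f"IKE version mismatch: {a.name}=v{a.ike_version}, {b.name}=v{b.ike_version}")
    if not (a.psk_configured and b.psk_configured):
        findings.append("pre-shared key is not configured on both sides")
    missing = mismatched_types(a, b)
    for t in TRANSFORM_TYPES:
        if t in missing:
            findings.append(f"no common {t}: {a.name} offers {sorted(a.transforms.get(t, set()))}, "
                            f"{b.name} offers {sorted(b.transforms.get(t, set()))}")
    return findings


def child_sa_count(local_selectors: Sequence[str], remote_selectors: Sequence[str]) -> int:
    """Child SAs a policy-based tunnel negotiates: one per local/remote selector pair.
    Assumption generalising the answer above; with a single remote selector this is one per local CIDR."""
    return len(local_selectors) * len(remote_selectors)


DH_LOG_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")


def parse_dh_rejection(text_payload: str) -> Tuple[str, str]:
    """Extract (offered, requested) DH groups from the ipsec_events textPayload shown in the question."""
    m = DH_LOG_RE.search(text_payload)
    if not m:
        raise ValueError("not a DH-group rejection message")
    return m.group(1), m.group(2)


# Constructed sample configurations, not the real ones from the question.
CLOUD = SideConfig("cloud", {
    "encryption": {"AES_CBC_128", "AES_CBC_256"},
    "prf": {"PRF_HMAC_SHA1"},
    "integrity": {"HMAC_SHA1_96"},
    "dh_group": {"MODP_1024"},
})
CLIENT = SideConfig("client", {
    "encryption": {"AES_CBC_256"},
    "prf": {"PRF_HMAC_SHA2_256"},
    "integrity": {"HMAC_SHA2_256_128"},
    "dh_group": {"MODP_1024"},
}, psk_configured=False)

if __name__ == "__main__":
    offered, requested = parse_dh_rejection(
        "peer didn't accept DH group MODP_1024, it requested MODP_1024")
    verdict = "same group on both sides, so look at the other transforms" if offered == requested \
        else "DH group mismatch"
    print(f"DH group offered={offered} requested={requested} ({verdict})")
    for line in diagnose(CLOUD, CLIENT):
        print("-", line)
    print("child SAs for two local CIDRs and one remote selector:",
          child_sa_count(["10.110.0.0/20", "10.100.0.0/20"], ["0.0.0.0/0"]))
```

Run against the constructed samples it reports the missing PSK and the PRF and integrity mismatches while encryption and DH group agree; the DH-group line from the question parses to the same group on both sides, which is why the checker points the reader at the remaining transform types rather than at MODP_1024 itself. Swapping the client's integrity and PRF to the SHA-1 variants, as David suggests, empties the mismatch set.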
