Google Cloud Platform – IPsec VPN Proposal Mismatch in IKE SA (Phase 1)

google-cloud-platform

We are trying to connect an IPSec VPN to our customer but having a hard time to get it to work.

The VPN-settings that we received from client:

IKE Version: 1
Authentication: PSK
IKE Hash: SHA1
IKE Encryption: AES 256 CBC
IKE DH Group: 5
Remote IP: <hidden>
PSK: <hidden>

Now, if I create an IPSec VPN with this in Google cloud then I get this error:

Status: Proposal mismatch in IKE SA (phase 1). Found inconsistency
between proposals, Consider updating the following parameters:
DIFFIE_HELLMAN_GROUP,ENCRYPTION_ALGORITHM

In the logs I'm seeing this:

initiating Main Mode IKE_SA vpn_<_hidden_>[453] to <_hidden_> 
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from <_hidden_>[500] to <_hidden_>[500] (156 bytes)
received packet: from <_hidden_>[500] to <_hidden_>[500] (40 bytes) 
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]  received NO_PROPOSAL_CHOSEN
error notify  The peer gateway notifies: Proposal mismatch in IKE SA
(phase 1) , Please look at peer logs.

Any hints?

Best Answer

Already found answer on https://cloud.google.com/vpn/docs/how-to/creating-vpns#set_up_the_peer_vpn_gateway :

Additional parameters for IKEv1 only:

IKE/ISAKMP aes128-sha1-modp1024
ESP aes128-sha1
PFS Algorithm Group 2 (MODP_1024)

Related Solutions

S2S Issue Google Cloud VPN and Cisco ASA 5545

Using static route and IKEv1 posed significant restrictions but that was what the 3rd party peer would support. The most significant being I could not use multi-cidr blocks and was limited to aes-128 for encryption.

After looking up some of the errors in the log, including INVALID_ID_INFORMATION, I found references that suggested the encryption on the ASA device was not matching. I looked this up in the manual and discovered there was aes as an option, which was really aes-128. Once this was resolved on the peer device, I got another INVALID HASH ID in the log.

Checking the status of the connection in gcloud turned out to be very useful https://cloud.google.com/compute/docs/vpn/creating-vpns. The UI gives little information in this regard:

gcloud compute --project [PROJECT_ID] vpn-tunnels describe tunnel1 --region us-central1

This gave the following useful output:

Please verify that the network range and the remote network IP ranges of the tunnel match the configured IP ranges on the peer device.

The last part was kind of easy; after matching the cidr blocks defined on the peer device in the cloud vpn tunnel's local-traffic selector, the tunnel came up.

So to answer some of the questions: is it possible to change the encryption setting on cloud vpn? No

Is it possible to make the on-premise Cisco 5545 device work with aes-128? Yes.

Google Cloud IPSec VPN – Managing Overlapping Subnetworks

You can setup Cloud VPN tunnel to GCP even if your on-prem ip address range (10.10.0.0/16) subset is overlapping with GCP vpc ip address range (10.10.0.0/24), based on guide [https://cloud.google.com/vpn/docs/concepts/order-of-routes#routing-examples].

But if your on-prem ip address range is subset of the GCP VPC ip address range, you cannot setup VPN at this situation, so you need either change your on-prem ip address range or GCP VPC's.

Current GCP doesn’t support adding additional network interface to existing VM. It can only be done during VM creation.

Related Topic