
We have a classic VPN setup for one of our customers. The tunnel is located in europe-west1. It was created in January and all went smoothly until last week.

Since last week, we have been seeing a progressive degradation of the VPN connection. Looking at the logs, the cause seems to be a proposal mismatch in CHILD SA (phase 2), but it comes with no information about which parameter doesn't match.

According to the logs, the parameters check reports the following:

Cloud VPN has 1 proposals. Peer has 1 proposals.
Cloud VPN proposal #1 vs Peer proposal #1 :
Match parameters:
ENCRYPTION_ALGORITHM : ESP:AES_GCM_16_256
EXTENDED_SEQUENCE_NUMBERS : ESP:NO_EXT_SEQ
PFS : ESP:MODP_1024
Mismatch parameters:
<some empty lines>

Do you have any idea on how to figure out the problem? Thanks!

Davide Cui

1 Answer


As per the logs you shared, it looks like Cloud VPN has accepted 1 proposal.

To locate the issue, you can follow the below steps:

  1. Check the logs to see whether the VPN has the warning 'The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2)'.

  2. If you are getting this warning, then the next step would be to check the peer logs with the keyword 'NO_PROPOSAL_CHOSEN'.

If you are getting 'NO_PROPOSAL_CHOSEN' in the logs, it means Cloud VPN and your peer VPN gateway are unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. Make sure that you use supported ciphers to configure your peer VPN gateway. Refer to the supported IKE ciphers document [1] to know more about it.

Also note that, by default, Cloud VPN negotiates a replacement security association (SA) before the existing one expires (also known as rekeying). Your peer VPN gateway might not be rekeying. Instead, it might negotiate a new SA only after deleting the existing SA, causing interruptions [2]. If the connection drops and then re-establishes right after a ‘Received SA_DELETE’ log message, your on-premises gateway didn't rekey.

[1] https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers

[2] https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#tunnel_regularly_goes_down_for_a_few_seconds
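As an added example (not part of the original answer and not Google's tooling), the script below applies the answer's checklist to the proposal-comparison block quoted in the question: it parses the Match/Mismatch sections, looks for the NO_PROPOSAL_CHOSEN keyword on the peer side, and flags a reconnect right after 'Received SA_DELETE' as a non-rekeying peer. The Cloud VPN warning text follows the answer; the peer-side line and the "Tunnel established" line are constructed placeholders.

```python
# Constructed sample input: the proposal-comparison block from the question,
# plus Cloud VPN and peer-side lines of the kind the answer says to look for.
# "Tunnel established" and the peer line are assumed wording, not real output.
CLOUD_VPN_LOG = """\
The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2)
Cloud VPN has 1 proposals. Peer has 1 proposals.
Cloud VPN proposal #1 vs Peer proposal #1 :
Match parameters:
ENCRYPTION_ALGORITHM : ESP:AES_GCM_16_256
EXTENDED_SEQUENCE_NUMBERS : ESP:NO_EXT_SEQ
PFS : ESP:MODP_1024
Mismatch parameters:

Received SA_DELETE
Tunnel established
"""
PEER_LOG = "peer: received NO_PROPOSAL_CHOSEN notify for CHILD_SA\n"

def parse_proposal_comparison(text):
    """Split a 'Cloud VPN proposal #N vs Peer proposal #M' block into the
    parameters under 'Match parameters:' and 'Mismatch parameters:'."""
    sections = {"match": {}, "mismatch": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Match parameters:":
            current = "match"
        elif line == "Mismatch parameters:":
            current = "mismatch"
        elif current and " : " in line:
            key, _, value = line.partition(" : ")
            sections[current][key] = value
    return sections

def triage(cloud_vpn_log, peer_log):
    """Return finding codes following the answer's checklist, in order."""
    findings = []
    cmp = parse_proposal_comparison(cloud_vpn_log)
    if "Proposal mismatch in CHILD SA" in cloud_vpn_log:
        # Cloud VPN names the mismatching parameters only when it has them.
        findings.append("CHILD_SA_MISMATCH:" + (",".join(cmp["mismatch"]) or "UNSPECIFIED"))
    if "NO_PROPOSAL_CHOSEN" in peer_log:
        findings.append("NO_PROPOSAL_CHOSEN")  # cipher sets do not agree
    lines = cloud_vpn_log.splitlines()
    for prev, nxt in zip(lines, lines[1:]):
        # A reconnect right after SA_DELETE means the peer did not rekey.
        if "Received SA_DELETE" in prev and "established" in nxt:
            findings.append("PEER_NOT_REKEYING")
            break
    return findings
```

With an unspecified mismatch the practical next step is to compare the full cipher sets on both sides against the supported-ciphers document, since the parser can only report what the gateway logged.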