I have a problem with Google Cloud Platform, specifically with the VPN we set up between a client and GCP: we are having problems at fixed intervals of about 5 hours (5 hours up, 5 hours down).
The problem is:
peer didn't accept DH group MODP_1024, it requested MODP_1024
It is usually 5 hours up, 5 hours down. https://i.stack.imgur.com/tWU66.png
Our client receives the following message: https://i.stack.imgur.com/za5xo.png
The full log entry is:
{
"textPayload": "peer didn't accept DH group MODP_1024, it requested MODP_1024",
"insertId": "1xygt3f4zil3t",
"resource": {
"type": "vpn_gateway",
"labels": {
"gateway_id": "3128708644582367778",
"project_id": "xxxxxxx-compensar",
"region": "us-west1"
}
},
"timestamp": "2017-05-26T20:47:44.780876927Z",
"severity": "DEBUG",
"logName": "projects/xxxxxxx-compensar/logs/cloud.googleapis.com%2Fipsec_events",
"receiveTimestamp": "2017-05-26T20:47:44.825563989Z"
}
The client-side configuration is: https://i.stack.imgur.com/eyMd4.png
The configuration on GCP is:
{
"creationTimestamp": "2017-02-20T08:43:58.085-08:00",
"description": "",
"forwardingRules": [
"projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp4500",
"projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp500",
"projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-esp"
],
"id": "3128708644582367778",
"kind": "compute#targetVpnGateway",
"name": "cliente-chile-vpn",
"network": "projects/xxxxxxx/global/networks/cliente-chile",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn",
"status": "READY",
"tunnels": [
"projects/xxxxxxx/regions/us-west1/vpnTunnels/cliente-chile-vpn-tunnel-1"
]
}
{
"creationTimestamp": "2017-05-24T12:46:01.059-07:00",
"description": "",
"detailedStatus": "Handshake with peer broken for unknown reason. Trying again soon.",
"id": "5377869613206363158",
"ikeVersion": 2,
"kind": "compute#vpnTunnel",
"localTrafficSelector": [
"10.110.0.0/20",
"10.100.0.0/20"
],
"name": "cliente-chile-vpn-tunnel-1",
"peerIp": "000.00.00.00",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/vpnTunnels/cliente-chile-vpn-tunnel-1",
"sharedSecret": "*************",
"sharedSecretHash": "xxxxxxxxxxxxxxxxxxxxx",
"status": "FIRST_HANDSHAKE",
"targetVpnGateway": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}
{
"creationTimestamp": "2017-02-20T08:44:05.802-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "UDP",
"id": "7352555096091566650",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-udp4500",
"portRange": "4500-4500",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp4500",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}
{
"creationTimestamp": "2017-02-20T08:44:04.428-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "UDP",
"id": "8789138583346127419",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-udp500",
"portRange": "500-500",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-udp500",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}
{
"creationTimestamp": "2017-02-20T08:44:03.043-08:00",
"description": "",
"IPAddress": "104.196.229.158",
"IPProtocol": "ESP",
"id": "2497873112390345276",
"kind": "compute#forwardingRule",
"loadBalancingScheme": "EXTERNAL",
"name": "cliente-chile-vpn-rule-esp",
"region": "projects/xxxxxxx/regions/us-west1",
"selfLink": "projects/xxxxxxx/regions/us-west1/forwardingRules/cliente-chile-vpn-rule-esp",
"target": "projects/xxxxxxx/regions/us-west1/targetVpnGateways/cliente-chile-vpn"
}
Answer 0 (score: 2)
A few things. First, looking at the client configuration, it seems the key renegotiation (rekey) parameters do not match [1]; fixing that may help with the timing of the disconnections.
I think the rejection error is because Cloud VPN is trying to establish 2 child SAs, one for each network listed: one gets established and the other seems to be rejected.
One option is to change the Cloud VPN tunnel so that the remote side is 0.0.0.0/0, and then manually set up 2 routes inside GCP for the two remote networks.
[1] https://cloud.google.com/compute/docs/vpn/advanced#supported_ike_ciphers
Answer 1 (score: 1)
Your screenshot shows two mismatches with the Cloud VPN docs: IPsec requires the configuration to match closely, so try switching to SHA-1 and make sure both ends of the VPN have the same pre-shared key.
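The two answers above boil down to two checks a practitioner would script before touching the tunnel: pull the DH-group mismatch events out of the ipsec_events log and look at their cadence (Answer 0's rekey-timing point), and intersect the two sides' proposals to see which algorithm class or lifetime has no common value (Answer 1's "match closely" point). The following is an added example and not code from either answer or from Google. The log entries are constructed copies of the entry in the question with invented timestamps spaced about 5 hours apart, and the LOCAL and PEER proposal sets are assumptions chosen to illustrate the checks, not the poster's real configuration.

```python
"""Triage helpers for Cloud VPN ipsec_events entries (added example).

The SAMPLE_ENTRIES below are constructed: the first copies the entry from the
question, the others repeat it with invented timestamps. LOCAL and PEER are
assumed proposal sets, not the configuration of either side in the question.
"""
import re
from datetime import datetime, timezone

# Matches "peer didn't accept DH group MODP_1024, it requested MODP_1024"
DH_MISMATCH = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")

GW = {"type": "vpn_gateway", "labels": {"gateway_id": "3128708644582367778"}}
MSG = "peer didn't accept DH group MODP_1024, it requested MODP_1024"

SAMPLE_ENTRIES = [  # constructed sample log
    {"textPayload": MSG, "resource": GW, "severity": "DEBUG",
     "timestamp": "2017-05-26T20:47:44.780876927Z"},
    {"textPayload": MSG, "resource": GW, "severity": "DEBUG",
     "timestamp": "2017-05-27T01:47:50.000000000Z"},
    {"textPayload": "child SA established", "resource": GW, "severity": "INFO",
     "timestamp": "2017-05-27T03:00:00.000000000Z"},  # unrelated line, must be ignored
    {"textPayload": MSG, "resource": GW, "severity": "DEBUG",
     "timestamp": "2017-05-27T06:48:01.000000000Z"},
]


def parse_timestamp(ts):
    """Cloud Logging timestamps carry nanoseconds; datetime wants at most 6 digits."""
    head, _, frac = ts.rstrip("Z").partition(".")
    if frac:
        head = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(head).replace(tzinfo=timezone.utc)


def dh_mismatches(entries):
    """Return (gateway_id, time, offered_group, requested_group) per mismatch event."""
    found = []
    for e in entries:
        m = DH_MISMATCH.search(e.get("textPayload", ""))
        if m:
            gw = e["resource"]["labels"]["gateway_id"]
            found.append((gw, parse_timestamp(e["timestamp"]), m.group(1), m.group(2)))
    return found


def hours_between(mismatches):
    """Gaps in hours between consecutive mismatch events. A steady gap that
    equals a configured SA lifetime points at a proposal mismatch at rekey time
    rather than at initial tunnel bring-up."""
    times = sorted(t for _, t, _, _ in mismatches)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]


def negotiate(local, peer):
    """Intersect two proposal sets the way IKEv2 must: each algorithm class needs
    at least one common choice (taken in local preference order). IKEv2 does not
    negotiate lifetimes, so a lifetime mismatch only shows up as one side
    initiating rekeys the other did not expect; it is flagged here as well."""
    chosen, problems = {}, []
    for cls in ("encryption", "integrity", "dh"):
        common = [a for a in local[cls] if a in peer[cls]]
        if common:
            chosen[cls] = common[0]
        else:
            problems.append(f"no common {cls}: local {local[cls]} vs peer {peer[cls]}")
    for lt in ("ike_lifetime_s", "child_lifetime_s"):
        if local[lt] != peer[lt]:
            problems.append(f"{lt} differs: local {local[lt]} vs peer {peer[lt]}")
    return chosen, problems


# Assumed proposal sets: same DH group available on both sides, but only SHA-1
# integrity in common and different child SA lifetimes.
LOCAL = {"encryption": ["AES_CBC_256"], "integrity": ["HMAC_SHA2_256_128", "HMAC_SHA1_96"],
         "dh": ["MODP_2048", "MODP_1024"], "ike_lifetime_s": 36000, "child_lifetime_s": 10800}
PEER = {"encryption": ["AES_CBC_256"], "integrity": ["HMAC_SHA1_96"],
        "dh": ["MODP_1024"], "ike_lifetime_s": 36000, "child_lifetime_s": 3600}


if __name__ == "__main__":
    events = dh_mismatches(SAMPLE_ENTRIES)
    for gw, t, offered, requested in events:
        print(f"{t.isoformat()} gateway {gw}: offered {offered}, peer requested {requested}")
    print("hours between mismatches:", hours_between(events))
    chosen, problems = negotiate(LOCAL, PEER)
    print("negotiated:", chosen)
    for p in problems:
        print("problem:", p)
```

Feed `dh_mismatches` the entries exported from the `cloud.googleapis.com/ipsec_events` log (each Cloud Logging entry is a JSON object with the same `textPayload`, `resource` and `timestamp` fields as the one in the question); if the gaps reported by `hours_between` line up with one side's SA lifetime, compare that side's rekey settings first. For `negotiate`, fill LOCAL and PEER from the Cloud VPN supported-cipher list and the client device's proposal, and treat any entry in `problems` as something to fix before retesting.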