gcloud vpn tunnel log complains that "MAC mismatched". How to fix?

vpn google-cloud-platform google-cloud-vpn

Cloud VPN only supports one-to-one NAT via UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single external IP address.Details can be found UDP encapsulation

When using one-to-one NAT, your on-premises VPN gateway must identify itself using the same external IP address of the NAT device:

The identity type must be ID_IPV4_ADDR (RFC 7815).

Not all Cisco devices support setting a device identity to an IP address different from the one the device is using (its internal address). For example, Cisco ASA devices do not support assignment of different (external) IP addresses for their identities. Thus, Cisco ASA devices cannot be configured to use one-to-one NAT with Cloud VPN.

For Juniper devices, you can set the identity of the device using set security ike gateway [NAME] local-identity inet [PUBLIC_IP] where [NAME] is your VPN gateway name and [PUBLIC_IP] is your external IP address. Refer to this Juniper TechLibrary article for more detail.

Additionally, I have noticed following in the log you have shared

D 2020-07-26T13:46:23.854285679Z generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) ]
D 2020-07-26T13:46:23.866158710Z parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

As per the information discussed above the solution for this issue is to configure the on-prem VPN gateway to identify itself using its public IP address, not with the internal or any other address. As GCP end will only expecting reply from peer IP configured in GCP Cloud VPN configuration.


Got the same error when trying to connect two GCP VPC via HA VPN Tunnels and the cause was that I was not providing the same shared key in the wizard.

When creating the tunnels, the wizard suggests a shared secret and, instead of adding the same one in both, I got the same error as you. Providing a consistent secret made the error dissapear.

Related

Linux host randomly stops answering ipv6 neighbor solicitation requests
Can i use google cloud as a hosting platform for my web and webmail [closed]
No certificate templates in Certificate Services server on Windows 2019
Wsl ubuntu virtualhost and hosts file on windows
Are Dell parts compatible with non-Dell hardware? [closed]
how to configure the number of processes BIND uses?
MySQL slow queries log
Antenna connection 3G modems [closed]
reverse proxy http to tomcat
CentOS yum *.rpm package changelog (not installation changelog)
How to inject javascript into Chrome DevTools itself
socket.io and express 4 sessions