gcloud vpn tunnel log complains that "MAC mismatched". How to fix?

Cloud VPN only supports one-to-one NAT via UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single external IP address. Details can be found under UDP encapsulation.

When using one-to-one NAT, your on-premises VPN gateway must identify itself using the same external IP address as the NAT device:

The identity type must be ID_IPV4_ADDR (RFC 7815).

Not all Cisco devices support setting a device identity to an IP address different from the one the device is using (its internal address). For example, Cisco ASA devices do not support assignment of different (external) IP addresses for their identities. Thus, Cisco ASA devices cannot be configured to use one-to-one NAT with Cloud VPN.

For Juniper devices, you can set the identity of the device using set security ike gateway [NAME] local-identity inet [PUBLIC_IP] where [NAME] is your VPN gateway name and [PUBLIC_IP] is your external IP address. Refer to this Juniper TechLibrary article for more detail.

Additionally, I have noticed the following in the log you have shared:

D 2020-07-26T13:46:23.854285679Z generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) ]
D 2020-07-26T13:46:23.866158710Z parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

As per the information discussed above, the solution for this issue is to configure the on-prem VPN gateway to identify itself using its public IP address, not the internal or any other address, as the GCP end will only expect a reply from the peer IP configured in the GCP Cloud VPN configuration.
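The answer above gives the Juniper command; the equivalent for a strongSwan on-prem gateway is shown here as an added example (not part of the original answer, and not Google's or strongSwan's own documentation). It assumes the gateway binds to an internal address 10.1.1.5 behind a one-to-one NAT whose public address is 203.0.113.10, and a Cloud VPN gateway at 198.51.100.20; all addresses are RFC 5737 documentation ranges chosen for the example, and the connection name, subnets and cipher strings are assumptions.

```ini
# /etc/ipsec.conf  (strongSwan, on-prem side behind one-to-one NAT)
# Example configuration; addresses, subnets and names are assumptions.

config setup
    charondebug="ike 2, cfg 2"

conn gcp-cloud-vpn
    keyexchange=ikev2
    authby=psk

    # Address the gateway actually binds to (internal, behind the NAT).
    left=10.1.1.5
    # Identity carried in the IDi payload. It must be the NAT device's
    # external address, i.e. the "peer IP" configured on the Cloud VPN
    # tunnel. If this line is omitted strongSwan defaults leftid to the
    # value of `left` (10.1.1.5), Cloud VPN sees an identity that does
    # not match its configured peer, and the IKE_AUTH exchange fails.
    leftid=203.0.113.10
    leftsubnet=10.1.0.0/16

    # Cloud VPN gateway external address and the VPC range behind it.
    right=198.51.100.20
    rightid=198.51.100.20
    rightsubnet=10.128.0.0/20

    # IKEv2 and ESP proposals from Cloud VPN's supported cipher list
    # (AES-256-GCM, SHA-256 PRF, DH group 14); pick others as needed.
    ike=aes256gcm16-sha256-modp2048!
    esp=aes256gcm16-modp2048!
    ikelifetime=36000s
    lifetime=10800s

    # NAT-T (UDP 4500) is negotiated automatically once strongSwan
    # detects the NAT; nothing extra is needed for one-to-one NAT.
    dpdaction=restart
    auto=start

# /etc/ipsec.secrets
# The PSK selector uses the same public identity, and the secret must be
# the one set with --shared-secret on the Cloud VPN tunnel.
203.0.113.10 198.51.100.20 : PSK "replace-with-the-tunnel-shared-secret"
```

Before reloading, confirm that the address in `leftid` is exactly what Cloud VPN has on record for the tunnel, for example with `gcloud compute vpn-tunnels describe TUNNEL --region REGION --format='value(peerIp)'`; a plain dotted-quad `leftid` is sent as ID_IPV4_ADDR, which is the identity type the Cloud VPN requirement quoted above calls for.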


I got the same error when trying to connect two GCP VPCs via HA VPN tunnels, and the cause was that I was not providing the same shared key in the wizard.

When creating the tunnels, the wizard suggests a shared secret; by not adding the same one to both, I got the same error as you. Providing a consistent secret made the error disappear.