peer didn't accept DH group MODP_2048, it requested MODP_1024


Bima Janur

May 2, 2019, 1:21:27 PM
to gce-discussion
Hi, hope somebody can help me, I am trying to set up a VPN between Google Cloud VPN and Palo Alto. Any help will be appreciated. Here is my log:
 
D  remote host is behind NAT 
D  authentication of '35.xxx.xxx.xxx' (myself) with pre-shared key 
I  establishing CHILD_SA vpn_103.xxx.xxx.xxx 
D  generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ] 
D  sending packet: from 35.xxx.xxx.xxx[4500] to 103.xxx.xxx.xxx[4500] (416 bytes) 
D  received packet: from 103.xxx.xxx.xxx[4500] to 35.xxx.xxx.xxx[4500] (80 bytes) 
D  parsed IKE_AUTH response 1 [ N(NO_PROP) ] 
D  IDr payload missing 
D  generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] 
D  sending packet: from 35.xxx.xxx.xxx[4500] to 103.xxx.xxx.xxx[4500] (80 bytes) 
D  creating acquire job for policy with reqid {1} 
I  initiating IKE_SA vpn_103.xxx.xxx.xxx[159] to 103.xxx.xxx.xxx 
D  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] 
D  sending packet: from 35.xxx.xxx.xxx[500] to 103.xxx.xxx.xxx[500] (892 bytes) 
D  received packet: from 103.xxx.xxx.xxx[500] to 35.xxx.xxx.xxx[500] (38 bytes) 
D  parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] 
D  peer didn't accept DH group MODP_2048, it requested MODP_1024 
I  initiating IKE_SA vpn_103.xxx.xxx.xxx[159] to 103.xxx.xxx.xxx 
D  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] 
D  sending packet: from 35.xxx.xxx.xxx[500] to 103.xxx.xxx.xxx[500] (764 bytes) 
D  received packet: from 103.xxx.xxx.xxx[500] to 35.xxx.xxx.xxx[500] (304 bytes) 
D  parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
D  remote host is behind NAT 
 
I noticed the error: "peer didn't accept DH group MODP_2048, it requested MODP_1024"
My peer device (Palo Alto) has Group 2 (MODP_1024). My question is, how do I set the DH group in GCP to Group 2 (MODP_1024)?

Germán (Google Cloud Support)

May 9, 2019, 3:50:28 PM
to gce-discussion
Hello,

The error you are receiving, 'peer didn't accept DH group MODP_2048, it requested MODP_1024', means that your peer refused our proposal to use DH group 14 and requested group 2 instead, which we then use in the proposal, but we do not get a response after 5 attempts.

The next step is to check in your gateway logs whether your side is seeing the attempts with DH group 2 for the IKE negotiation.

For Palo Alto devices, you may follow the guide at [1] for configuration.

[1] https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithPaloAltoNetworksPA-3020.pdf
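To make the fallback described in the question and in the support reply visible as data rather than as a wall of log lines, here is an added Python example; it is not code from the thread, from Google Cloud or from strongSwan. It reads charon-style IKEv2 messages of the kind quoted above (the line patterns, the MODP group table, and the 2048-bit policy floor are assumptions of the example), reports which DH group the initiator proposed and which one the peer insisted on, flags a fallback that lands below the floor (1024-bit MODP, IKE group 2, is well below current guidance), counts the IKE_SA_INIT attempts the support reply asks you to look for, and records whether the retry with the weaker group actually received an SA response. Run over the log from the question it shows the fallback to MODP_1024 succeeding at the IKE_SA_INIT stage, i.e. the negotiation did continue on the weaker group.

```python
"""Spot IKEv2 DH-group fallback in strongSwan/charon-style log lines (added example)."""
import re
from typing import Dict, List, Optional

# Constructed copy of the charon lines quoted in the question above (addresses already masked there).
SAMPLE_LOG: List[str] = [
    "D  parsed IKE_AUTH response 1 [ N(NO_PROP) ]",
    "D  creating acquire job for policy with reqid {1}",
    "I  initiating IKE_SA vpn_103.xxx.xxx.xxx[159] to 103.xxx.xxx.xxx",
    "D  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]",
    "D  received packet: from 103.xxx.xxx.xxx[500] to 35.xxx.xxx.xxx[500] (38 bytes)",
    "D  parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]",
    "D  peer didn't accept DH group MODP_2048, it requested MODP_1024",
    "I  initiating IKE_SA vpn_103.xxx.xxx.xxx[159] to 103.xxx.xxx.xxx",
    "D  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]",
    "D  received packet: from 103.xxx.xxx.xxx[500] to 35.xxx.xxx.xxx[500] (304 bytes)",
    "D  parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "D  remote host is behind NAT",
]

# strongSwan group name -> (IANA IKE group number, modulus size in bits), RFC 2409 / RFC 3526 sizes.
DH_GROUPS: Dict[str, tuple] = {
    "MODP_1024": (2, 1024),
    "MODP_1536": (5, 1536),
    "MODP_2048": (14, 2048),
    "MODP_3072": (15, 3072),
    "MODP_4096": (16, 4096),
}

MIN_MODP_BITS = 2048  # assumed policy floor for this analyser; adjust to your own standard

FALLBACK_RE = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
INVAL_KE_RE = re.compile(r"parsed IKE_SA_INIT response \d+ \[ N\(INVAL_KE\) \]")
INIT_RE = re.compile(r"initiating IKE_SA (\S+) to (\S+)")
SA_RESPONSE_RE = re.compile(r"parsed IKE_SA_INIT response \d+ \[ SA KE No")


def analyse(lines: List[str]) -> Dict[str, Optional[object]]:
    """Walk the log once and summarise the DH-group negotiation it records."""
    result: Dict[str, Optional[object]] = {
        "proposed": None,              # group we offered first
        "requested": None,             # group the peer answered INVAL_KE with
        "requested_group_no": None,    # IANA group number of that fallback
        "requested_bits": None,        # modulus size of that fallback
        "below_policy": False,         # fallback weaker than MIN_MODP_BITS (or unknown)
        "ike_sa_init_attempts": 0,     # "initiating IKE_SA" lines seen
        "inval_ke_responses": 0,       # INVAL_KE notifies seen
        "sa_response_after_fallback": False,  # peer answered the retry with a real SA payload
    }
    seen_fallback = False
    for line in lines:
        if INIT_RE.search(line):
            result["ike_sa_init_attempts"] += 1  # type: ignore[operator]
        if INVAL_KE_RE.search(line):
            result["inval_ke_responses"] += 1  # type: ignore[operator]
        m = FALLBACK_RE.search(line)
        if m:
            proposed, requested = m.groups()
            result["proposed"], result["requested"] = proposed, requested
            group = DH_GROUPS.get(requested)
            if group is None:
                # Unknown group name: fail closed and treat it as not meeting policy.
                result["below_policy"] = True
            else:
                result["requested_group_no"], result["requested_bits"] = group
                result["below_policy"] = group[1] < MIN_MODP_BITS
            seen_fallback = True
        elif seen_fallback and SA_RESPONSE_RE.search(line):
            result["sa_response_after_fallback"] = True
    return result


def summarise(result: Dict[str, Optional[object]]) -> str:
    """One-line human summary, e.g. for a ticket or an alert body."""
    if result["proposed"] is None:
        return "no DH group fallback recorded"
    verdict = "BELOW policy floor" if result["below_policy"] else "within policy"
    return (
        f"peer rejected {result['proposed']} and required {result['requested']} "
        f"(group {result['requested_group_no']}, {result['requested_bits']} bits, {verdict}); "
        f"{result['ike_sa_init_attempts']} IKE_SA_INIT attempts, "
        f"{result['inval_ke_responses']} INVAL_KE; "
        f"SA response after fallback: {result['sa_response_after_fallback']}"
    )


if __name__ == "__main__":
    print(summarise(analyse(SAMPLE_LOG)))
```

The useful output is not just "it negotiated": `below_policy` tells you the tunnel will only come up on a 1024-bit group, which is the decision point for whether to change the Palo Alto side to group 14 rather than weaken the cloud side, and `ike_sa_init_attempts` against `sa_response_after_fallback` is exactly the check the support reply asks for, since a gateway that never answers the group-2 retries would show attempts with no SA response.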