Cloud VPN & Huawei Firewall - Connection terminates after phase one

Hi everyone,

I have the below situation with a classic VPN tunnel:

I have a VPN tunnel with a Huawei Firewall, using the Cloud VPN service.

The peer is able to establish phase 1 connection but would not proceed to phase 2.

Which DH group and encryption does the Classic VPN tunnel support, and is there any mismatch in the config?

Below is the log with the error:

DEBUG 2023-10-19T14:27:37.767838798Z sending packet: from xx.90.xxx.214[500] to 41.xxx.16.xxx[500] (76 bytes)
DEBUG 2023-10-19T14:27:40.581971465Z creating acquire job for policy with reqid {1}
NOTICE 2023-10-19T14:27:40.582115706Z establishing CHILD_SA vpn_41.xxx.16.xxx{3077} reqid 1
DEBUG 2023-10-19T14:27:40.587696505Z generating CREATE_CHILD_SA request 44 [ SA No KE TSi TSr ]
DEBUG 2023-10-19T14:27:40.588592265Z sending packet: from xx.90.xxx.214[500] to 41.xxx.16.xxx[500] (812 bytes)
DEBUG 2023-10-19T14:27:40.694002898Z received packet: from 41.xxx.16.xxx[500] to xx.90.166.xxx[500] (76 bytes)
DEBUG 2023-10-19T14:27:40.694082781Z parsed CREATE_CHILD_SA response 44 [ N(TS_UNACCEPT) ]
DEBUG 2023-10-19T14:27:40.694105244Z received TS_UNACCEPTABLE notify, no CHILD_SA built
DEBUG 2023-10-19T14:27:40.694109465Z failed to establish CHILD_SA, keeping IKE_SA

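The log above ends with a CREATE_CHILD_SA response carrying an N(TS_UNACCEPT) notify. As an added example (not from the original post or from Cloud VPN), the script below parses log lines in that format and maps the IKEv2 notify type to the configuration area to check first; TS_UNACCEPT is the one shown on this page, and the other abbreviations (NO_PROP, INVAL_KE, AUTH_FAILED) are assumed to follow strongSwan's short notify names. The sample lines are constructed with placeholder timestamps.

```python
import re

# Constructed sample in the same format as the Cloud VPN log in the post
# (timestamps and message IDs are placeholders, not values from a live tunnel).
SAMPLE_LOG = """\
DEBUG 2023-10-19T14:27:40.587696505Z generating CREATE_CHILD_SA request 44 [ SA No KE TSi TSr ]
DEBUG 2023-10-19T14:27:40.694082781Z parsed CREATE_CHILD_SA response 44 [ N(TS_UNACCEPT) ]
DEBUG 2023-10-19T14:27:40.694109465Z failed to establish CHILD_SA, keeping IKE_SA
DEBUG 2023-10-19T14:28:10.100000000Z parsed CREATE_CHILD_SA response 45 [ N(NO_PROP) ]
"""

# IKEv2 notify types (RFC 7296) as strongSwan abbreviates them inside "N(...)",
# mapped to what a defender should compare on both ends of the tunnel.
NOTIFY_HINTS = {
    "TS_UNACCEPT": "traffic selector mismatch: local/remote IP ranges (TSi/TSr) differ from the peer policy",
    "NO_PROP": "proposal mismatch: no common encryption, integrity or DH group for this SA",
    "INVAL_KE": "DH group mismatch: peer requires a different key exchange group",
    "AUTH_FAILED": "authentication failed: pre-shared key or peer identity mismatch",
}

# Only "parsed ... response" lines carry the peer's answer; requests are ignored.
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\S+)\s+parsed\s+(?P<exchange>\w+)\s+response\s+"
    r"(?P<mid>\d+)\s+\[(?P<payloads>[^\]]*)\]"
)
NOTIFY_RE = re.compile(r"N\((\w+)\)")


def diagnose(log_text):
    """Return one finding per IKEv2 response line that carries a notify payload."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for notify in NOTIFY_RE.findall(m.group("payloads")):
            findings.append({
                "time": m.group("ts"),
                "exchange": m.group("exchange"),
                "message_id": int(m.group("mid")),
                "notify": notify,
                "hint": NOTIFY_HINTS.get(notify, "unrecognised notify; see RFC 7296 section 3.10.1"),
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['time']} {f['exchange']} #{f['message_id']} {f['notify']}: {f['hint']}")
```

Run against the Cloud VPN tunnel log export instead of SAMPLE_LOG to separate traffic selector problems from cipher or DH problems before touching either peer's configuration.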

Hi,

Based on the logs, the “failed to establish CHILD_SA, keeping IKE_SA” error message points to an algorithm mismatch. I believe what you have posted are the logs from your Huawei environment. I suggest it would be better if you post the logs from your GCP logs, since this is a Google Community where most of the users are more knowledgeable in Google services.

Since I suspect that it was an algorithm mismatch, most probably the log you can get in your GCP environment is “establishing IKE_SA failed, peer not responding”. To resolve this concern, please check the supported IKE ciphers for Cloud VPN. Make sure that you configure the Huawei VPN IKE ciphers so that they are compatible with the supported IKE ciphers of Cloud VPN.

Please note that you cannot modify the IKE ciphers of Cloud VPN.

[1] https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers


Hello,

Thank you for your response.

The log I posted was from the GCP logs, and the configuration as suggested on the Huawei Firewall could not work with an IP range, hence I was getting an IP mismatch in the status.

This was adjusted and the VPN connection is now established.

However, I am unable to ping/telnet the host at the other site's end.
