# Supported IKE ciphers

Google Distributed Cloud (GDC) air-gapped VPN supports the following ciphers and configuration parameters for peer VPN gateways.

Proposal order
--------------

GDC VPN can act as an initiator or a responder to IKE requests, depending on the origin of the traffic, when a new security association (SA) is needed.

When GDC VPN initiates a VPN connection, GDC VPN proposes the algorithms in the order shown in the supported cipher tables for each cipher role. The peer VPN gateway receiving the proposal selects an algorithm.

If the peer VPN gateway initiates the connection, then GDC VPN selects a cipher from the proposal by using the same order shown in the table for each cipher role.

Depending on which side is the initiator or the responder, the selected cipher can be different. For example, the selected cipher might even change over time as new security associations (SAs) are created during key rotation.

To prevent frequent changes in cipher selection, configure your peer VPN gateway to propose and accept only one cipher for each cipher role. This cipher must be supported by both GDC air-gapped VPN and your peer VPN gateway. Don't provide a list of ciphers for each cipher role. This best practice ensures that both sides of your GDC air-gapped VPN tunnel always select the same IKE cipher during IKE negotiation.
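The negotiation described above, worked through as an added example that is not GDC's or any vendor's code. The cipher names are constructed placeholders rather than entries from the supported cipher tables, and the selection rule is an assumption applied to both gateways: the responder walks its own preference list and picks the first entry the initiator offered, which is how the page describes GDC choosing from a peer's proposal. The example shows why the chosen cipher can depend on which side initiates, and why pinning the peer to one cipher per role makes the outcome the same in both directions.

```python
"""Simulate IKE cipher selection for one cipher role (for example, Phase 1 encryption).

Constructed example: the cipher names are placeholders, not entries from the GDC tables.
Selection model (an assumption applied to both gateways): the initiator offers its
preference list as the proposal, and the responder walks its OWN list and picks the
first entry that also appears in the proposal, which is how the page describes GDC
choosing from a peer's proposal.
"""
from typing import Optional, Sequence, Tuple

# Constructed preference lists. GDC_TABLE stands in for the order of a supported-cipher
# table; PEER_LIST is a peer configured with a full list in the opposite order;
# PEER_PINNED is a peer configured with a single cipher, as the page recommends.
GDC_TABLE = ["cipher-A", "cipher-B", "cipher-C"]
PEER_LIST = ["cipher-C", "cipher-B", "cipher-A"]
PEER_PINNED = ["cipher-B"]


def select_cipher(proposal: Sequence[str], responder_preference: Sequence[str]) -> Optional[str]:
    """Responder's choice: its most preferred cipher that the initiator offered.

    Returns None when there is no common cipher, which in IKEv2 ends the
    negotiation with a NO_PROPOSAL_CHOSEN notification.
    """
    offered = set(proposal)
    for cipher in responder_preference:
        if cipher in offered:
            return cipher
    return None


def selections_in_both_directions(
    gdc_table: Sequence[str], peer_config: Sequence[str]
) -> Tuple[Optional[str], Optional[str]]:
    """Return (cipher chosen when GDC initiates, cipher chosen when the peer initiates)."""
    # GDC initiates: it proposes in table order and the peer chooses.
    when_gdc_initiates = select_cipher(proposal=gdc_table, responder_preference=peer_config)
    # Peer initiates: it proposes its configured list and GDC chooses in table order.
    when_peer_initiates = select_cipher(proposal=peer_config, responder_preference=gdc_table)
    return when_gdc_initiates, when_peer_initiates


def selection_is_stable(gdc_table: Sequence[str], peer_config: Sequence[str]) -> bool:
    """True when both directions agree on one cipher, so a rekey cannot flip the choice."""
    a, b = selections_in_both_directions(gdc_table, peer_config)
    return a is not None and a == b


if __name__ == "__main__":
    for label, peer in (("peer offers a list", PEER_LIST), ("peer pinned to one cipher", PEER_PINNED)):
        gdc_first, peer_first = selections_in_both_directions(GDC_TABLE, peer)
        print(f"{label}: GDC initiates -> {gdc_first}, peer initiates -> {peer_first}, "
              f"stable={selection_is_stable(GDC_TABLE, peer)}")
```

With the full list on the peer, the two directions pick `cipher-C` and `cipher-A` respectively, so a key rotation that happens to be initiated by the other side changes the cipher. With the peer pinned to `cipher-B`, both directions pick `cipher-B`. Pinning the peer to a cipher GDC does not support is the failure case: `select_cipher` returns `None` in both directions and the tunnel never comes up, which is why the chosen cipher must appear in the GDC table.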
IKE fragmentation
-----------------

GDC VPN supports IKE fragmentation as described by the IKEv2 fragmentation protocol: <https://www.rfc-editor.org/rfc/rfc7383>.

For best results, Google recommends that you enable IKE fragmentation, if it is not already enabled, on your peer VPN gateway.

If you don't have IKE fragmentation enabled, IKE packets from GDC to the peer VPN gateway that are larger than the gateway MTU are dropped.

Some IKE messages can't be fragmented, including the following messages:

- `IKE_SA_INIT`
- `IKE_SESSION_RESUME`

For more information, see the Limitations section in <https://www.rfc-editor.org/rfc/rfc7383>.

Supported cipher tables
-----------------------

These tables list the supported algorithms for each cipher role (encryption, integrity, pseudo-random function, and Diffie-Hellman group) and the SA lifetimes for Phase 1 and Phase 2:

### Phase 1

### Phase 2

Configure IKE
-------------

You can configure IKE on your peer VPN gateway for dynamic, route-based, and policy-based routing.

GDC VPN tunnels must use IKE v2 to support IPv6 traffic.

To configure the peer VPN gateway and tunnel for IKE, use the parameters in the following table (IPsec mode, authentication protocol, shared secret, PFS, DPD, and traffic selectors):

**For IKEv1 and IKEv2**

**Additional parameters for IKEv1 only**

Last updated: 2025-09-04 (UTC)
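The IKE fragmentation rules above, modelled as an added example that is not GDC's or any vendor's code. It decides what happens to one IKE message sent from GDC to the peer gateway given the gateway MTU and whether RFC 7383 fragmentation is enabled there, and it handles the edge case the page calls out: `IKE_SA_INIT` and `IKE_SESSION_RESUME` cannot be fragmented, so an oversized one is dropped even with fragmentation on. The message sizes are constructed, and `FRAGMENT_OVERHEAD` is an assumed round figure for per-fragment framing, not a value from the RFC.

```python
"""Model what happens to one IKE message sent from GDC to a peer VPN gateway, given the
gateway MTU and whether IKEv2 fragmentation (RFC 7383) is enabled on that gateway.

Constructed example. Rules taken from the page: a message that fits the MTU is sent
as-is; an oversized message is dropped unless fragmentation is enabled; IKE_SA_INIT
and IKE_SESSION_RESUME can never be fragmented, so an oversized one is dropped even
when fragmentation is on. FRAGMENT_OVERHEAD is an assumed round figure for the IKE
header, Encrypted Fragment payload header, IV and ICV carried by every fragment, not
a value from the RFC.
"""
import math
from typing import List, Tuple

UNFRAGMENTABLE = {"IKE_SA_INIT", "IKE_SESSION_RESUME"}
FRAGMENT_OVERHEAD = 64  # assumed bytes of per-fragment framing


def plan_delivery(exchange: str, message_size: int, mtu: int,
                  fragmentation_enabled: bool) -> Tuple[str, int]:
    """Return (outcome, packets on the wire): ('sent', 1), ('fragmented', n) or ('dropped', 0)."""
    if message_size <= mtu:
        return ("sent", 1)
    if exchange in UNFRAGMENTABLE or not fragmentation_enabled:
        return ("dropped", 0)
    payload_per_fragment = mtu - FRAGMENT_OVERHEAD
    if payload_per_fragment <= 0:
        return ("dropped", 0)  # MTU too small to carry any fragment payload
    return ("fragmented", math.ceil(message_size / payload_per_fragment))


# Constructed scenarios: (exchange, message size in bytes, gateway MTU, fragmentation enabled)
SCENARIOS = [
    ("IKE_SA_INIT", 900, 1500, False),   # fits the MTU: sent unchanged
    ("IKE_AUTH", 4200, 1500, False),     # certificate-laden IKE_AUTH, fragmentation off
    ("IKE_AUTH", 4200, 1500, True),      # same message with fragmentation on
    ("IKE_SA_INIT", 1600, 1500, True),   # oversized IKE_SA_INIT: cannot be fragmented
]


def run_scenarios() -> List[Tuple[str, int]]:
    """Evaluate every constructed scenario in order."""
    return [plan_delivery(*scenario) for scenario in SCENARIOS]


if __name__ == "__main__":
    for scenario, result in zip(SCENARIOS, run_scenarios()):
        print(scenario, "->", result)
```

The third scenario is the one enabling fragmentation fixes: a 4200-byte `IKE_AUTH` becomes three fragments that each fit a 1500-byte MTU instead of being dropped. The last scenario shows the limit: an `IKE_SA_INIT` that exceeds the MTU is dropped regardless. Because `IKE_SA_INIT` carries every proposal the initiator offers, the page's recommendation to propose a single cipher per role also keeps that message small.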