IPSec Tunnel help with GCP to ZScaler

In a nutshell, we’re trying to stand up a Classic route based IPSec tunnel between GCP VPN and Zscaler’s ZEN (Zscaler Enforcement Node). Thus far we’ve been unable to establish successful phase 2 handshake regardless of IKEv1 or v2 cipher used. After looking at logs provided by Zscaler support pulled from the ZEN (remote peer), it looks like it’s having trouble with the generic proposal sent by our GCP cloud VPN peer. According to Zscaler’s documentation; they support all default settings used by GCP VPN for both IKEv1 & v2 (encryption integrity, mode, hash, DH, and lifetime), although they do indicate preferential settings within their documentation. According to the response from Zscaler support, they require a separate subscription for phase 2 AES encryption. They’ve inquired about the possibility of us configuring the GCP cloud VPN peer to send a NULL phase 2 proposal, however there are no specific configurable options for either cipher type within GCP classic cloud VPN. Has anyone encountered a similar situation between Zscaler and GCP regarding IPSec negotiation, and do you have any recommendations aside from purchasing the phase 2 AES encryption service from Zscaler? Thanks in advance for any recommendations and/or insights you can provide!

Hi Chris - If GCP doesn’t support encrypted phase 2 and your only option is null without the encrypted IPSEC add-on, I don’t see any Zscaler or GCP configuration alternative. You could use a third-party option like Maidenhead (https://www.maidenheadbridge.com/), that may support the encrypted phase 2 setup to GCP, but that may end up a higher cost than just tacking on the encrypted tunnel subscription to your ZIA subscription. I’d suggest the going with the encryption add-on or going with GRE if that’s supported by GCP VPN.

So just out of curiosity, why Zscaler to GCP VPN in the first place as opposed to just using Zscaler Private Access to get to applications in GCP? If you already have ZIA, the Zscaler Client Connector is included, the whole issue of building static tunnels to GCP is alleviated, and you no longer expose the access to the world like the classic VPN does. If it’s clients in GCP that need protection, why not a Service Edge VM in GCP and not need the IPSEC tunnel to ZEN.