In a nutshell, we're trying to stand up a Classic route-based IPSec tunnel between GCP VPN and Zscaler's ZEN (Zscaler Enforcement Node). Thus far we've been unable to establish a successful phase 2 handshake regardless of the IKEv1 or v2 cipher used. After looking at logs provided by Zscaler support pulled from the ZEN (remote peer), it looks like it's having trouble with the generic proposal sent by our GCP cloud VPN peer.

According to Zscaler's documentation, they support all default settings used by GCP VPN for both IKEv1 & v2 (encryption integrity, mode, hash, DH, and lifetime), although they do indicate preferential settings within their documentation. According to the response from Zscaler support, they require a separate subscription for phase 2 AES encryption. They've inquired about the possibility of us configuring the GCP cloud VPN peer to send a NULL phase 2 proposal; however, there are no specific configurable options for either cipher type within GCP classic cloud VPN.

Has anyone encountered a similar situation between Zscaler and GCP regarding IPSec negotiation, and do you have any recommendations aside from purchasing the phase 2 AES encryption service from Zscaler? Thanks in advance for any recommendations and/or insights you can provide!
Unable to establish IPSec tunnel between GCP VPN (Classic) and Zscaler ZEN (Zscaler Enforcement Node)
679 Views Asked by Christopher Landolfi At
Thanks again, John, for your insights and help! I suppose the answer was right there all along to begin with, and I simply refused to see it lol. It also led me to understand why our attempts to establish a tunnel using IKEv2 failed as well: GCP VPN sends their generic proposal, with the intention of conforming to cipher settings received from the remote peer. In situations where the remote peer utilizes a generic proposal as well, GCP VPN chooses a 'best fit' based on the hardware vendor ID sent by the remote peer. In this situation the Zscaler Enforcement Node (ZEN) remote peer responds with an unknown vendor ID, possibly due to it being their own proprietary unregistered platform. If it's not included in GCP VPN's list of known hardware vendor IDs, it explains why the GCP peer responds stating unidentified remote peer proposal.
Nonetheless, thanks again for all your help!