Unable to establish IPSec tunnel between GCP VPN (Classic) and Zscaler ZEN (Zscaler Enforcement Node)

718 views. Asked by Christopher Landolfi. 1 answer.

In a nutshell, we're trying to stand up a Classic route-based IPSec tunnel between GCP VPN and Zscaler's ZEN (Zscaler Enforcement Node). Thus far we've been unable to establish a successful phase 2 handshake regardless of the IKEv1 or v2 cipher used.

After looking at logs provided by Zscaler support, pulled from the ZEN (remote peer), it looks like it's having trouble with the generic proposal sent by our GCP cloud VPN peer. According to Zscaler's documentation, they support all default settings used by GCP VPN for both IKEv1 and v2 (encryption, integrity, mode, hash, DH, and lifetime), although they do indicate preferential settings within their documentation.

According to the response from Zscaler support, they require a separate subscription for phase 2 AES encryption. They've inquired about the possibility of us configuring the GCP cloud VPN peer to send a NULL phase 2 proposal; however, there are no specific configurable options for either cipher type within GCP Classic cloud VPN.

Has anyone encountered a similar situation between Zscaler and GCP regarding IPSec negotiation, and do you have any recommendations aside from purchasing the phase 2 AES encryption service from Zscaler? Thanks in advance for any recommendations and/or insights you can provide!
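The negotiation failure described in the question is a proposal-matching problem: the initiator sends one "generic" Child SA proposal carrying several encryption and integrity transforms, and the responder has to pick exactly one transform of each type that its own policy allows, or answer NO_PROPOSAL_CHOSEN. The following is an added example (not code from the original post, from GCP or from Zscaler) that models that selection step after RFC 7296 section 2.7 in plain Python. The proposals and the two responder policies are constructed for illustration: RESPONDER_NULL_ONLY stands in for a peer whose policy permits only NULL-encryption ESP, and NULL_ESP is the extra proposal an initiator would have to send for such a peer to pick anything.

```python
"""IKEv2-style Child SA proposal selection, modelled after RFC 7296 section 2.7.

Added example, not code from the original post, from GCP or from Zscaler.
All proposals below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IKEv2 transform type numbers from the IANA registry (ENCR, INTEG, ESN).
ENCR, INTEG, ESN = 1, 3, 5


@dataclass(frozen=True)
class Transform:
    ttype: int
    tid: str                       # IANA transform name, e.g. "ENCR_AES_CBC"
    keylen: Optional[int] = None   # Key Length attribute (ENCR only)


@dataclass
class Proposal:
    num: int
    protocol: str                  # "ESP" or "IKE"
    transforms: List[Transform]    # in order of preference, grouped by type

    def by_type(self) -> Dict[int, List[Transform]]:
        out: Dict[int, List[Transform]] = {}
        for t in self.transforms:
            out.setdefault(t.ttype, []).append(t)
        return out

    def describe(self) -> str:
        names = [f"{t.tid}-{t.keylen}" if t.keylen else t.tid for t in self.transforms]
        return f"{self.protocol} proposal {self.num}: " + " / ".join(names)


def select_proposal(responder_policy: List[Proposal],
                    initiator_sa: List[Proposal]) -> Optional[Proposal]:
    """Return the responder's answer to an initiator SA payload.

    Walks the initiator's proposals in the order offered and, within each one,
    takes the first transform of every type that the responder's policy also
    lists. A proposal is usable only if it carries exactly the transform types
    the responder expects, because the responder must return one transform of
    each offered type. None means NO_PROPOSAL_CHOSEN on the wire.
    """
    for offered in initiator_sa:
        offered_by_type = offered.by_type()
        for policy in responder_policy:
            if policy.protocol != offered.protocol:
                continue
            if set(policy.by_type()) != set(offered_by_type):
                continue
            chosen: List[Transform] = []
            for candidates in offered_by_type.values():
                match = next((t for t in candidates if t in policy.transforms), None)
                if match is None:
                    break
                chosen.append(match)
            else:
                return Proposal(offered.num, offered.protocol, chosen)
    return None


# Constructed initiator SA: one "generic" ESP proposal offering several
# encryption and integrity transforms, all AES or 3DES, none NULL.
GENERIC_ESP = Proposal(1, "ESP", [
    Transform(ENCR, "ENCR_AES_CBC", 256),
    Transform(ENCR, "ENCR_AES_CBC", 128),
    Transform(ENCR, "ENCR_3DES"),
    Transform(INTEG, "AUTH_HMAC_SHA2_256_128"),
    Transform(INTEG, "AUTH_HMAC_SHA1_96"),
    Transform(ESN, "NO_ESN"),
])

# A second proposal an initiator could add if it were willing to run ESP
# with NULL encryption (integrity only, payload in the clear).
NULL_ESP = Proposal(2, "ESP", [
    Transform(ENCR, "ENCR_NULL"),
    Transform(INTEG, "AUTH_HMAC_SHA2_256_128"),
    Transform(ESN, "NO_ESN"),
])

# Constructed responder policy that accepts AES ESP.
RESPONDER_ACCEPTS_AES = [Proposal(1, "ESP", [
    Transform(ENCR, "ENCR_AES_CBC", 256),
    Transform(ENCR, "ENCR_AES_CBC", 128),
    Transform(INTEG, "AUTH_HMAC_SHA2_256_128"),
    Transform(INTEG, "AUTH_HMAC_SHA1_96"),
    Transform(ESN, "NO_ESN"),
])]

# Constructed responder policy that allows only NULL-encryption ESP.
RESPONDER_NULL_ONLY = [Proposal(1, "ESP", [
    Transform(ENCR, "ENCR_NULL"),
    Transform(INTEG, "AUTH_HMAC_SHA2_256_128"),
    Transform(INTEG, "AUTH_HMAC_SHA1_96"),
    Transform(ESN, "NO_ESN"),
])]


if __name__ == "__main__":
    for label, policy, sa in [
        ("AES responder, generic offer", RESPONDER_ACCEPTS_AES, [GENERIC_ESP]),
        ("NULL-only responder, generic offer", RESPONDER_NULL_ONLY, [GENERIC_ESP]),
        ("NULL-only responder, generic + NULL", RESPONDER_NULL_ONLY, [GENERIC_ESP, NULL_ESP]),
    ]:
        chosen = select_proposal(policy, sa)
        print(f"{label}: {chosen.describe() if chosen else 'NO_PROPOSAL_CHOSEN'}")
```

Two things worth taking from the run. First, the AES-accepting responder picks the first acceptable transform of each type, so the initiator's ordering (AES-256 before AES-128) decides the result; a "generic" proposal is only a problem for a responder whose policy shares no transform with it. Second, the NULL-only responder selects nothing from the generic offer and only matches once a separate ENCR_NULL proposal is present, which is what the Zscaler request in the question amounts to. ENCR_NULL (RFC 2410) gives the tunnel integrity and anti-replay but no confidentiality, so traffic between the two peers would cross the Internet readable to anyone on the path; that trade-off belongs in the decision alongside the subscription cost.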
Thanks again John for your insights and help! I suppose the answer was right there all along, and I simply refused to see it lol. It also led me to understand why our attempts to establish a tunnel using IKEv2 failed as well: GCP VPN sends its generic proposal with the intention of conforming to the cipher settings received from the remote peer. In situations where the remote peer uses a generic proposal as well, GCP VPN chooses a "best fit" based on the hardware vendor ID sent by the remote peer. In this situation the Zscaler Enforcement Node (ZEN) remote peer responds with an unknown vendor ID, possibly because it is their own proprietary, unregistered platform. If it's not included in GCP VPN's list of known hardware vendor IDs, that explains why the GCP peer responds stating an unidentified remote peer proposal.

Nonetheless, thanks again for all your help!