
Unable to establish IPSec tunnel between GCP VPN (Classic) and Zscaler ZEN (Zscaler Enforcement Node)

In a nutshell, we're trying to stand up a Classic route-based IPSec tunnel between GCP VPN and Zscaler's ZEN (Zscaler Enforcement Node). Thus far we've been unable to establish a successful phase 2 handshake regardless of the IKEv1 or v2 cipher used. After looking at logs provided by Zscaler support pulled from the ZEN (remote peer), it looks like it's having trouble with the generic proposal sent by our GCP cloud VPN peer. According to Zscaler's documentation, they support all default settings used by GCP VPN for both IKEv1 & v2 (encryption, integrity, mode, hash, DH, and lifetime), although they do indicate preferential settings within their documentation. According to the response from Zscaler support, they require a separate subscription for phase 2 AES encryption. They've inquired about the possibility of us configuring the GCP cloud VPN peer to send a NULL phase 2 proposal; however, there are no specific configurable options for either cipher type within GCP Classic cloud VPN. Has anyone encountered a similar situation between Zscaler and GCP regarding IPSec negotiation, and do you have any recommendations aside from purchasing the phase 2 AES encryption service from Zscaler? Thanks in advance for any recommendations and/or insights you can provide!
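As an added illustration (not from the post, GCP or Zscaler) of why phase 1 can complete while phase 2 never does: a small model of IKEv2 proposal selection per RFC 7296 section 3.3, run against constructed transform sets in which the assumed peer offers only NULL encryption for ESP.

```python
"""Model of IKEv2 proposal selection (RFC 7296 section 3.3).

Constructed example: the proposal lists and the peer's supported
transforms are assumptions chosen to mirror the post's description
(IKE SA negotiable, ESP encryption limited to NULL), not real
GCP or Zscaler settings.
"""

# A proposal maps transform type -> candidate transform IDs, in the
# initiator's order of preference.
IKE_SA_PROPOSALS = [
    {"ENCR": ["AES_CBC_256", "AES_CBC_128", "3DES"],
     "INTEG": ["HMAC_SHA2_256_128", "HMAC_SHA1_96"],
     "PRF": ["PRF_HMAC_SHA2_256", "PRF_HMAC_SHA1"],
     "DH": ["MODP_2048", "MODP_1024"]},
]
# Child SA (ESP) proposals: no DH entry means no PFS on rekey.
ESP_PROPOSALS = [
    {"ENCR": ["AES_CBC_256", "AES_CBC_128"],
     "INTEG": ["HMAC_SHA2_256_128", "HMAC_SHA1_96"]},
]

# Assumed responder capabilities (constructed). NULL ESP encryption
# gives integrity only; traffic would cross the tunnel in the clear.
PEER_IKE_SUPPORTED = {"ENCR": {"AES_CBC_256"}, "INTEG": {"HMAC_SHA1_96"},
                      "PRF": {"PRF_HMAC_SHA1"}, "DH": {"MODP_2048"}}
PEER_ESP_SUPPORTED = {"ENCR": {"NULL"}, "INTEG": {"HMAC_SHA1_96"}}


def select_proposal(proposals, supported):
    """Return (index, chosen) for the first proposal the responder can
    satisfy, else None. A proposal is acceptable only if the responder
    supports at least one transform of every type it contains; the
    chosen SA keeps exactly one transform per type."""
    for idx, proposal in enumerate(proposals):
        chosen = {}
        for ttype, candidates in proposal.items():
            match = next((t for t in candidates
                          if t in supported.get(ttype, ())), None)
            if match is None:
                break  # no transform of this type matches: reject proposal
            chosen[ttype] = match
        else:
            return idx, chosen
    return None


def negotiate():
    """Run both phases; returns (ike_sa_result, child_sa_result)."""
    return (select_proposal(IKE_SA_PROPOSALS, PEER_IKE_SUPPORTED),
            select_proposal(ESP_PROPOSALS, PEER_ESP_SUPPORTED))


if __name__ == "__main__":
    ike, esp = negotiate()
    print("IKE_SA:", ike)
    print("CHILD_SA:", esp if esp else "NO_PROPOSAL_CHOSEN")
```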

Thanks again John for your insights and help. I suppose the answer was right there all along to begin with, and I simply refused to see it lol. It also led me to understand why our attempts to establish a tunnel using IKEv2 failed as well: GCP VPN sends their generic proposal with the intention of conforming to cipher settings received from the remote peer. In situations where the remote peer utilizes a generic proposal as well, GCP VPN chooses a 'best fit' based on the hardware vendor ID sent by the remote peer. In this situation the Zscaler Enforcement Node (ZEN) remote peer responds with an unknown vendor ID which, possibly due to it being their own proprietary unregistered platform, is not inclusive to GCP VPN's list of known hardware vendor IDs. It explains why the GCP peer responds stating unidentified remote peer proposal.

Nonetheless, thanks again for all your help!
