It turns out getting
libreswan to play nicely with Google Cloud VPN (Classic) is much harder than it needs to be. There are various Medium and mailing list posts about this, but none of the solutions actually survive a rekey. So here's what works.
# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.7 (Maipo)
# rpm -q libreswan libreswan-3.25-220.127.116.11.el7_7.x86_64
[OUR PUBLIC IP] [GCP TUNNEL IP] : PSK "MYPRESHAREDSECRETHERE"
conn gcp left=[OUR PUBLIC IP] leftsubnet=[OUR PRIVATE NETWORK]/24 leftsourceip=[OUR PRIVATE IP] right=[GCP TUNNEL IP] rightsubnet=10.240.0.0/16 auto=start authby=secret ikev2=insist ike=aes_gcm_c-256-sha2_512;modp4096 ikelifetime=10h phase2alg=aes_gcm_c-256-null;modp8192 lifetime=3h keyingtries=%forever dpddelay=15 dpdtimeout=30 dpdaction=restart