A libreswan configuration that works with Google Cloud VPN (Classic)

1 minute read Published: 2019-11-30

Getting libreswan to play nicely with Google Cloud VPN (Classic) is much harder than it needs to be. There are various Medium and mailing-list posts about this, but none of the configurations they give actually survive a rekey. So here is what works. The IKE and IPsec lifetimes and the PFS group below match what Google documents for Classic VPN IKEv2 tunnels; a mismatch there is the usual reason a tunnel comes up fine and then drops at the first rekey.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)
# rpm -q libreswan
libreswan-3.25-8.1.0.1.el7_7.x86_64

/etc/ipsec.d/gcp.secrets (keep it root-owned and mode 0600 like the other secrets files; the two IDs are our public address and the GCP tunnel address)

[OUR PUBLIC IP] [GCP TUNNEL IP] : PSK "MYPRESHAREDSECRETHERE"

/etc/ipsec.d/gcp.conf (proposals are in libreswan 3.x syntax: encryption-keylen-prf/integrity;dhgroup)

conn gcp
	left=[OUR PUBLIC IP]
	leftsubnet=[OUR PRIVATE NETWORK]/24
	leftsourceip=[OUR PRIVATE IP]
	right=[GCP TUNNEL IP]
	rightsubnet=[GCP PRIVATE NETWORK]/16
	auto=start
	authby=secret
	ikev2=insist

	ike=aes_gcm_c-256-sha2_512;modp4096
	ikelifetime=10h

	phase2alg=aes_gcm_c-256-null;modp8192
	lifetime=3h

	keyingtries=%forever

	dpddelay=15
	dpdtimeout=30
	dpdaction=restart
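The conn block above is the part that has to be exactly right, so here is a small linter for it as an added example (my code, not the post author's and not part of libreswan). It parses a conn section, normalises libreswan's duration and proposal syntax, and flags the settings that usually break a tunnel at rekey (missing PFS group, lifetimes longer than the working values) or are simply weak (3DES, modp1024, IKEv1). The ceilings are the post's own working values (IKE SA 10h, IPsec SA 3h), the defaults it assumes when a key is absent (ikelifetime 1h, salifetime 8h) are libreswan's documented defaults, and the addresses in the embedded sample configs are RFC 5737 documentation addresses standing in for the placeholders above.

```python
"""Lint a libreswan ``conn`` block for a Google Cloud VPN (Classic) IKEv2 tunnel.

Added example for this post, not code from libreswan or Google.
"""
import re

# Ceilings are the post's working values (IKE SA 10h, IPsec SA 3h).
MAX_IKE_LIFETIME_S = 10 * 3600
MAX_IPSEC_LIFETIME_S = 3 * 3600
# libreswan defaults (ipsec.conf(5)) used when the key is absent.
DEFAULT_IKELIFETIME = "1h"
DEFAULT_SALIFETIME = "8h"
WEAK_ENC = {"des", "3des", "null", "cast", "blowfish"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """libreswan durations: bare seconds or an integer with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]


def parse_proposal(spec):
    """'enc[-keylen]-integ[;dh]' -> dict(enc, keylen, integ, dh).

    Accepts both 'aes256-sha2_256;modp2048' and 'aes_gcm_c-256-sha2_512;modp4096'.
    Only the first proposal of a comma-separated list is examined.
    """
    algs, _, dh = spec.split(",", 1)[0].partition(";")
    parts = algs.split("-")
    m = re.fullmatch(r"(.*?)(128|192|256)?", parts[0])   # split 'aes256' into aes + 256
    enc, keylen = m.group(1), m.group(2)
    rest = parts[1:]
    if rest and rest[0].isdigit():                        # 'aes_gcm_c-256-...' form
        keylen = rest.pop(0)
    return {"enc": enc, "keylen": int(keylen) if keylen else None,
            "integ": rest[0] if rest else None, "dh": dh or None}


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns


def lint_conn(conf):
    """Return a list of findings; an empty list means the conn matches the working shape."""
    findings = []
    if conf.get("ikev2") not in ("insist", "yes"):
        findings.append("ikev2: set ikev2=insist so IKEv1 is never negotiated")
    for label, spec in (("ike", conf.get("ike")),
                        ("phase2alg", conf.get("phase2alg") or conf.get("esp"))):
        if spec is None:
            findings.append(f"{label}: not set, libreswan defaults will be proposed")
            continue
        p = parse_proposal(spec)
        if p["enc"] in WEAK_ENC or (p["keylen"] is not None and p["keylen"] < 128):
            findings.append(f"{label}: weak cipher {p['enc']}")
        if p["dh"] is None:
            findings.append(f"{label}: no DH group pinned"
                            + (", so no PFS at CREATE_CHILD_SA rekey" if label == "phase2alg" else ""))
        elif p["dh"] in WEAK_DH:
            findings.append(f"{label}: weak DH group {p['dh']}")
    lifetimes = (("IKE SA", conf.get("ikelifetime", DEFAULT_IKELIFETIME), MAX_IKE_LIFETIME_S),
                 ("IPsec SA", conf.get("lifetime") or conf.get("salifetime", DEFAULT_SALIFETIME),
                  MAX_IPSEC_LIFETIME_S))
    for what, raw, ceiling in lifetimes:
        secs = parse_duration(raw)
        if secs > ceiling:
            findings.append(f"{what} lifetime {secs}s exceeds the {ceiling}s used in the working config")
    if "dpddelay" not in conf or conf.get("dpdaction", "hold") != "restart":
        findings.append("dpd: set dpddelay/dpdtimeout and dpdaction=restart so a dead tunnel is re-established")
    return findings


def lint_text(text, name):
    return lint_conn(parse_conns(text)[name])


# Constructed samples: the post's working conn and a legacy-style one.
WORKING_CONF = """\
conn gcp
\tleft=203.0.113.10
\tleftsubnet=10.1.0.0/24
\tright=198.51.100.20
\trightsubnet=10.2.0.0/16
\tauto=start
\tauthby=secret
\tikev2=insist
\tike=aes_gcm_c-256-sha2_512;modp4096
\tikelifetime=10h
\tphase2alg=aes_gcm_c-256-null;modp8192
\tlifetime=3h
\tkeyingtries=%forever
\tdpddelay=15
\tdpdtimeout=30
\tdpdaction=restart
"""

WEAK_CONF = """\
conn gcp-legacy
\tleft=203.0.113.10
\tleftsubnet=10.1.0.0/24
\tright=198.51.100.20
\trightsubnet=10.2.0.0/16
\tauto=start
\tauthby=secret
\tikev2=no
\tike=3des-sha1;modp1024
\tphase2alg=aes128-sha1
\tikelifetime=24h
"""

if __name__ == "__main__":
    for name, text in (("gcp", WORKING_CONF), ("gcp-legacy", WEAK_CONF)):
        print(name, lint_text(text, name) or "ok")
```

Run it against your own gcp.conf by reading the file into `lint_text`; the legacy sample produces seven findings, the working one none.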