VPN connection on Google Compute Engine

Solution 1:

Looks like you're running into an issue outlined in the VPN documentation:

Security associations and multiple subnets

Cloud VPN creates a single child security association (SA) announcing all CIDR blocks associated with the tunnel. Some IKEv2 peer devices support this behavior, and some only support creating a unique child SA for each CIDR block. With these latter devices, tunnels with multiple CIDR blocks can fail to establish.

There are several workarounds for this issue:

  1. Use Cloud Router to create BGP-negotiated routes. With this configuration, the CIDRs are not negotiated in the IKE protocol.
  2. Configure the peer device to have several CIDRs in the same child SA. Only some devices support this, and it is only possible in IKEv2.
  3. If possible, aggregate the CIDRs into a single, larger CIDR.
  4. Create a separate tunnel for each CIDR block. If necessary, you can create several VPN gateways for this purpose.

I ran into the same issue pretty recently trying to connect to a peer with 2 single /32 IP addresses for the remote network. I was able to merge the 2 IPs into a single /31 CIDR block and that worked.

That being said, with two /24s and one /32 I don't know if merging them into a single CIDR block is realistic. You're already doing option 4 as a workaround. If you're using IKEv1, barring anything with Cloud Router (which just recently went from Alpha to Beta) this might be as good as you can do for now.
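Added example (not part of the answer above): before picking workaround 3 or 4, it helps to check what a single aggregate CIDR would actually cover versus how many tunnels an exact merge would still need. The prefixes below are constructed (documentation and RFC 1918 ranges) to mirror the /32 pair from the answer and the "two /24s and one /32" case from the question; `collapse_cidrs` and `aggregate_cidrs` are helper names chosen here.

```python
from ipaddress import ip_network, collapse_addresses


def collapse_cidrs(cidrs):
    """Merge adjacent or overlapping blocks without covering any extra
    address. The number of blocks left is the number of tunnels (or
    child SAs) an exact, non-widening setup would still need."""
    nets = [ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes cannot be collapsed")
    return [str(n) for n in collapse_addresses(nets)]


def aggregate_cidrs(cidrs):
    """Return (smallest single supernet covering every block, number of
    addresses that supernet admits beyond the original blocks).

    A non-zero overhead means the aggregated traffic selector would route
    (and accept) traffic for addresses that were never meant to be behind
    the tunnel, so the caller can judge whether option 3 is acceptable."""
    nets = [ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes cannot be aggregated")
    # Grow the first block one prefix bit at a time until it contains all.
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    # Count original coverage on the collapsed set so overlaps are not
    # counted twice.
    wanted = sum(n.num_addresses for n in collapse_addresses(nets))
    return str(supernet), supernet.num_addresses - wanted


if __name__ == "__main__":
    # Constructed sample: two host routes that happen to be an aligned pair.
    pair = ["203.0.113.10/32", "203.0.113.11/32"]
    print(collapse_cidrs(pair), aggregate_cidrs(pair))

    # Constructed sample: two /24s plus one /32, as in the question.
    mixed = ["10.1.0.0/24", "10.1.1.0/24", "10.2.3.4/32"]
    print(collapse_cidrs(mixed), aggregate_cidrs(mixed))
```

For the /32 pair the aggregate is an exact /31 with zero overhead, which is why that merge was safe; for the mixed set the only single supernet is a /14 that admits far more address space than the three blocks, while an exact collapse still leaves two blocks (so two tunnels under option 4).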