Zscaler no longer supports 3DES for IPSec encryption, as documented in the 5.4 Late-July Patch Release Notes.
Zscaler recommends that you use null encryption (as described in these configuration guides) for your IPSec tunnels to the Zscaler service. Traffic sent to the Internet does not require additional encryption. Sensitive content is currently encrypted using TLS between the client and the destination server.
If you must encrypt traffic using IPSec (for regulatory or compliance reasons), and you have the appropriate entitlement, use AES encryption.
If you need help changing your configuration or if you have additional questions or concerns, contact Zscaler Technical Support via the Support link in the Admin Portal.