I would like to connect multiple separate NATted networks to a VPC Network using IPSec VPN. I do not fully understand Google's documentation and I'm asking for some clarification here 🙂 The doc is here: https://cloud.google.com/vpn/docs/resources/troubleshooting#gateways_behind_nat
My setup is like this:
| net1 | --- | router1 | --- \
                              \ priv                 onprem pub
| net2 | --- | router2 | ---- | ---- | main_router NAT | ----------- >
                              /
| netN | --- | routerN | --- /

  pub
> ----------- | Cloud VPN gateway(s) | --- | VPC Network |
I would like to have separate tunnels from each on-prem routerN to a Cloud VPC network, probably using N Cloud gateways. I do not fully understand if this is possible with the Cloud VPN. Could someone explain this a little? 🙂
router1 behind NAT <-- IPSec --> Cloud VPN gateway1
router2 behind NAT <-- IPSec --> Cloud VPN gateway2
...
Best Regards
Kamil
Best Answer
I managed to run multiple tunnels from behind a single public IP address using one Cloud VPN per device behind NAT.
Here is how:
Each router (router1, router2, ... on the schema) should advertise its authentication id as the public IP of the NAT router (main_router NAT), not its private address. And now the most important part: on the main NAT router set D-NAT rules that direct traffic from each Cloud VPN Gateway to the private IP of the device that established a specific tunnel. In other words, one has to set N DNAT rules for N tunnels. This way each initial IKE conversation from Cloud VPN can be delivered to the appropriate routerN. All subsequent traffic is captured under ESTABLISHED,RELATED stanzas. I looked at rule counts, etc. on my routers and it works as I described above. The IPSec tunnel is a split tunnel, which means that the Cloud VPN Gateway will try to contact the address specified in the Gateway configuration -- which in our case is always the same public IP address of the main_router NAT. Our main_router NAT must forward packets (based on the source IP address) from specific Gateways to specific internal routers.
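As an added example (not from the thread, and not Google's or the answerer's configuration), here is how the N per-gateway DNAT rules described above could be generated for a Linux-based main_router NAT using iptables. The interface name, the gateway and router addresses, and the function names are constructed assumptions; it also assumes the tunnels use IKE on UDP 500 and NAT-T on UDP 4500, so ESP rides inside UDP 4500 and needs no separate rule.

```shell
#!/bin/sh
# Added example: generate per-tunnel DNAT rules for a Linux NAT router.
# Assumption (hypothetical): the public-facing interface is eth0.
WAN_IF="eth0"

# One line per tunnel: "<Cloud VPN gateway public IP> <on-prem router private IP>"
# Constructed sample mapping (documentation ranges), not real gateway addresses.
TUNNEL_MAP="203.0.113.10 10.0.1.1
203.0.113.11 10.0.2.1
203.0.113.12 10.0.3.1"

# Emit iptables commands for every mapping line read from stdin.
# Matching on the gateway's SOURCE address is what lets N tunnels share one
# public IP: each gateway's IKE/NAT-T packets land on the router that owns
# that tunnel. The existing outbound MASQUERADE rule on POSTROUTING is kept;
# conntrack then maps replies in both directions.
gen_dnat_rules() {
    # Already-tracked flows (the established tunnels) are forwarded as-is.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r gw_ip rtr_ip; do
        [ -n "$gw_ip" ] || continue
        for port in 500 4500; do
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp -s $gw_ip --dport $port -j DNAT --to-destination $rtr_ip:$port"
            echo "iptables -A FORWARD -i $WAN_IF -p udp -s $gw_ip -d $rtr_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
}

# Count the DNAT rules in a generated rule set read from stdin (N tunnels -> 2N).
count_dnat_rules() {
    grep -c -- '-j DNAT'
}

# Print the rules; pipe them into sh only on the real NAT router, as root.
echo "$TUNNEL_MAP" | gen_dnat_rules
```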