Google Cloud VPN: multiple tunnels from behind NAT

Tags: google-cloud-platform, ipsec, vpn

I would like to connect multiple separate NATted networks to a VPC Network using IPSec VPN. I do not fully understand Google's documentation and I'm asking for some clarification here 🙂 The doc is here: https://cloud.google.com/vpn/docs/resources/troubleshooting#gateways_behind_nat

My setup is like this:

| net1 | --- | router1 | --- \
                               \  priv        onprem       pub   
| net2 | --- | router2 | ----  | ---- | main_router NAT | ----------- >
                               /
| netN | --- | routerN | --- / 

    pub
> ----------- | Cloud VPN gateway(s) | --- | VPC Network |

I would like to have separate tunnels from each on-prem routerN to a Cloud VPC network, probably using N Cloud gateways. I do not fully understand if this is possible with the Cloud VPN. Could someone explain this a little? 🙂

router1 behind NAT <-- IPSec --> Cloud VPN gateway1
router2 behind NAT <-- IPSec --> Cloud VPN gateway2
...

Best Regards
Kamil

Best Answer

I managed to run multiple tunnels from behind a single public IP address using one Cloud VPN per device behind NAT.

| net1 | --- | router1 | --- \
                               \  priv        onprem       pub   
| net2 | --- | router2 | ----  | ---- | main_router NAT | ----------- >
                               /
| netN | --- | routerN | --- / 

       /--> | Cloud VPN Gateway for router1 |
----> |--   | Cloud VPN Gateway for router2 |
       \--  | Cloud VPN Gateway for routerN |

Here is how:

  • each device behind NAT initiating the IPSec tunnel (router1, router2 ... on the schema) should advertise its authentication id as the public IP of the NAT router (main_router NAT), not its private address.
  • The NAT router must allow ports 500 and 4500 from the Google Cloud VPN gateways.

And now the most important part: on the main NAT router, set D-NAT rules that direct traffic from each Cloud VPN Gateway to the private IP of the device that established a specific tunnel. In other words, one has to set N DNAT rules for N tunnels. This way each initial IKE conversation from Cloud VPN can be delivered to the appropriate routerN. All subsequent traffic is captured under the ESTABLISHED,RELATED stanzas.

I looked at rule counts, etc. on my routers and it works as I described above. The IPSec tunnel is a split tunnel, which means that the Cloud VPN Gateway will try to contact the address specified in the Gateway configuration -- which in our case is always the same public IP address of the main_router NAT. Our main_router NAT must forward packets (based on the source IP address) from specific Gateways to specific internal routers.
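As an added illustration of the answer above (this is example code, not something posted in the thread or provided by Google), here is a small POSIX shell generator for the rule set described: one DNAT rule per tunnel keyed on the source address of the Cloud VPN gateway, a matching FORWARD accept for the initial IKE/NAT-T packets, one ESTABLISHED,RELATED rule, and MASQUERADE so the on-prem routers' own outbound IKE leaves with the NAT router's public address. It assumes an iptables-based main_router NAT with a WAN interface named by WAN_IF; the gateway and router addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the per-tunnel DNAT and
# forwarding rules for an iptables-based main_router NAT.
# All addresses below are constructed placeholders, not real gateway IPs.
WAN_IF="${WAN_IF:-eth0}"   # assumption: public-facing interface of the NAT router

# One DNAT rule per tunnel: IKE/NAT-T traffic *from* a specific Cloud VPN gateway
# is redirected to the private address of the on-prem router that owns that tunnel.
# Restricting on the source address is what keeps N gateways mapped to N routers.
# Usage: tunnel_rules <cloud_vpn_gateway_ip> <onprem_router_private_ip>
tunnel_rules() {
    gw="$1"; priv="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p udp -m multiport --dports 500,4500 -j DNAT --to-destination %s\n' "$WAN_IF" "$gw" "$priv"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p udp -m multiport --dports 500,4500 -m conntrack --ctstate NEW -j ACCEPT\n' "$WAN_IF" "$gw" "$priv"
}

# Rules that are added once, regardless of the number of tunnels.
common_rules() {
    # Everything after the first IKE exchange is matched here, per the answer.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Outbound IKE from routerN must leave with the public IP it advertises as its ID.
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Constructed sample mapping: "<cloud_vpn_gateway_ip> <router_private_ip>", one line per tunnel.
TUNNELS='203.0.113.10 192.168.1.1
203.0.113.11 192.168.2.1
203.0.113.12 192.168.3.1'

# Emit the full rule set for the mapping above.
gen_all() {
    common_rules
    printf '%s\n' "$TUNNELS" | while read -r gw priv; do
        if [ -n "$gw" ] && [ -n "$priv" ]; then
            tunnel_rules "$gw" "$priv"
        fi
    done
}

# Number of DNAT rules produced; must equal the number of tunnels (N).
count_dnat() {
    gen_all | grep -c -- '-j DNAT'
}

# Print the rules for review; on the NAT router, pipe the output to sh to apply.
gen_all
```

Review the generated lines before applying them: a DNAT rule that is not restricted to the gateway's source address would send every inbound IKE packet to one router, which is exactly the collision the answer's N-rule scheme avoids. Apply with `sh script.sh | sh` only after confirming the gateway addresses match the ones shown in your Cloud VPN configuration.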
