VPN NAT configuration


Nick Halm

Feb 13, 2017, 11:24:19 AM
to gce-discussion

I currently have a 3rd-party vendor connecting to us over a VPN to our colocation. I am trying to move that VPN to a Google Cloud Platform VPN. I can/have created a few VPNs to a project and that is all very simple.

My problem lies in the requirements of our 3rd-party vendor. They require that they send you traffic using the same IP as your VPN. For instance, if my VPN endpoint is 2.2.2.2/32 and the 3rd party's is 5.5.5.204/32, they expect to send me traffic to 2.2.2.2/32, to avoid overlapping CIDRs. I accept that traffic from the tunnel and use a destination NAT to route it to the correct place. In turn, I use a source NAT to route the traffic from a VLAN to the tunnel.

I am doing this using Juniper SRX and I understand the reason for the requirements. Before we put in the request for change we want to be able to prove we can duplicate our current setup, and so far I am not able to create this configuration in testing with GCP.

Is this possible at all? It seems that there isn't any destination NAT'ing at all. I have looked at Creating a static internal IP. I have looked at Protocol forwarding. Maybe protocol forwarding would work, but I don't see how if it does. I know that I am going to be receiving TCP traffic on a specific port. I am thinking that I could then create a target pool to forward that traffic to. I still have the problem that they will only be sending me traffic to an IP that is not in the network and I can't see how to get it over without a NAT.

As I see it now I need to create 2 tunnels and then use protocol forwarding to forward the traffic to a target pool with a health-check. I'm still working at this; if I find an answer I will post it here.
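To make the addressing scheme in the post above concrete, here is an added model (not code from the thread, from Juniper, or from Google) of the two translations a gateway in Nick's position performs: destination NAT on traffic arriving from the tunnel, so that packets the vendor addresses to the VPN endpoint 2.2.2.2 reach a host inside the VLAN, and source NAT on traffic leaving the VLAN, so the vendor only ever sees 2.2.2.2. The endpoint addresses 2.2.2.2 and 5.5.5.204 are the post's; the VLAN 10.20.0.0/24, the host 10.20.0.10, the port 8443 and the port-allocation scheme are assumptions made for the example.

```python
"""Stateful DNAT/SNAT model for a VPN gateway that advertises one address.

The vendor (5.5.5.204) sends to our endpoint 2.2.2.2 and never learns the
VLAN prefix, which is how the overlapping-CIDR problem is avoided. The
gateway keeps a connection table so that replies in each direction are
translated back consistently. Everything below 2.2.2.2/5.5.5.204 is
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, replace as dc_replace

VPN_PUBLIC_IP = ipaddress.ip_address("2.2.2.2")       # endpoint the vendor sends to
VENDOR_IP = ipaddress.ip_address("5.5.5.204")         # vendor's endpoint
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed VLAN behind the gateway
SERVICE_HOST = ipaddress.ip_address("10.20.0.10")     # assumed published server
SERVICE_PORT = 8443                                   # assumed published TCP port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def pkt(src, sport, dst, dport):
    """Convenience constructor taking addresses as strings."""
    return Packet(ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport)


class NatGateway:
    """DNAT for the published service, SNAT for outbound flows, plus a
    connection table so replies are mapped back to the right inside host."""

    def __init__(self, snat_port_base=40000):
        self.dnat_flows = set()   # (vendor_ip, vendor_port) pairs admitted via DNAT
        self.snat_map = {}        # external port -> (internal_ip, internal_port)
        self.snat_rev = {}        # (internal_ip, internal_port) -> external port
        self._next_port = snat_port_base

    def from_tunnel(self, p):
        """Packet decrypted from the tunnel; returns the packet to forward into
        the VLAN, or None when policy drops it."""
        if p.src != VENDOR_IP or p.dst != VPN_PUBLIC_IP:
            return None                       # vendor must address 2.2.2.2, nothing else
        inner = self.snat_map.get(p.dport)    # reply to a flow we SNAT'd outbound?
        if inner is not None:
            return dc_replace(p, dst=inner[0], dport=inner[1])
        if p.dport != SERVICE_PORT:
            return None                       # only the published port is reachable
        self.dnat_flows.add((p.src, p.sport))
        return dc_replace(p, dst=SERVICE_HOST)   # DNAT: 2.2.2.2 -> internal host

    def from_vlan(self, p):
        """Packet from the VLAN heading for the tunnel; returns the translated
        packet, or None when it is not destined for the vendor."""
        if p.src not in INTERNAL_NET or p.dst != VENDOR_IP:
            return None
        # Reply from the published service to a connection admitted by DNAT
        if (p.src, p.sport) == (SERVICE_HOST, SERVICE_PORT) and (p.dst, p.dport) in self.dnat_flows:
            return dc_replace(p, src=VPN_PUBLIC_IP)
        # Outbound flow: SNAT behind 2.2.2.2, keeping the source port when it is
        # free and allocating a fresh one when two inside hosts collide
        key = (p.src, p.sport)
        ext_port = self.snat_rev.get(key)
        if ext_port is None:
            ext_port = p.sport
            while ext_port in self.snat_map:
                ext_port = self._next_port
                self._next_port += 1
            self.snat_map[ext_port] = key
            self.snat_rev[key] = ext_port
        return dc_replace(p, src=VPN_PUBLIC_IP, sport=ext_port)


if __name__ == "__main__":
    gw = NatGateway()
    print("vendor -> VLAN :", gw.from_tunnel(pkt("5.5.5.204", 51000, "2.2.2.2", SERVICE_PORT)))
    print("VLAN -> vendor :", gw.from_vlan(pkt("10.20.0.10", SERVICE_PORT, "5.5.5.204", 51000)))
```

The point the model makes is the one Nick raises: a packet addressed to 2.2.2.2 has no home inside 10.20.0.0/24, so without the destination rewrite at the gateway it cannot be delivered, and without the matching source rewrite the reply would leave with an address the vendor's tunnel selectors do not accept.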

Faizan (Google Cloud Support)

Feb 14, 2017, 6:13:04 PM
to gce-discussion
Hello Nick,

The NAT traversal is currently not supported by Cloud VPN. There is already an internal feature request open with the product engineering team. However, I will not be able to provide you with an estimated time frame for the availability.

With that said, if NAT traversal is one of your main requirements I would recommend setting up your own IPsec VPN gateway (e.g. Strongswan or OpenVPN) on a GCE instance. You can refer to this link where you can find the basic steps to configure Strongswan VPN on GCE.

I hope that helps.

Faizan

Nick Halm

Feb 16, 2017, 9:21:06 AM
to gce-discussion
Faizan,

I've tried the linked Strongswan configuration. Unfortunately, this is just way too difficult if you cannot attach multiple NICs to a single VM. I've decided to terminate VPNs in another cloud provider that provides the functionality for now and convert the traffic to HTTPS and SSL sockets to GCP.

Hopefully we will see multiple NICs in the near future. Our biggest struggle with GCP has been network-related issues. What would be a huge improvement would be getting something like pfSense or any of the other commercial firewalls to act as a gateway to multiple subnets. We are happy to pay for 3rd-party solutions to solve problems like this, but again you need multiple NICs.

Thanks for your help.

Faizan (Google Cloud Support)

Feb 16, 2017, 1:48:09 PM
to gce-discussion
Hello Nick,

Thanks for your feedback, I'll pass it to the product engineering team.

Faizan

Matthew Ulasien

Feb 20, 2018, 11:35:41 PM
to gce-discussion
Is there any update to this request? I stumbled upon this thread after banging my head for several hours trying to connect Cloud VPN to a Meraki router behind a NAT, only to find it's not possible.

AWS has had this feature since 2015. I try to evangelize using GCP over other platforms, but it's kind of hard to do so when they're so behind on very basic features, like NAT traversal.

Is there any roadmap on when NAT traversal over Cloud VPN will be available?

kinaro...@roamtech.com

Feb 22, 2019, 1:38:25 PM
to gce-discussion
Hello Nick, Faizan and Matthew:

Did you find any ways of doing this on GCP? Kind of having the same issue as Nick, just that mine is slightly different. I am trying to establish a VPN from GCP to a third party who prefers a public encryption domain from my end. So ideally I would have to NAT my instances through a public IP. Bad news is that NAT traversal is currently not supported by GCP VPN. Any other ways of achieving this?

Flavio Castro

Feb 23, 2019, 6:19:25 AM
to gce-discussion
Hello friend, really Google is leaving something to be desired. I have already questioned this protocol and they simply said that there is still no provision to implement it. I spent weeks trying to figure out why it did not work... I had to migrate all my GWs to AWS.

Keikei Oreste Kinaro

Feb 23, 2019, 6:26:12 AM
to Flavio Castro, gce-discussion
Thanks Flavio for the feedback,

I will try out AWS and see what I can do. Google should have this in place by now. Otherwise they are missing out.

--
Kind Regards,

Germán (Google Cloud Support)

Apr 4, 2019, 2:34:44 PM
to gce-discussion
You may read about our Google Cloud support for NAT-Traversal at [1], which allows clients behind NATs to communicate with each other. For information on how to configure your on-premises device to support NAT-T with Cloud VPN, refer to [2].

João Paulo Ferreira

Oct 31, 2019, 5:27:39 PM
to gce-discussion
@all

Is there any update to this request? I stumbled upon this thread after banging my head for several hours trying to connect Cloud VPN, only to find it's not possible.

Is there any roadmap on when NAT traversal over Cloud VPN will be available?

Md (Google Cloud Support)

Oct 31, 2019, 11:02:19 PM
to gce-discussion
Hello João,

Cloud VPN supports connecting to a peer VPN gateway behind 1-to-1 NAT (NAT-T) [1]. One-to-many NAT and port-based address translation are not supported, because there's no way to separate the ESP traffic among multiple on-premises VPN gateways behind the NAT device. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single public IP address [2].

When using one-to-one NAT, the on-premises VPN gateway must be configured to identify itself using its public IP address (non-RFC 1918), not its internal private IP.

We have an internal feature request for one-to-many NAT and port-based address translation for GCP Cloud VPN. Feature requests have no ETAs or guarantees of implementation. The product engineering team will verify the feasibility of the request and will take action accordingly.

[1] https://cloud.google.com/vpn/docs/concepts/advanced#udp-encapsulation

[2] https://cloud.google.com/vpn/docs/support/troubleshooting#gateways_behind_nat
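The two constraints in the reply above (a peer behind NAT must present its public, non-RFC 1918 address as its identity, and several peers cannot share one public IP) are easy to check before raising tunnels. The following is an added pre-flight check, not Google's tooling; the tunnel list, the field names `peer_ip` / `peer_id` and the 203.0.113.0/24 documentation addresses are constructed for the example, and 5.5.5.204 is the vendor address from earlier in the thread.

```python
"""Pre-flight check of planned Cloud VPN peers against the NAT constraints
described in the reply above. The tunnel records are constructed samples."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also flags documentation and other reserved ranges
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: one clean vendor peer, one peer that identifies with a
# private address, and two sites that would share a single public IP.
SAMPLE_TUNNELS = [
    {"name": "vendor-a", "peer_ip": "5.5.5.204", "peer_id": "5.5.5.204"},
    {"name": "site-b", "peer_ip": "203.0.113.10", "peer_id": "192.168.1.1"},
    {"name": "site-c", "peer_ip": "203.0.113.20", "peer_id": "203.0.113.20"},
    {"name": "site-d", "peer_ip": "203.0.113.20", "peer_id": "203.0.113.20"},
]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_peers(tunnels):
    """Return a list of (tunnel name, problem) for each constraint violated.

    peer_ip is the address Cloud VPN would be pointed at; peer_id is the IKE
    identity the on-premises gateway presents (an IP here; other identity
    types are left unchecked)."""
    problems = []
    by_public_ip = defaultdict(list)
    for t in tunnels:
        peer_ip = ipaddress.ip_address(t["peer_ip"])
        by_public_ip[peer_ip].append(t["name"])
        if is_rfc1918(peer_ip):
            problems.append((t["name"], f"peer address {peer_ip} is RFC 1918, not reachable as a peer"))
        try:
            ident = ipaddress.ip_address(t["peer_id"])
        except ValueError:
            ident = None
        if ident is not None and is_rfc1918(ident):
            problems.append((t["name"], f"peer identifies as private address {ident}; it must use its public IP"))
    for ip, names in by_public_ip.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                problems.append((n, f"shares public IP {ip} with {others}; one-to-many NAT is not supported"))
    return problems


if __name__ == "__main__":
    for name, problem in check_peers(SAMPLE_TUNNELS):
        print(f"{name}: {problem}")
```

Run against the sample list it reports nothing for vendor-a, the private identity for site-b, and the shared address for site-c and site-d, which is exactly the combination the reply says Cloud VPN will not bring up.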

