I currently have a 3rd-party vendor connecting to us over a VPN to our colocation. I am trying to move that VPN to a Google Cloud Platform VPN. I can/have created a few VPNs to a project and that is all very simple.
My problem lies in the requirements of our 3rd-party vendor. They require that they send you traffic using the same IP as your VPN. For instance, if my VPN endpoint is 2.2.2.2/32 and the 3rd-party is 5.5.5.204/32, they expect to send me traffic to 2.2.2.2/32, to avoid overlapping CIDRs. I accept that traffic from the tunnel and use a destination NAT to route it to the correct place. In turn, I use a source NAT to route the traffic from a VLAN to the tunnel.
I am doing this using Juniper SRX and I understand the reason for the requirements. Before we put in the request for change we want to be able to prove we can duplicate our current setup, and so far I am not able to create this configuration in testing with GCP.
Is this possible at all? It seems that there isn't any destination NATing at all. I have looked at "Creating a static internal IP" and at "Protocol forwarding". Maybe protocol forwarding would work, but if it does, I don't see how. I know that I am going to be receiving TCP traffic on a specific port. I am thinking that I could then create a target pool to forward that traffic to. I still have the problem that they will only be sending me traffic to an IP that is not in the network and I can't see how to get it over without a NAT.
--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/02c4ea6c-fd70-4ef8-9ac1-226091cc32dc%40googlegroups.com.
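The colocation setup the post above describes (vendor sends to the VPN endpoint address, SRX destination-NATs it to the real server, and source-NATs VLAN traffic to that same address on the way out), written out as Junos set commands. This is an added example, not the poster's configuration: the addresses 2.2.2.2 (our endpoint) and 5.5.5.204 (vendor) come from the post, while the zone names vpn and trust, the 10.10.20.0/24 VLAN, the server 10.10.20.5, TCP port 8443, and every pool, rule and policy name are assumptions.

```junos
# Added example (not the poster's config). 2.2.2.2 and 5.5.5.204 are from the
# post; the vpn/trust zones, 10.10.20.0/24, 10.10.20.5, port 8443 and all
# object names are assumptions.

# Route-based tunnel: vendor traffic arrives on st0.0 in zone "vpn".
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 5.5.5.204/32 next-hop st0.0

# Inbound: the vendor sends to 2.2.2.2:8443, our own endpoint address.
# Destination NAT runs before the policy lookup, so rewrite it to the real
# server first and match only the vendor host and the one expected port.
set security nat destination pool vendor-app-server address 10.10.20.5/32 port 8443
set security nat destination rule-set from-vendor from zone vpn
set security nat destination rule-set from-vendor rule to-app-server match source-address 5.5.5.204/32
set security nat destination rule-set from-vendor rule to-app-server match destination-address 2.2.2.2/32
set security nat destination rule-set from-vendor rule to-app-server match destination-port 8443
set security nat destination rule-set from-vendor rule to-app-server then destination-nat pool vendor-app-server

# Outbound: VLAN hosts must appear as 2.2.2.2 inside the tunnel so the vendor
# never sees our RFC 1918 space (the "no overlapping CIDRs" requirement).
set security nat source pool vpn-endpoint address 2.2.2.2/32
set security nat source rule-set to-vendor from zone trust
set security nat source rule-set to-vendor to zone vpn
set security nat source rule-set to-vendor rule vlan-to-vendor match source-address 10.10.20.0/24
set security nat source rule-set to-vendor rule vlan-to-vendor match destination-address 5.5.5.204/32
set security nat source rule-set to-vendor rule vlan-to-vendor then source-nat pool vpn-endpoint

# Policies. The inbound policy matches the post-DNAT destination (10.10.20.5),
# only from the vendor host and only on 8443; anything else arriving through
# the tunnel falls to the default deny.
set security address-book global address vendor-host 5.5.5.204/32
set security address-book global address app-server 10.10.20.5/32
set security address-book global address app-vlan 10.10.20.0/24
set applications application vendor-tcp-8443 protocol tcp destination-port 8443
set security policies from-zone vpn to-zone trust policy vendor-in match source-address vendor-host
set security policies from-zone vpn to-zone trust policy vendor-in match destination-address app-server
set security policies from-zone vpn to-zone trust policy vendor-in match application vendor-tcp-8443
set security policies from-zone vpn to-zone trust policy vendor-in then permit
set security policies from-zone trust to-zone vpn policy vendor-out match source-address app-vlan
set security policies from-zone trust to-zone vpn policy vendor-out match destination-address vendor-host
set security policies from-zone trust to-zone vpn policy vendor-out match application any
set security policies from-zone trust to-zone vpn policy vendor-out then permit
```

To confirm the translation is actually being applied, `show security nat destination rule all` shows hit counters per rule, and `show security flow session destination-port 8443` shows each session's two wings, with 2.2.2.2 on the tunnel side and 10.10.20.5 on the VLAN side. The inbound policy deliberately names the translated address, because on the SRX destination NAT is evaluated before the security policy while source NAT is evaluated after it; a policy written against 2.2.2.2 would never match.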
Hello João,
Cloud VPN supports connecting to a peer VPN gateway behind 1-to-1 NAT (NAT-T)[1]. One-to-many NAT and port-based address translation are not supported, because there's no way to separate the ESP traffic among multiple on-premises VPN gateways behind the NAT device. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single public IP address[2].
When using one-to-one NAT, the on-premises VPN gateway must be configured to identify itself using its public IP address (non-RFC 1918), not its internal private IP.
We have an internal feature request for One-to-many NAT and port-based address translation for GCP cloud VPN. Feature requests have no ETAs or guarantees of implementation. The product engineering team will verify the feasibility of the request and will take action accordingly.
[1] https://cloud.google.com/vpn/docs/concepts/advanced#udp-encapsulation
[2] https://cloud.google.com/vpn/docs/support/troubleshooting#gateways_behind_nat
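The 1-to-1 NAT case the reply describes, as an added example that is not part of the reply: a Junos IKE/IPsec configuration for an SRX whose external interface carries a private address that a NAT device maps 1-to-1 to the public address 2.2.2.2 from the post. The private address 192.168.1.2, the Cloud VPN gateway address 203.0.113.10, the interface name, the proposal names and the algorithm choices are all assumptions. The line that implements the reply's requirement is local-identity inet 2.2.2.2; without it the SRX presents 192.168.1.2 as its IKE identity, which is the private address the reply says Cloud VPN will not accept.

```junos
# Added example (not from the reply). Assumed: ge-0/0/0.0 has 192.168.1.2/24
# and is NAT'd 1-to-1 to 2.2.2.2 (from the post); Cloud VPN is 203.0.113.10.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces st0 unit 0 family inet
# IKE (UDP 500) and NAT-T (UDP 4500) must be allowed in to the external interface.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

# Phase 1: IKEv2 with a pre-shared key. Algorithm choices are assumptions.
set security ike proposal ike-prop-gcp authentication-method pre-shared-keys
set security ike proposal ike-prop-gcp dh-group group14
set security ike proposal ike-prop-gcp authentication-algorithm sha-256
set security ike proposal ike-prop-gcp encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-gcp lifetime-seconds 36000
set security ike policy ike-pol-gcp proposals ike-prop-gcp
set security ike policy ike-pol-gcp pre-shared-key ascii-text "replace-with-shared-secret"

set security ike gateway gw-gcp ike-policy ike-pol-gcp
set security ike gateway gw-gcp address 203.0.113.10
set security ike gateway gw-gcp external-interface ge-0/0/0.0
set security ike gateway gw-gcp version v2-only
# The reply's requirement: identify with the public (post-NAT) address, not
# with the 192.168.1.2 that is actually configured on the interface.
set security ike gateway gw-gcp local-identity inet 2.2.2.2
set security ike gateway gw-gcp remote-identity inet 203.0.113.10

# Phase 2 and the route-based tunnel bound to st0.0. NAT traversal is on by
# default in Junos; do not set no-nat-traversal on this gateway.
set security ipsec proposal ipsec-prop-gcp protocol esp
set security ipsec proposal ipsec-prop-gcp authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-gcp encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-gcp lifetime-seconds 10800
set security ipsec policy ipsec-pol-gcp perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-gcp proposals ipsec-prop-gcp
set security ipsec vpn vpn-gcp bind-interface st0.0
set security ipsec vpn vpn-gcp ike gateway gw-gcp
set security ipsec vpn vpn-gcp ike ipsec-policy ipsec-pol-gcp
set security ipsec vpn vpn-gcp establish-tunnels immediately
```

After committing, `show security ike security-associations detail` lists the local and remote identities that were exchanged and whether NAT traversal is in use, which is the quickest way to tell a wrong-identity failure from a pre-shared-key or proposal mismatch. Note that this only covers the reply's point about bringing the tunnel up through 1-to-1 NAT; it does not change the situation described in the post, where the vendor addresses its traffic to the endpoint IP itself and expects a destination NAT on the receiving side.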