Context:
I'm running a set of instances within the Google Compute environment. Each host has a single interface with a single IP in the 10.0.0.0 private range.
I have external customers who require connectivity to these instances over a VPN connection. Due to their size, however, these customers require a unique "real" IP address as the target (to avoid the risk of having multiple clients with the same private address). Before moving to Google we were able to hairpin these connections into our internal network using a Cisco ASA and virtual public interfaces, but the static external addresses that attach to GCE instances can't be hairpinned using the Google VPN/routing tools, so that's not an option. (I've confirmed this with Google Support.)
Proposed Solution:
I've reserved a static address in the GCE environment (let's call it 5.x.x.x).
Within the GCE environment, I have an Openswan box that can route into the internal network over an IPsec connection from a remote ASA. I'm able to ping hosts within the private GCE network from that remote network (when 10.0.0.0/16 is configured as the target).
The goal now is to change the target for the VPN configuration to the 5.x.x.x address, then have that target translated by iptables on the GCE Openswan box to point to a specific IP address (10.x.x.x) on the private network. I've configured iptables such that pings to the 5.x.x.x address translate correctly on the Openswan box itself, but so far I haven't had any luck getting this to work for hosts behind the ASA.
iptables looks like this:
    # iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       all  --  anywhere             x.x.x.5.bc.googleusercontent.com  to:10.x.x.x

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DNAT       all  --  anywhere             x.x.x.5.bc.googleusercontent.com  to:10.x.x.x

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
Any help would be hugely appreciated. This was a problem we didn't anticipate when we moved to Google, but it's one I suspect will impact many larger customers down the line. We're hoping they'll eventually offer a solution, but in the meantime this is what we've got.
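A small audit of the nat table for the pieces a forwarded (VPN) flow needs, added here as an example and not part of the question: it parses a constructed copy of the listing above, and it checks only what `iptables -L -t nat` shows, so the IPsec traffic selectors and the return route from the 10.x.x.x host still have to be verified separately.

```python
import re

# Constructed sample modelled on the listing in the question; the 5.x/10.x
# addresses and the googleusercontent host name are placeholders, not real values.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             x.x.x.5.bc.googleusercontent.com  to:10.x.x.x
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             x.x.x.5.bc.googleusercontent.com  to:10.x.x.x
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

def parse_nat_listing(text):
    """Return {chain_name: [rule dicts]} from `iptables -L -t nat` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy \S+\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or not parts or parts[0] == "target":
            continue  # blank line or column header
        chains[current].append({"target": parts[0], "prot": parts[1],
                                "source": parts[3], "destination": parts[4],
                                "extra": " ".join(parts[5:])})
    return chains

def audit_dnat_gateway(chains):
    """Flag nat-table facts that matter for traffic forwarded through the box."""
    findings = []
    pre_dnat = [r for r in chains.get("PREROUTING", []) if r["target"] == "DNAT"]
    if not pre_dnat:
        findings.append("no DNAT in PREROUTING: forwarded packets are never translated")
    if any(r["target"] == "DNAT" for r in chains.get("OUTPUT", [])):
        findings.append("DNAT in OUTPUT only rewrites packets generated on this host "
                        "(why local pings work); it does nothing for forwarded traffic")
    snat = [r for r in chains.get("POSTROUTING", []) if r["target"] in ("SNAT", "MASQUERADE")]
    if pre_dnat and not snat:
        findings.append("DNAT without SNAT in POSTROUTING: the internal host sees the remote "
                        "client's address unchanged, so its replies must be routed back "
                        "through this gateway or they will never be un-DNATed")
    return findings
```

Feed it the real listing (`iptables -L -t nat | python3 -c ...` or by pasting it into `SAMPLE_NAT`) after each change; an empty findings list means the nat table itself is no longer the thing to suspect.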