Unanswered Question
Apr 10th, 2009
User Badges:


Presently use a GRE tunnel between Router A at client A and router B at HQ. This tunnel allows a crypto device behind each router to establish their own IPSEC tunnel accross the GRE tunnel. The restriction with this setup is that the Router at Client A needs to be directly connected to the ISP demarcation point and thus have an Internet routable ip configured on

it's WAN interface.This allows the cryto devices to keep their private ip addreses. Works great this way.

Note: the router at HQ is already directly connected to the ISP demarcation, so no issue there.


Not all clients have their ISP demarcation point directly connected to the client router that the crypto device behind connects to. We are required to go through the client's existing network, therefore that router where the WAN interface was configured with an Internet routable ip address will need a private ip address configured instead that would need to be nat'd. Tried establishing that same GRE tunnel but when using NAT and that did not work. Have the following questions.

The crypto devices at each end originally were able to use their private ip addresses when using the GRE tunnel, will I need to NAT those ip addresses.If so will the router that is directly connected to the crypto device need to perform nat for those crypto devices.

Also, the router at the client where the crypto device connects to, will it also need a private ip address for it's WAN

interface to be nated and would the nat take place on the client's departmental internet facing router?

I'm sure this has been done before, establishing an IPsec tunnel between a private network via another private network. In a nutshell, just trying to get those crypto devices to form their IPSEC tunnel with one connected behind a client's existing private network. It would be easy to maintain the GRE solution, but like I mentionned , does not work when NAT is involved.

I have attached a diagram for illustration purposes. In that diagram would I, under the proposed drawing, establish the first IPSEC tunnel between router B and C or between Router B and A? The other IPsec tunnel between the Crypto device are automatically setup, as long as there is connectivity between the two sites.

Any examples that mirror what I am looking for?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion