GRE over IPsec through NAT


I have been labbing some GRE over IPsec lately, and have a question I can't seem to find a good answer to. Reading around, I see here that Cisco states if you are doing GRE over IPsec you *must* use tunnel mode if a NAT device is in the middle. This seems to be echoed in a few books as well. The problem is, this is the exact opposite of what I am seeing in my lab.


My setup is simple: Lo0: where R1 and R3 are establishing a GRE over IPsec tunnel between them using GRE tunnel interfaces.  With no NAT involved at all, tunnel mode or transport mode work fine.  If I introduce NAT, only transport mode works.  Tunnel mode will fail at phase 2 negotiation.  Specifically, what I am introducing at that point is a static NAT configured on R2 for R1. 

When I write everything out and look at the packet structure, it makes perfect sense to me as to why transport mode works and tunnel mode does not. This is of course the exact opposite of what Cisco says in that design guide and in several books. What am I missing?
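As an added example (my own, not the poster's lab configuration), here is a minimal IOS setup for the topology described: a GRE tunnel between R1 and R3 protected with `tunnel protection`, with R1 behind a static NAT on R2. All addresses, key names and interface choices are constructed assumptions; the single line that differs between the two cases being compared is `mode transport` versus `mode tunnel` in the transform set.

```cisco
! --- R1 (inside the NAT; constructed addresses) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key LAB-PSK address 203.0.113.3
! NAT-T (ESP in UDP/4500) is on by default; it must stay on for ESP to cross R2
crypto isakmp nat-traversal 20
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
! "mode transport" is the case that works through the NAT in the lab;
! swap in "mode tunnel" to reproduce the phase 2 failure being asked about
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.3
 tunnel protection ipsec profile GRE-PROT
!
! --- R2 (static NAT for R1's tunnel source; constructed) ---
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.1.1 203.0.113.1
!
! --- R3 (peer; only ever sees R1 as its NAT address) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key LAB-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
```

Compare `show crypto isakmp sa detail` and `show crypto ipsec sa` on R3 under each `mode` setting; with the NAT in place the peer it reports is 203.0.113.1 on UDP 4500, not R1's own address.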


