
GRE over IPsec through NAT
Hello,
I have been labbing some GRE over IPsec lately, and have a question I can't seem to find a good answer to. Reading around, I see here that Cisco states if you are doing GRE over IPsec you *must* use tunnel mode if a NAT device is in the middle. This seems to be echoed in a few books as well. The problem is, this is the exact opposite of what I am seeing in my lab.
My setup is simple: Lo0:1.1.1.1---R1---R2---R3---Lo0:3.3.3.3 where R1 and R3 are establishing a GRE over IPsec tunnel between them using GRE tunnel interfaces. With no NAT involved at all, either tunnel mode or transport mode works fine. If I introduce NAT, only transport mode works. Tunnel mode will fail at phase 2 negotiation. Specifically, what I am introducing at that point is a static NAT configured on R2 for R1.
When I write everything out and look at the packet structure, it makes perfect sense to me as to why transport mode works and tunnel mode does not. This is of course the exact opposite of what Cisco says in that design guide and in several books. What am I missing?
Comments
I labbed the crap out of this over the weekend and came to my own conclusions. Hopefully, I'm not missing something else!
http://www.astorinonetworks.com/2017/04/01/gre-over-ipsec-and-static-nat/
Hi Joe,
I believe this happens because the NAT device changes the outer IP header of the packet on the fly, but when the remote endpoint decapsulates the ESP packet it finds the original pre-NAT IP header. So it will complain.
NHRP by default allows keeping information about the pre-NAT IP addressing, thus avoiding this problem, but I can't understand why Cisco declares this. I could understand it if there were some hardware that could NAT both packet headers rather than only one when working in tunnel mode.
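The packet-structure walkthrough the original poster refers to, and the point the last comment makes about the pre-NAT header surviving inside ESP, can be written out as a small model. The following is an added example, not code from the thread or from any vendor: headers are plain dicts, ESP is an opaque wrapper that a NAT cannot look into, and the addresses are constructed (R1's private address 10.0.0.1 with a static translation to 192.0.2.1 on R2, R3 at 203.0.113.3). It only shows which addresses each side sees in the data-plane encapsulation for each IPsec mode; whether IKE phase 2 accepts or rejects the result is what the thread is debating, and the code does not settle that.

```python
"""Model of GRE over IPsec crossing a static NAT (added illustration).

Assumed, constructed topology:
  Lo0:1.1.1.1 -- R1 (10.0.0.1, static NAT to 192.0.2.1 on R2) -- R2 -- R3 (203.0.113.3) -- Lo0:3.3.3.3
"""

R1_PRIVATE = "10.0.0.1"      # R1's real address (inside the NAT)
R1_NAT = "192.0.2.1"         # R2's static translation of R1
R3 = "203.0.113.3"           # R3, outside the NAT


def ip(src, dst, payload):
    return {"proto": "ip", "src": src, "dst": dst, "payload": payload}


def gre(payload):
    return {"proto": "gre", "payload": payload}


def esp(payload):
    # ESP protects its payload; a NAT in the path can neither read nor rewrite it.
    return {"proto": "esp", "payload": payload}


def wire_packet(mode, src, dst, inner):
    """Packet the sending router emits for an IP packet `inner` entering the GRE tunnel.

    transport: IP | ESP | GRE | inner   (ESP sits inside the GRE packet's own IP header)
    tunnel:    IP | ESP | IP | GRE | inner   (whole GRE packet, header included, inside ESP)
    """
    if mode == "transport":
        return ip(src, dst, esp(gre(inner)))
    if mode == "tunnel":
        return ip(src, dst, esp(ip(src, dst, gre(inner))))
    raise ValueError("mode must be 'transport' or 'tunnel'")


def static_nat(pkt, inside, outside):
    """R2's static NAT: rewrites only the outermost IP header, the only one visible to it."""
    if pkt["proto"] != "ip":
        raise ValueError("NAT operates on IP packets")
    src = outside if pkt["src"] == inside else pkt["src"]
    dst = inside if pkt["dst"] == outside else pkt["dst"]
    return dict(pkt, src=src, dst=dst)


def decapsulate(pkt):
    """Receiving router strips the outer IP header and ESP; returns (outer src/dst, ESP payload)."""
    body = pkt["payload"]
    if body["proto"] != "esp":
        raise ValueError("expected ESP directly under the outer IP header")
    return (pkt["src"], pkt["dst"]), body["payload"]


def headers_after_nat(mode, direction):
    """Return (outer header as received, IP header found inside ESP or None).

    direction is 'r1_to_r3' or 'r3_to_r1'; R3 addresses R1 by its NAT address.
    """
    if direction == "r1_to_r3":
        wire = wire_packet(mode, R1_PRIVATE, R3, ip("1.1.1.1", "3.3.3.3", {"proto": "icmp"}))
    elif direction == "r3_to_r1":
        wire = wire_packet(mode, R3, R1_NAT, ip("3.3.3.3", "1.1.1.1", {"proto": "icmp"}))
    else:
        raise ValueError("direction must be 'r1_to_r3' or 'r3_to_r1'")
    outer, inside_esp = decapsulate(static_nat(wire, R1_PRIVATE, R1_NAT))
    protected = (inside_esp["src"], inside_esp["dst"]) if inside_esp["proto"] == "ip" else None
    return outer, protected


def protected_header_matches_outer(mode, direction):
    """True when nothing inside ESP contradicts the NAT-rewritten outer header."""
    outer, protected = headers_after_nat(mode, direction)
    return protected is None or protected == outer


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for direction in ("r1_to_r3", "r3_to_r1"):
            outer, protected = headers_after_nat(mode, direction)
            print(f"{mode:9s} {direction}: outer={outer} inside-ESP={protected} "
                  f"consistent={protected_header_matches_outer(mode, direction)}")
```

Running it prints, for tunnel mode, an outer header carrying 192.0.2.1 next to a protected inner header still carrying 10.0.0.1 (and the mirror image for R3's replies), while in transport mode there is no second IP header inside ESP for the NAT rewrite to disagree with.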