[strongSwan] working example of GRE over IPSec when both VPN servers are behind NAT

Florin Andrei florin at andrei.myip.org
Wed Jul 10 03:51:31 CEST 2019


I'm trying to figure out this scenario:

Two VPN servers (running some version of Red Hat Linux or a similar 
distro). Both are behind NAT (AWS instances with private IPs assigned to 
eth0, and public EIPs attached to them - so all their Internet traffic 
is NATed to the EIP addresses). I want to create an IPSec tunnel between 
these systems. Within IPSec, I want to create a GRE tunnel. I want to 
keep the IPSec configuration (especially routing) as simple as possible 
- just the minimum required for GRE. Through GRE, later on, I will do 
more complex routing (BGP, etc.) - but that's phase 2, and I haven't 
figured out phase 1 yet (plain GRE through IPSec when the IPSec tunnel 
is NATed on both sides).

I could not find a single working example of this scenario anywhere. 
I've found some examples that assume there is no NAT between the VPN 
servers. Due to the way IPSec works, there are very substantial 
differences between NAT and non-NAT scenarios.

I've tried to build a test environment with GRE encapsulated in IPSec, 
as described above, but I can't make GRE work at all.

I've used strongSwan before, for site-to-site VPN with static routing; 
it was not hard to set up, and it worked great. But GRE tunnels in a 
fully NATed scenario seem a lot more difficult. Maybe I'm missing 
something obvious.

#############################

Speaking in general, when IPSec servers are behind NAT, everything 
becomes exponentially more complicated when setting up anything related 
to IPSec. A lot of tunnels - GRE, VTI, etc. - assume certain facts about 
the IP at the other end of the tunnel, and NAT breaks all those 
assumptions. This is a major difficulty when you're trying to set up a VPN 
and you're not familiar with the very intricate details of IPSec and routing 
on Linux. Some examples of working configurations would be extremely 
helpful. But this is just a general observation.

-- 
Florin Andrei
http://florin.myip.org/
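An added example, not from Florin's post and not strongSwan project code, of what one node of the setup he describes needs when using the swanctl interface of strongSwan 5.x. Every address, identity and path in it is a constructed assumption (RFC 5737 test ranges, names vpn-a/vpn-b, /etc/swanctl/conf.d/gre.conf); the design choice is also mine: tunnel mode with /32 host selectors restricted to protocol 47, so only GRE between the two private eth0 addresses enters the SA, the GRE endpoints are the private addresses (which never change), and IKE alone deals with the NAT via NAT-T. Run the same script on the peer with the LOCAL_*/PEER_* values swapped.

```shell
#!/bin/sh
# Added example (not from the original post): one node of a GRE-over-IPsec
# pair where both strongSwan hosts sit behind 1:1 NAT (AWS EIPs).
# All addresses below are constructed; override them from the environment.
LOCAL_PRIV=${LOCAL_PRIV:-10.0.1.10}     # eth0 address of this instance
PEER_EIP=${PEER_EIP:-203.0.113.2}       # peer's Elastic IP (what IKE talks to)
PEER_PRIV=${PEER_PRIV:-10.0.2.10}       # peer's eth0 address (inner GRE endpoint)
LOCAL_ID=${LOCAL_ID:-vpn-a}             # IKE identities: must not be the NATed IPs
PEER_ID=${PEER_ID:-vpn-b}
GRE_ADDR=${GRE_ADDR:-169.254.100.1/30}  # address on gre1 (BGP will peer over this later)
PEER_GRE=${PEER_GRE:-169.254.100.2}
GRE_MTU=${GRE_MTU:-1400}                # room for GRE + ESP + UDP-encap overhead inside 1500
CONF=${CONF:-/etc/swanctl/conf.d/gre.conf}

# Print the swanctl.conf for this node. Tunnel mode with /32 host selectors
# limited to protocol 47 (GRE): only GRE between the two private addresses
# enters the SA, and the inner endpoints stay fixed regardless of NAT-T.
# $PSK must hold the shared secret (identical on both nodes).
gen_swanctl_conf() {
  cat <<EOF
connections {
  gre-${PEER_ID} {
    version = 2
    local_addrs = ${LOCAL_PRIV}
    remote_addrs = ${PEER_EIP}
    local {
      auth = psk
      id = ${LOCAL_ID}
    }
    remote {
      auth = psk
      id = ${PEER_ID}
    }
    proposals = aes256-sha256-x25519
    dpd_delay = 30s
    mobike = no
    children {
      gre {
        local_ts = ${LOCAL_PRIV}/32[gre]
        remote_ts = ${PEER_PRIV}/32[gre]
        mode = tunnel
        esp_proposals = aes256gcm16-x25519
        start_action = start
        dpd_action = restart
      }
    }
  }
}
secrets {
  ike-${PEER_ID} {
    id-a = ${LOCAL_ID}
    id-b = ${PEER_ID}
    secret = "${PSK}"
  }
}
EOF
}

# Install the config (mode 0600: it holds the PSK), load it, and build the GRE
# tunnel between the *private* addresses. charon installs a route to PEER_PRIV
# in table 220 once the CHILD_SA is up, which is how the GRE packets get out.
apply_all() {
  [ -n "$PSK" ] || { echo "set PSK first (e.g. openssl rand -base64 32, same on both nodes)" >&2; return 1; }
  umask 077
  gen_swanctl_conf > "$CONF"
  swanctl --load-all
  ip tunnel add gre1 mode gre local "$LOCAL_PRIV" remote "$PEER_PRIV" ttl 255
  ip link set gre1 mtu "$GRE_MTU" up
  ip addr add "$GRE_ADDR" dev gre1
}

# What "working" looks like from this side.
check_tunnel() {
  swanctl --list-sas          # CHILD_SA 'gre' INSTALLED, TUNNEL-in-UDP (NAT-T in use)
  ip xfrm policy              # in/out policies with "proto gre" between the private IPs
  ip route show table 220     # route to $PEER_PRIV via eth0, installed by charon
  ping -c 3 -M do -s $((GRE_MTU - 28)) "$PEER_GRE"   # full-size GRE payload, no fragmentation
}

case "${1:-}" in
  conf)  gen_swanctl_conf ;;
  apply) apply_all ;;
  check) check_tunnel ;;
esac
```

Two things outside the script matter as much as the script. The security group on each instance has to admit UDP 500 and UDP 4500 from the peer's EIP: IKE starts on 500, both sides detect the NAT from the NAT_DETECTION payloads, and everything (including the ESP for the GRE) then rides in UDP 4500, so no protocol-50 rule is needed. And the IKE identities are explicit names because the default identity is the local address, which is the private IP here and would not match what the peer is configured to expect. Transport mode would also be possible, but with NAT on both ends it relies on the selector rewriting of NAT-T, which is exactly the part that tends to go wrong; tunnel mode with explicit host selectors avoids it. PSK keeps the example short; certificate or raw-key authentication is the better choice for anything permanent, and the x25519 group needs strongSwan's curve25519 plugin (substitute modp2048 if it is not loaded).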

