You should do as expected for other protocols: put only public IPs for remotes.

Example:

- left: 192.0.2.10
- NAT system: 198.51.100.20 / 192.168.0.1
- right (behind NAT): 192.168.0.30

(And e.g. you're setting up the tunnel's IPs as 10.10.10.1/24 for left and 10.10.10.2/24 for right; it doesn't matter here.)

You need to tell the left router that the remote is 198.51.100.20, while for the right router the remote is 192.0.2.10.

Now the caveat: it really depends on the settings on the NAT system, in case it's running Linux. If this NAT system is also Linux:

- It must of course at least do SNAT/MASQUERADE for right for protocol gre (47), in case it doesn't have a generic rule (but see later).
- While NAT for usual protocols usually pulls the related conntrack modules automatically, this doesn't happen for GRE. You have to manually do `modprobe nf_conntrack_proto_gre`, or no NAT will happen and the tunnel won't work. Strangely, from tests, `nf_nat_proto_gre` doesn't seem needed (nor is it enough alone).
- If there is no equivalent DNAT to the SNAT/MASQUERADE, then only right should initiate traffic to left. If left sends traffic to right (actually to the NAT system) after inactivity, this won't work, and the conntrack entry might prevent right from establishing traffic to left for up to 30s (after the end of attempts). Once "established", the "OK" timer rises to 180s. So you should really consider adding a DNAT rule from left to right to complete the opposite SNAT/MASQUERADE rule.

On such a Linux NAT system, you can verify what's happening using `conntrack -L -p gre`: it must have an entry after GRE tunnel activity, or the correct module is missing.
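As an added example (not part of the original answer), here is a small POSIX shell script for the Linux NAT system: it prints the module load plus the paired SNAT and DNAT rules for GRE (protocol 47) using the addresses above, and it classifies `conntrack -L -p gre` output so you can tell a missing entry from a one-directional (UNREPLIED, 30s) or established (180s) one. The interface name and the sample conntrack lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Topology from the answer; WAN_IF is an assumed interface name.
LEFT_PUB=192.0.2.10        # left (public)
NAT_PUB=198.51.100.20      # NAT system, public side
RIGHT_PRIV=192.168.0.30    # right, behind the NAT system
WAN_IF=eth0                # assumed external interface of the NAT system

# Print (rather than run) what the NAT system needs: the GRE conntrack
# module that is not auto-loaded, the SNAT for right->left, and the
# matching DNAT so left can initiate traffic towards right after idle.
gre_nat_rules() {
    cat <<EOF
modprobe nf_conntrack_proto_gre
iptables -t nat -A POSTROUTING -o $WAN_IF -p gre -s $RIGHT_PRIV -d $LEFT_PUB -j SNAT --to-source $NAT_PUB
iptables -t nat -A PREROUTING -i $WAN_IF -p gre -s $LEFT_PUB -d $NAT_PUB -j DNAT --to-destination $RIGHT_PRIV
iptables -A FORWARD -p gre -s $RIGHT_PRIV -d $LEFT_PUB -j ACCEPT
iptables -A FORWARD -p gre -s $LEFT_PUB -d $RIGHT_PRIV -j ACCEPT
EOF
}

# Read 'conntrack -L -p gre' output on stdin and print one of:
#   "missing"                 -> no gre entry at all (module likely missing)
#   "unreplied <seconds>"     -> only one direction seen (DNAT missing or
#                                left initiated after inactivity), ~30s timer
#   "established <seconds>"   -> both directions seen, ~180s timer
gre_conntrack_state() {
    state=missing
    while read -r proto num timeout rest; do
        [ "$proto" = gre ] || continue
        case " $rest " in
            *" [UNREPLIED] "*) state="unreplied $timeout" ;;
            *)                 state="established $timeout" ;;
        esac
    done
    echo "$state"
}

# Constructed sample lines approximating conntrack's GRE output format.
SAMPLE_UNREPLIED="gre      47 29 src=$LEFT_PUB dst=$NAT_PUB srckey=0x0 dstkey=0x0 [UNREPLIED] src=$NAT_PUB dst=$LEFT_PUB srckey=0x0 dstkey=0x0 mark=0 use=1"
SAMPLE_ESTABLISHED="gre      47 179 src=$RIGHT_PRIV dst=$LEFT_PUB srckey=0x0 dstkey=0x0 src=$LEFT_PUB dst=$NAT_PUB srckey=0x0 dstkey=0x0 [ASSURED] mark=0 use=1"

gre_nat_rules
printf '%s\n' "$SAMPLE_UNREPLIED"   | gre_conntrack_state
printf '%s\n' "$SAMPLE_ESTABLISHED" | gre_conntrack_state
```

On a real NAT system you would pipe `conntrack -L -p gre 2>/dev/null | gre_conntrack_state` after generating tunnel traffic.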