Yes the separate clusters each have separate NAT/firewalls protecting them.

Again, I am not going to be able to convince the people donating that bandwidth to set our internal ip on their network as a DMZ host.

I plan to write about it, if I ever figure out how to punch a two way tunnel from me (a place where I have control over such things)  to these places.

What I envision is from the rest of the amprnet, 44.92.21.0/24 comes here via an IPIP tunnel; and various smaller chunks /29 or /28 go back out from here via some other capable tunnel to these remote sites till we convince folks we need to get something up on a decent tower.

It doesn't need to be encrypted or authenticated, whatever is easiest and will do the job.



--Quote--
I'm unclear on the topology of your network; I'm going to assume that
the separate clusters each have a separate NAT/firewall protecting them.

In that case, I believe you may get the IPIP traffic to pass through the
NAT/firewall to the internal host by designating the internal host as a
DMZ host.  You would then register the NAT/firewall's public IP address
as the gateway host.

I'd wager it depends on the software in the NAT/firewall so some may do it
and others may not.  I heard that OpenWRT does handle IPIP encapsulation.

I've not tried that myself so others who have done so should comment on
whether this approach actually works.

I'd much appreciate you writing up what you wind up doing and publish 
it on the wiki so others may share your experience.
	- Brian