Hi,
IPIP can not traverse NAT because first of all it uses proto 4 (encap) and not TCP or UDP, so contrack, which manages NAT traversal does not support it. In a NAT situation, incoming connections not triggered from the inside don't get translated, since the NAT doesn't know the originator. Being a stateless point to multipoint communication, you do not have a "inside" originated connection for all connections. It is expected that NAT knows where to forward a data packet by using information from the original outgoing connection (established and related packets are sent to the internal originating ip ), which is not the case for IPIP since incoming data from another host (we have a mesh architecture) has no corresponding outgoing connection.
On the other hand, in OpenVPN, if the server is located outside, all connections are stateful and trackable by contrack, being a single IP endpoint on port 1194 originated inside, so NAT traversal is as simple as any connection originated locally.
Marius, YO2LOJ