On our gateway system we try to offer tunneling technologies that are easily usable on the equipment the users have available. For example, we deployed OpenVPN because it is so easy for the users to install and use. For use on routers like MikroTik, IPsec is more convenient. We offer IPsec tunnels for subnets and individual addresses, in AH and ESP mode, and the latter also over NAT-T. A number of users have such a tunnel working over NAT-T without problem. We use setkey/racoon. To connect a radio network router that uses BGP to provide it with a fallback in case the radio network is down or when it has not yet been deployed, it is more convenient to use a GRE tunnel over IPsec transport. BGP can then consider the GRE tunnel as an alternative path. This is easily configurable on a MikroTik in ESP mode, but AH is also possible. (AH mode uses less CPU because there is no encryption, only authentication) After deploying some GRE over IPsec transport connections, of course the first site appeared who has the MikroTik router behind a NAT router which cannot be removed. GRE over IPsec transport does not work over NAT. So, I researched the matter and found that there are examples of the use of GRE over IPsec tunnel mode, which in turn can operate over NAT-T (when ESP is used). Of course terribly inefficient in terms of header size, but it should work. Ok, back to the configuration drawing board and implement this on the Linux gateway. I cannot get it to work. The whole IPsec tunnel is established correctly (of course, this already worked), I can add the GRE interface and make it use the tunnel, but when GRE traffic comes in on the IPsec tunnel it does not appear on the GRE interface. Which worked fine when using IPsec transport instead of tunnel. When I ping from the gateway to a connected test router (MikroTik), I can see the pings arrive on the GRE interface there, being returned to the gateway, arrive as ESP-over-UDP, matched in the firewall, sent to an iptables entry that matches on protocol 47, I can even dump them to the log with -j LOG where they appear: Mar 5 18:23:43 gw-44-137 kernel: [17858.781986] IN=eth0 OUT= MAC=00:0c:29:cc:5a:2a:dc:38:e1:f6:2f:f0:08:00 SRC=10.0.1.43 DST=10.11.12.13 LEN=148 TOS=0x00 PREC=0x00 TTL=255 ID=81 DF PROTO=47 The corresponding GRE tunnel with these addresses is present, it works in the outgoing direction, but not incoming. My guess is that it is a problem to match the SRC and DST addresses in an IPsec tunnel packet to the remote and local addresses of a GRE interface, and it never finds its way. Probably the wrong addresses are matched, the outside rather than the inside addresses of the IPsec tunnel. Does anyone have experience with this and know what might be the problem and how it can be fixed? The Linux kernel is version 3.2.0 (Debian Wheezy) in case that matters. Rob