I've been reading about GRE over IPSEC with PAT.
I found some places saying that PAT will not allow GRE to work. What is really going on ? I did a LAB and it did work passing ssh and telnet traffic all right.
What is the true behind it ? Is there some documentation about it ?
Thank you !
I guess it is referring to the fact that GRE is IP Protocol 47 (does not have TCP/UDP port numbers) therefore would not work through standard PAT.
Same concept as IPsec requiring ESP (IP protocol 50) to pass traffic.
To overcome the IPsec problem, ESP can be further encapsulated in either UDP/TCP to be able to pass through PAT.
I know that improvements have been made to pass these protocols through PAT... can you describe your scenario?
I have 2 simple scenarios:
Router A doing the GRE over IPSEC connected to internet doing PAT
Internet in between them
Router B doing the GRE over IPSEC connected to internet doing PAT
2 - scenario
Router A doing the GRE over IPSEC connected to private network
frame - relay in between them (I dont know if they may have a device doing PAT inside the FR network)
Router B doing the GRE over IPSEC connected to private network
Previously NAT didn't support GRE because of the fact of lacking TCP/UDP ports.
Now, GRE and NAT have been improved to overcome this problems.
For example, when setting up a PPTP tunnel, PPTP uses TCP to establish the tunnel and uses GRE to passes the traffic... so what happen to a PPTP session through PAT?
Here's an explanation:
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 1701, RFC 1702].
Hope it helps.