# Tunnel with gre/gif behind NAT



## Riccardo_Ricci (Jan 30, 2018)

I have configured a tunnel with a gif interface (switchable with gre without sensible problems) but... now I have to configure another tunnel. The difference from the others is that the new server is behind a NAT...


```
eth0
    inet 192.168.1.102 netmask 0xffffff0 broadcast 192.168.1.255
```

The public IP address is variable (it is now 151.x.x.x). Can I set the tunnel without a fixed endpoint?


----------



## Crest (Jan 31, 2018)

Running unencrypted tunnels through the internet is not the best of ideas even with static endpoint addresses. One way to fix both problems at once would be to use strongSwan to encrypt the GRE tunnel in transport mode with NAT-T and an updown script to sync the tunnel configurations. Just make sure to filter outgoing unencrypted GRE traffic to prevent leaking plaintext if the IPsec SA is down.


----------
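One way the updown script mentioned in the reply above could keep the GRE endpoints in step with the IPsec SA, as an added example that is not from the thread or from strongSwan itself. The interface name `gre0` and the helper names `is_ipv4` and `tunnel_cmd` are assumptions; `PLUTO_VERB`, `PLUTO_ME` and `PLUTO_PEER` are the variables strongSwan passes to updown hooks, and the `ifconfig` syntax is FreeBSD's.

```shell
#!/bin/sh
# Added example: strongSwan updown hook that re-points a GRE tunnel at the
# peer address of the current IPsec SA. Assumption: the tunnel is gre0.
GRE_IF="${GRE_IF:-gre0}"

# Accept only dotted-quad IPv4, so nothing else reaches the command line.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    ( IFS=.; set -- $1                      # split on dots inside a subshell
      [ "$#" -eq 4 ] || exit 1
      for o in "$@"; do
          [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
      done )
}

# Print the ifconfig command for an updown verb, or nothing for verbs that
# are ignored. Returns 1 when an "up" event carries a non-IPv4 address.
tunnel_cmd() {
    verb=$1 me=$2 peer=$3
    case "$verb" in
        up-host|up-client)
            is_ipv4 "$me" && is_ipv4 "$peer" || return 1
            echo "ifconfig $GRE_IF tunnel $me $peer" ;;
        down-host|down-client)
            echo "ifconfig $GRE_IF deletetunnel" ;;
    esac
}

# Runs only when strongSwan invokes the hook (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(tunnel_cmd "$PLUTO_VERB" "$PLUTO_ME" "$PLUTO_PEER") || exit 1
    [ -z "$cmd" ] || $cmd
fi
```

The script only updates the tunnel endpoints; the packet filter rule for unencrypted GRE that the reply calls for is a separate control.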

