We are in the process of trying to forward GRE and we decided we needed a kernel patch to make it work. The GRE packets apparently have a checksum inside that includes the original destination ip address and if you forward without changing this you just get checksum errors at the destination.
This is the information we found that includes a link to the patch: http://www.impsec.org/linux/masquerade/ip_masq_vpn.html That said, we haven't tried the patch yet so maybe there is a way to make it work without. HTH Andrew
