Dear all,

Please excuse my ignorance, but I've been struggling for about 2 months now with configuring GRE over IPSEC using a Loopback interface as the source of the tunnel.

I wish to tunnel all internal traffic (including communication generated by the routers) over the internet between our HQ and a remote office. I wish to encrypt all communication that passes over the public network, and hide all internal IP addresses.

Our remote LAN uses the 10.20.80.0/24 subnet, and the HQ (being the "hub" where all networks join) can route to all other 10.0.0.0/8 networks. We also have multiple available public IP addresses on both sides.

The following configuration closely matches what I am trying to achieve...

[URL]http://www.cisco.com/warp/public/707/ipsec_gre.shtml[/URL]

...except that it's not clear to me which interfaces would need public IPs in our scenario. I think the ethernet interfaces (10.64.10.0/27) are equivalent to our Internet interfaces. However, would the 192.168.1.1 & 192.168.2.1 and 10.1.1.1 & 10.1.1.2 IP addresses need to be public or private?

Also, if I wished to use static routes initially, what would be the best way (in terms of next hop or outgoing interface) to point the HQ router (router "Light") to networks 10.1.1.2/32, 192.168.2.1/32 and 172.16.2.1/24?

I'd be indebted to you (almost) forever if you can assist! ;-)

Thank you kindly!

Paul