I'm lost...
I tried that config yesterday but the IPsec tunnel still doesn't establish.
In your config, you specify the private IP addresses. How is the tunnel supposed to establish since these private IPs are not routable over the public WAN?
One more time. The SA consists of transport packets one IPsec peer sends to the other one. These transport packets contain encrypted versions of payload packets plus some additional information. So the sa-src-address is the same as the own address the local router uses to send IKE traffic to the remote peer (in your example, 2.2.2.2), and the sa-dst-address is the same as the address of the remote peer (in your example, 1.1.1.1). These two addresses are not manually configured for the policy - they are dynamically inherited from the active-peer properties, because the address of the remote peer may be specified as an fqdn and resolved to an IP number, and because the local address is chosen depending on the route to that remote IP number - some systems use multiple WANs.
Since you've decided to use tunnel mode of the policy, you had to specify the src-address and dst-address separately. It was your choice to configure the GRE tunnel to use the public addresses of both routers as local-address and remote-address, hence the src-address (matching the GRE's local-address) is the same as the sa-src-address and the dst-address (matching the GRE's remote-address) is the same as the sa-dst-address, but it is only so because you have chosen the GRE's local-address and remote-address this way. You had this option because both 1.1.1.1 and 2.2.2.2 in your example are public and static.
In the 4G case, you do not have this option, because the own WAN address of the 4G router is not public, and the public NAT address from behind which it talks to the HQ router is not static, or at least it is not known in advance, before the 4G router connects from that address.
So you have to let the HQ peer accept connections from anywhere, you have to make use of the fact that the sa-dst-address is assigned dynamically, and as the GRE's remote-address and the policy's dst-address you have to specify something other than the public IP from behind which the 4G router connects, because the 4G router itself does not know that public IP, so it cannot be set as the src-address of the policy on the 4G router.
If the CGNAT WAN address of the 4G router is static (which is however not common), you can use it for the GRE's remote-address and the policy's dst-address (from the point of view of the HQ side); if it is not, you have to use some other own address of the 4G router, which is static. In both cases, the address you choose must not be in conflict with any address used at the HQ side.
So in my example, I've used private addresses for both GRE endpoints and the corresponding traffic selector of the policy, because in a generic case, even the WAN address of the HQ router may not be static.
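The arrangement described in the reply above, written out as an added configuration example that is not part of the original post, the poster's own config, or MikroTik documentation. It assumes RouterOS 6.45+ syntax (peer/identity split, policy bound to a peer), and all values are placeholders: hq.example.com for the HQ peer (an fqdn, as the reply allows), 10.255.0.1 and 10.255.0.2 as the static loopback addresses that serve as GRE endpoints and policy traffic selectors, 172.16.1.0/30 inside the GRE tunnel, 192.168.10.0/24 and 192.168.20.0/24 as the two LANs, and PLACEHOLDER_PSK for the pre-shared key; proposal and profile settings are left at their defaults.

```routeros
# --- HQ router (responder). It accepts IKE from any address, so the
# --- sa-dst-address of the generated policy is learned per connection.
/interface bridge add name=lo-ipsec
/ip address add address=10.255.0.1/32 interface=lo-ipsec
/interface gre add name=gre-to-4g local-address=10.255.0.1 \
    remote-address=10.255.0.2 allow-fast-path=no
/ip ipsec policy group add name=grp-4g
/ip ipsec peer add name=peer-4g passive=yes
/ip ipsec identity add peer=peer-4g auth-method=pre-shared-key \
    secret=PLACEHOLDER_PSK generate-policy=port-strict \
    policy-template-group=grp-4g
# Template: the traffic selector is the two loopbacks only (GRE protocol),
# so it matches regardless of the public address the 4G side appears from.
/ip ipsec policy add group=grp-4g template=yes \
    src-address=10.255.0.1/32 dst-address=10.255.0.2/32 protocol=gre
/ip address add address=172.16.1.1/30 interface=gre-to-4g
/ip route add dst-address=192.168.20.0/24 gateway=172.16.1.2

# --- 4G router (initiator, behind CGNAT). 10.255.0.2 is its own static
# --- address, unlike the CGNAT WAN address it does not know in advance.
/interface bridge add name=lo-ipsec
/ip address add address=10.255.0.2/32 interface=lo-ipsec
/interface gre add name=gre-to-hq local-address=10.255.0.2 \
    remote-address=10.255.0.1 allow-fast-path=no
/ip ipsec peer add name=peer-hq address=hq.example.com
/ip ipsec identity add peer=peer-hq auth-method=pre-shared-key \
    secret=PLACEHOLDER_PSK
# No sa-src-address / sa-dst-address here: both are inherited from the peer
# (the local one from the route to hq.example.com, the remote one from its
# resolved address).
/ip ipsec policy add peer=peer-hq tunnel=yes \
    src-address=10.255.0.2/32 dst-address=10.255.0.1/32 protocol=gre
/ip address add address=172.16.1.2/30 interface=gre-to-hq
/ip route add dst-address=192.168.10.0/24 gateway=172.16.1.1
```

The 10.255.0.x endpoints are reached through each router's existing default route, which is enough for the policy to match the GRE packets before they are encrypted; they are never sent unencrypted onto the WAN.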