The following figure depicts the configuration in which a host is communicating with a hidden system through a tunnel address to an encrypting gateway. The hidden system also uses a tunnel address from the encrypting gateway to the host.
In tunneling, the host sends packets to the gateway. The packets are encrypted so that the gateway can decrypt them; the gateway then forwards them to their final destination in the clear.
When setting up tunneling, you must add the gateway's address to the host's ACL, because the host has no way to discover the gateway's certificate.