NAT works great over IPSEC with the patches mentioned in previous replies. However, the patches only apply (AFAIK) to 2.6.10 or below. See my RH bugzilla entry and make some noise:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374

I've been using NAT over IPSEC with those patches with 2.6.10 for ages now and it works great, mostly. I sure wish a solution would be found to get this functionality in the mainstream netfilter/kernel code! Everyone who needs this should CC themselves to that bugzilla so we can get enough voices behind the effort.