Subject: Help with IPsec over NAT
To: None <netbsd-help@netbsd.org>
From: Richard M Kreuter <kreuter@progn.net>
List: netbsd-help
Date: 04/20/2005 12:52:40
Howdy NetBSD people,

My home box serves a number of functions for me (IMAP, SMTP, file
service, etc.), and I'd like to be able to reach these services from
my laptop while I'm on the road.  Configuring firewall holes, access
controls and encryption for each service individually looks to be an
unscalable mess, and so I think I'd like to try encrypting all traffic
between my laptop and my home box's public IP address with IPsec while
I'm away from home.  I think I understand the basics of how IPsec is
to be set up (at least I think I understand the contents of the NetBSD
IPsec FAQ).  My problem is that normally my laptop is behind a NAT
layer that I have no control over while I'm away from home, and so I
believe I need to use some kind of IP-over-IP tunnelling between the
laptop and the home box.  So my questions are these:

(1) Can typical NAT devices pass the encapsulating packets through?

(2) If so, how does one set up a tunnel between a box on some private
    address space (e.g., 192.168.x.x), through the NAT device to some
    address in the public IP space, without touching the NAT box's
    routing?  I can't tell the differences, for example, between gif
    and gre, but I also can't figure out how to set up a tunnel
    through a NAT device with either of them.

(3) If I'm wrong about needing some kind of IP-over-IP tunnelling, is
    there some way to use IPsec through NAT with IPv4?

Thank you,
Richard Kreuter