> ipsec does not work with nat, at all.  they have very conflicting
> goals. (nat wants to look at/rewrite payload, ipsec tries to
> encrypt payload and detect the rewrite of payload)

IPSec clients behind nat can be supported though if their implementation
does not use the AH protocol (there are other caveats as well).  A fellow
has implemented in for linux
(http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html) but apparently
it's not 100%.

CU!  Mike.