Subject: tunnelling and IPNAT (Or IPsec wishing)
To: None <tech-net@netbsd.org>
From: David Brownlee <abs@netbsd.org>
List: tech-net
Date: 05/07/2003 18:00:07
	This age-old chestnut :)

	Assuming the traditional two private networks connected by the
	Internet:

	[internal]------[ IPNAT  ]--<Internet>--[ IPNAT  ]------[internal]
	[ hostsA ]      [gatewayA]              [gatewayB]      [ hostsB ]

	I want to secure traffic between the two networks. I'm quite happy
	for incoming connections to terminate at the IPNAT box (so internal
	hostsA can connect to gatewayB but not directly to hostsB, and
	similarly for hostsB and gatewayA).

	If incoming IPsec was processed before IPNAT, and outgoing IPNAT
	before IPsec then it should be feasible, or (as is likely) am I
	missing something?


-- 
		David/absolute          -- www.netbsd.org: No hype required --