Okay, clear it is.
But then, one question about the example placed here:

http://www.netbsd.org/Documentation/network/ipsec/#sample_vpn

Traffic from 20.0.0.1 to 20.0.0.2 and vice versa is being encrypted this
way. Internally they use the 10 address space and no natting is done
here. But are these machines from the internal network supposed to reach
the internet and receive traffic back (not using ipsec) cause in that
case natting needs to be done for the internal addresses.
Or is natting only done in case traffic is destined/comming from addresses
other then 20.0.0.1(2)?
Or was this example just for a leased line between those networks?
Bye,

Mipam.