Subject: Re: IPsec and NAT?
To: Markus A. Boeing <markus@boeing-online.de>
From: Mipam <mipam@ibb.net>
List: tech-net
Date: 06/08/2001 10:42:10
> Regarding NAT/IPsec in general there are several "challenges" with that. 
> They relate to manipulation of header data structures (i.e. by NAT) and 
> calculation of "crypto checksums" (by IPsec). Cisco published a pretty good 
> article on NAT covering NAT/IPsec as well. Have a look at 
> http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html for more detail.
> 
> As a rule of thumb NAT should occur before the box performs IPsec 
> encapsulation.

In NetBSD, ipf only looks at native wire packets.
On inbound traffic a packet first needs to pass through ipf and then
the IPsec process follows. You still need to pass IPsec traffic, though,
i.e. protocol 50 for ESP and 51 for AH (see RFC 1700 for a list of protocol
numbers). It's very nice: this way you can use the machine as a NAT
gateway, but you can also use IPsec tunnel mode without NAT touching
the packets. It worked for me (NetBSD 1.5 release branch).
Bye,

Mipam.
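A minimal ipf/ipnat ruleset for the setup described in the mail, added here as an illustration; it is not part of the original post and the interface name (ex0), the addresses and the remote peer are constructed placeholders. Because ipf only sees the outer wire packet, the inbound ESP and AH datagrams (and IKE on UDP 500) have to be passed explicitly, while the NAT map on the private LAN range never matches the gateway-sourced tunnel packets.

```conf
# /etc/ipf.conf  (constructed example)
# Assumed: ex0 = external interface, 203.0.113.1 = this gateway,
#          198.51.100.7 = remote IPsec tunnel peer.
# ESP (proto 50) and AH (proto 51) carry no ports; match on protocol only.
pass in  quick on ex0 proto esp from 198.51.100.7 to 203.0.113.1
pass in  quick on ex0 proto ah  from 198.51.100.7 to 203.0.113.1
pass out quick on ex0 proto esp from 203.0.113.1 to 198.51.100.7
pass out quick on ex0 proto ah  from 203.0.113.1 to 198.51.100.7
# IKE key exchange between the two gateways.
pass in  quick on ex0 proto udp from 198.51.100.7 port = 500 to 203.0.113.1 port = 500
pass out quick on ex0 proto udp from 203.0.113.1 port = 500 to 198.51.100.7 port = 500
# Everything else from the outside is dropped and logged;
# outbound traffic from the gateway/LAN is allowed with state.
block in  log on ex0 all
pass  out     on ex0 all keep state

# /etc/ipnat.conf  (constructed example)
# Assumed: 192.168.1.0/24 = private LAN behind the gateway.
# Only packets sourced from the LAN are rewritten; tunnel packets are
# sourced by the gateway itself (203.0.113.1), so they are left untouched.
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ex0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`; a quick sanity check is `ipfstat -hio` after bringing the tunnel up, which should show the ESP/AH pass rules accumulating hits and no blocked packets from the peer in the log.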