> dealing with layer 3 so you can't use normal port forwarding for the tunnel
> traffic. The key exchange is less problematic. It was a bit of a headache,
> and if you can avoid the NAT you will be far better off.

If I can avoid NAT I would use available FreeBSD IPSEC tunnel guides :)