Why do you have a tun0 interface on the NAT box? That's a virtual tunnel interface, not a physical interface. I thought the client (!= the NAT box) is the VPN endpoint. Not all encapsulation is done there, the NAT box is somehow involved in this?

Daniel