Quoting natecars at real-time.com (natecars at real-time.com):
> Depends what you want. Do you want the NAT'd machine to be able to make
> the IPSec connection out? If so, you'll need NAT Traversal patches on the
> other end -- available through the X.509 patch version 0.9.12, or via a
> separate patch. If you want to make the connection from the firewall, then
> it's easy -- nothing special required.

Irk, should have known you would answer this question.
-- 
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
http://www.tcwug.org, Minnesota, Wireless | Coding isn't a crime. 
Fingerprint: 02E0 2734 A1A1 DBA1 0E15  623D 0036 7327 93D9 7DA3