Yes, but you cannot masquerade IPSec tunnels (don't mix that). If the tunnel starts on the machine which does the masquerading, you usually want the tunneled connections not to be masqueraded, so adapt the masquerading rules. Please note that you must not masquerade IPSec traffic (proto 50/51).
Actually you can masquerade if you don't use AH (Authentication Headers); some Cisco routers etc. have other features now that allow you to have NAT and IPSec.
I guess it would, but IPSec is somewhat more platform independent and my choice. With SuSE 7.0/7.1 it's easy to set up IPSec: just install freeswan.rpm (well, I'm not sure if that RPM is available for recent kernel updates, so you may get a problem here, check the FTP server), edit ipsec.conf according to the documentation and run it :)
In theory if people adhere to the IPSec standards it's good, but many are adding weird extensions =(.
oki,
Steffen
-Kurt