If only one VPN endpoint is in a NATted network, then it's easy, as long as the implementation of the NAT allows correct mangling of ESP. But the VPN has to be initiated by the NATted host.
Outgoing VPN (PPTP and IPsec) worked right out of the box (VPN initiator is NATed), but incoming doesn't work because of the ESP and GRE protocols. Funny thing is, technically it is definitely possible, because the outgoing VPN (to my VPN test server, which is also a Win2k server) goes to a NATed server, which sits behind a Netgear router/firewall/switch combo thingy (normal cable modem at my home), i.e. both VPN endpoints are NATed.
I chose:
kernel 2.4.18 from ftp.kernel.org
FreeS/WAN 1.97 from ftp.xs4all.nl
My incoming VPN server is a Win2k VPN server (if I could use FreeS/WAN, I would install it directly on the firewall), which sports PPTP and IPsec as well as a RADIUS server for logging purposes. In between I have the said SuSE 8.0 firewall, which refuses to forward *incoming* GRE (or ESP) to my masqueraded VPN server. I fiddled around with the firewall rules but to no avail; tcpdump shows the GRE packets on the external interface, nothing on the internal. Thanks very much for your numerous answers,
Alex
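For reference, here is an added example (not from the thread or its posters) of the iptables rules a 2.4 netfilter firewall needs to hand incoming PPTP (TCP 1723 plus GRE, protocol 47) and IPsec (UDP 500 plus ESP, protocol 50) to one masqueraded host; the interface names and the 192.168.1.10 address are assumed values. Because GRE and ESP carry no port numbers, a DNAT like this can only reach a single internal endpoint, and a stock 2.4.18 kernel has no PPTP-aware NAT helper, so only the generic connection tracking applies.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed values:
# eth0 = external interface, eth1 = internal interface,
# 192.168.1.10 = the masqueraded VPN server.
# IPT defaults to a dry run that prints the commands; set IPT=iptables
# to apply them on the firewall.
IPT="${IPT:-echo iptables}"

vpn_forward_rules() {
    ext_if="$1"; int_if="$2"; vpn_host="$3"

    # Rewrite the destination of the incoming control and tunnel traffic
    # so it reaches the inside host. GRE (47) and ESP (50) have no ports,
    # so each of these can only point at one internal endpoint.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 1723 -j DNAT --to-destination "$vpn_host"
    $IPT -t nat -A PREROUTING -i "$ext_if" -p 47 -j DNAT --to-destination "$vpn_host"
    $IPT -t nat -A PREROUTING -i "$ext_if" -p udp --dport 500 -j DNAT --to-destination "$vpn_host"
    $IPT -t nat -A PREROUTING -i "$ext_if" -p 50 -j DNAT --to-destination "$vpn_host"

    # DNAT alone is not enough: the FORWARD chain must also accept the
    # rewritten packets, otherwise tcpdump shows them on the external
    # interface only. FORWARD sees the already-rewritten destination.
    for proto in 47 50; do
        $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p "$proto" -d "$vpn_host" -j ACCEPT
    done
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp --dport 1723 -d "$vpn_host" -j ACCEPT
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p udp --dport 500 -d "$vpn_host" -j ACCEPT

    # Replies from the inside host back out, matched by connection tracking.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$vpn_host" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

vpn_forward_rules eth0 eth1 192.168.1.10
```

Run it once as shown to review the generated rules, then again with IPT=iptables (as root, after the usual MASQUERADE rule for outbound traffic) to load them.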