I have an IPSec gateway server (FreeSwan) running on a public IP address, and I want to make tunnels from machines that sit behind ADSLModems (in this case, a Nokia M1122). Thankfully, it was a bit easier to achieve than I thought it might be, and you don't have to worry about NatTraversal at all.
If you have multiple networks that use the same numbering, you can't tunnel them all to the same server: how would the server know which was which? Likewise, if you use a network between a firewall and a DSL modem (the 192.x examples below), that network must also have a unique address at each site.
This setup is designed to allow traffic between an internal mail server and an external web site, for the purposes of IMAP mail. You can, however, modify it to suit. The entire internal network can still access the machine the tunnel ends on, and you also have to configure a tunnel between the external IP of the firewall at the local site and that machine; otherwise the firewall itself can't reach it (which makes using webmail internally a bit of a problem).
[Hosting Server] - [Hosting Firewall] <----> [M1122] - [Site Firewall] - [Local Network]
Imagine a (reasonably standard) layout: (External IP M1122 192.168.1.254) - (192.168.1.250 Firewall 10.7.1.254). The hosting server is 203.204.205.206.
On the M1122, forward ESP (the IPSec payload) and ISAKMP (UDP 500, the key exchange) to the site firewall's outside address, then save the configuration:

    telnet router
    configure
    vcc1
    ip server-napt esp 192.168.1.250 0 0 65535 esp-ipsec
    ip server-napt isakmp 192.168.1.250 500 500 1 udp
    quit
    save config startup
    logout
FreeSwan ipsec.conf at the hosting end (this end knows the site's public address, so it names it and starts the tunnels):

    conn site-hosting
        left=site-external-ip (203.x.x.x)
        leftsubnet=site-internal-net (10.7.1.0/24)
        leftnexthop=
        rightsubnet=hosting (203.204.205.206/32)
        auto=start
        also=site-hosting-keys

    conn sitefw-hosting
        left=site-external-ip (203.x.x.x)
        leftnexthop=
        leftsubnet=external-ip-of-fw (192.168.1.250/32)
        rightsubnet=hosting (203.204.205.206/32)
        auto=start
        also=site-hosting-keys

    conn site-hosting-keys
        leftrsasigkey=...
        leftid=@firewall.site.co.nz
        right=hosting-firewall (203.204.205.1)
        rightnexthop=%defaultroute
        rightrsasigkey=...
        rightid=@firewall.hosting.net.nz
This end (the site firewall behind the M1122) has to be configured differently from the hosting end: it does not hold the public address itself, so it uses %defaultroute and only adds the connections:

    conn sitemail-hosting
        left=%defaultroute
        leftsubnet=site-internal-net (10.7.1.0/24)
        leftnexthop=
        rightsubnet=hosting (203.204.205.206/32)
        auto=add
        also=site-hosting-keys

    conn sitefw-hosting
        left=%defaultroute
        leftnexthop=
        leftsubnet=external-ip-of-fw (192.168.x.250/32)
        rightsubnet=hosting (203.204.205.206/32)
        auto=add
        also=site-hosting-keys

    conn site-hosting-keys
        leftrsasigkey=...
        leftid=@firewall.site.co.nz
        right=hosting-firewall (203.204.205.1)
        rightnexthop=%defaultroute
        rightrsasigkey=...
        rightid=@firewall.hosting.net.nz