Configuring and working with OpenSwan has worked well for me. Recently, I have been tasked to NAT an Amazon EC2 internal IP before passing its traffic across an IPsec tunnel. With NAT actually being handled outside of the instance, is this even possible? If so, how?