Topic: How to NAT IPsec traffic?  (Read 3161 times)
« on: March 30, 2007, 15:29:58 »
scott *
Posts: 1

I have a case where I need to establish an IPSec tunnel to a site whose network overlaps with ours. We only need to see a couple of hosts on the other end of the tunnel, but the owner of the other end will not allow us to establish the tunnel with any overlaps in place.

I've currently solved the problem by creating a little mini-network in front of m0n0wall that works like so:

+---------------+
| Internal LAN  |
| 172.24.0.0/24 |
+---------------+
       |
  172.24.0.10
       |
 +--------------+
 | Router/Proxy |
 +--------------+
       |
  196.168.0.1
       |
 +----------------+
 | m0n0wall/ipsec |
 +----------------+
       |
  (WAN Address)
       |
      \ /
  VPN to customer


So, to the other end of the tunnel, the remote gateway is the WAN address on m0n0wall and the remote network is 192.168.0.1/32.   Locally, within our network, we will assign the little router multiple LAN-side IP addresses, each set to SNAT the traffic to 192.168.0.1 and to DNAT the traffic to the IP address within the customer site that we want to see then forward it on to m0n0wall for tunneling.

(Important note: we don't need or want the other end of the tunnel to be able to route to specific hosts in our environment other than the setup above)

So far this works well for us, but we have to repeat this setup for each customer, which is a real pain. It seems to me that it *should* be possible to do this completely within m0n0wall using virtual IP addresses and NAT, but I'm having trouble figuring out how to get IPsec traffic to NAT.

Long story short: is this setup feasible? I know I could do it using a raw BSD or Linux machine but I really want the web UI (and small footprint) of m0n0wall so that others can help manage the environment.

Thanks,
-scott
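The "little router" described above, written out as an added example (not from the original post or from m0n0wall): a POSIX shell script that, for each LAN-side alias address, emits the DNAT rule to the customer host and the SNAT rule that masks everything behind the single 192.168.0.1/32 address the customer sees. The iptables/iproute2 commands are Linux-specific; the interface name and the alias-to-customer-host mapping list are constructed values for illustration, not anything from the thread.

```shell
#!/bin/sh
# Added example: generate SNAT/DNAT rules for a small Linux router placed in
# front of m0n0wall, so the customer end of the IPsec tunnel only ever sees
# 192.168.0.1/32. Interface name and mappings below are constructed.

LAN_IF=eth0            # assumed LAN-facing interface of the little router
TUN_SRC=192.168.0.1    # the one address presented to the customer side

# Constructed mapping: "LAN alias IP  customer host reached through the tunnel"
MAPPINGS="
172.24.0.10 10.50.1.20
172.24.0.11 10.50.1.21
"

# nat_rules ALIAS_IP CUSTOMER_IP
# Prints the commands that make one LAN alias stand in for one customer host.
nat_rules() {
  alias_ip=$1
  cust_ip=$2
  # Give the router the alias so internal hosts have something to talk to.
  echo "ip addr add ${alias_ip}/24 dev ${LAN_IF}"
  # Anything sent to the alias is rewritten to the real customer host.
  echo "iptables -t nat -A PREROUTING -d ${alias_ip} -j DNAT --to-destination ${cust_ip}"
  # Traffic towards the customer host leaves with the agreed single source.
  echo "iptables -t nat -A POSTROUTING -d ${cust_ip} -j SNAT --to-source ${TUN_SRC}"
  # Only connections we initiate are forwarded; the customer side gets no
  # path to arbitrary internal hosts (matches the original poster's intent).
  echo "iptables -A FORWARD -d ${cust_ip} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# generate_all prints the rule set for every mapping, skipping blank lines.
generate_all() {
  printf '%s\n' "$MAPPINGS" | while read -r alias_ip cust_ip; do
    if [ -n "$alias_ip" ] && [ -n "$cust_ip" ]; then
      nat_rules "$alias_ip" "$cust_ip"
    fi
  done
}

# Usage: sh this_script.sh print            (review the rules)
#        sh this_script.sh print | sudo sh  (apply them on the router)
case "${1:-}" in
  print) generate_all ;;
esac
```

Reviewing the printed rules before piping them to a shell is deliberate: each customer adds four lines, and a wrong `cust_ip` in the SNAT rule would silently leak internal source addresses into the tunnel. A default-DROP FORWARD policy on the router (not shown) is what makes the single ACCEPT rule meaningful.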

« Reply #1 on: March 31, 2007, 20:57:08 »
cmb *****
Posts: 851

Long story short: is this setup feasible?

Not currently, no. It's something a lot of people would like to see; if you can find a clean way to make it work and provide patches, I'm sure it would likely be implemented.