Thanks, but I have only one router so I'm not sure how the IOS-to-IOS part applies. I know that the router can work as a VPN server if it's also the network gateway but how do I configure it using just one network interface when it's a LAN host on that already uses a different firewall/gateway solution.

VPNRouter----NAT_device---Internet-----Partner_X

1) configure an ip address on your VPN router,

let say 192.168.1.2/24. Configure default gateway

on this router to 192.168.1.1 which is your NAT

device (Pix, checkpoint, Linux, whatever),

2) On the NAT device create a static NAT for

the VPN router:

Pix: static (i,o) 1.1.1.2 192.168.1.2 net /32

IOS: ip nat inside source static 192.168.1.2 1.1.1.2

or

ip nat inside source static udp 500 192.168.1.2 int f0/0 500

ip nat inside source static esp 192.168.1.2 int f0/0

3) allow isakmp and ESP or udp/4500 on your external ACL:

access-list vpn permit udp any host 1.1.1.2 eq 500

access-list vpn permit udp nay host 1.1.1.2 eq 4500

access-list vpn permit esp any host 1.1.1.2

4) apply ACL to external interface of external device:

ip access-group vpn in

5) on the vpn device, configure your VPN device for IPSec,

6) configure static route on the NAT_device so that

when it see IPSec interesting traffic, send it to the

VPNRouter.

What you're trying to do is often referring

to as one-arm vpn routing

That's it. Very easy.