To which I can only say that in IPv4 world and VPN, NAT is almost
mandatory. For me, using NAT allows me to set up VPN specific
routing for my special project within a corporate network without
bothering the network administrator with using FreeBSD instead of
their Cisco stuff for routing.
I am tempted to "outsource" the IPsec functionality away from the
kernel using a daemon on a divert socket, just like NATD. This would
be more modular and keep the kernel from panicking because of bugs
in IPsec -- I did have embarrassing kernel crashes, just when I bragged
about FreeBSD running