Something vaguely like this topic came up a little while ago. It seems like an excellent approach to enable deployment of IPsec. Craig Metz mentioned something about wanting to write up an IP-over-UDP tunnel internet draft a couple months ago; he said he'd been using it off-and-on for a while to deal with NATs and brain-damaged firewalls.

- Bill