Public-to-Public IPSec tunnel: NAT confusion

I know this is possible -- and apparently fairly common with larger companies that don't/can't route private addresses for overlap reasons -- but I can't wrap my head around how to get this to work. I'm playing around with pfSense, Vyatta and a Cisco 5505 right now, hardware-wise.

So here's my setup:

WEST: Vyatta

• outside: 10.0.0.254/24
• inside: 172.16.0.1/24
• machine a: 172.16.0.200/24

EAST: Cisco 5505

• outside: 10.0.0.210/24
• inside: 192.168.10.1
• machine b (webserver): 192.168.10.2

So what we're trying to do is this: route traffic across the tunnel from machine A to machine B without using private addresses. i.e. 172.16.0.200 makes a TCP request to 10.0.0.210:80, and as far as EAST is concerned, it sees a src IP of 10.0.0.254.

On WEST, I have your typical many-to-one Source NAT to translate 172.16.0.0/24 to 10.0.0.254 and that's confirmed to be working.

Also on WEST, I have the following IPSec config:

• Local IP: 10.0.0.254
• Peer IP: 10.0.0.210
• local subnet: 10.0.0.254/32
• remote subnet: 10.0.0.210/32

I have the reversed configuration on EAST. What happens when I make a request from machine A to 10.0.0.210:80 is that the SNAT translates the private address of machine A to 10.0.0.254 and it's routed out (and discarded at the other end) without establishing the tunnel. What I'm assuming is happening is that the inside interface on WEST receives a packet from 172.16.0.200 and since this doesn't match the local subnet defined in the tunnel configuration, it's not processed by the IPSec engine and the tunnel is not established.

How do you make this work? Seems like a chicken and egg thing with the NAT and IPSec and I just can't wrap my head around how this can be done: can I say, "if a packet is received on the inside interface with a destination of 10.0.0.210, translate it to 10.0.0.254 before the IPSec engine inspects it"?