I am trying to establish an IPSec tunnel from a router at a remote location to Windows Server 2003. The server has two network cards (internal and external) and is using Remote Routing and Access Service (RRAS). The external NIC is attached directly to the Internet via DSL with a static IP. The internal NIC is attached to a LAN with clients (mostly XP) that access the Internet via RRAS, which has NAT enabled on the external card. There are also VPN clients that connect via PPTP.

I followed the directions in the MS Technet article 816514, which depicts exactly what I am trying to accomplish: http://support.microsoft.com/kb/816514

I was able to get the tunnel configured and the router was showing that the tunnel was up. I could also ping from the router's internal network (NetB) to the internal IP address of the server, but I couldn't ping any internal clients on the server's internal network (NetA); the ping would time out. Nor could I ping from the server's internal network (NetA) to the router's internal network (NetB); I would get a response from the ISP's default gateway saying there was no route available to the address.

So after pulling my hair out for 2 days, I discovered that the issue was NATing was enabled on the internal server network (NetA). As soon as I disabled NAT from RRAS, I was able to ping from a client on NetA to any client on NetB and map drives, use Remote Desktop, etc. I still couldn't ping directly from the server to NetB, though. It was still trying to go out to the ISP default gateway, but that is not a big deal as long as the clients could connect.

So my question is: how can I turn NAT back on and still be able to use the IPSec tunnel? Right now it's either NAT or the IPSec tunnel. Is there a way to exclude just the tunnel traffic from NAT?

Greg W
Tags: ipsec, rras