IPNAT with IPSEC (IPFilter forums, System Security and Security Related category)
Hi,
I have set up an IPSEC connection from our company (A) to another (B) by connecting from (A)'s FreeBSD 4.8-STABLE firewall running IPFILTER & IPNAT to (B)'s Watchguard Firebox SOHO6. All works well when connecting one subnet at (A) to the subnet at (B). But the (A) network is quite extensive, comprising many private subnets. To expect our IPSEC connected companies, e.g. (B), to maintain a list of our subnets so that the IPSEC policies work is not practical. So I figured that companies like (B) should just see us as one subnet - and we would NAT on our firewall. Was that an OK idea? Seemed easy enough at the time...

OK - the set up is this....

```
Private IP           (A)                           (B)
subnets at ----| FIREWALL |-----| INTERNET |-----| FIREWALL |---| subnet at
company (A)    |          |     |          |     |          |   | company (B)
```

Firewall (B) is expecting all IPSEC traffic to be coming from the public IP address on Firewall (A), as tunnelled private IP subnet 10.99.99.0/30. I am trying to NAT all the internal subnets at (A) to 10.99.99.1. But it does not seem to work whichever way I try.

Questions:

1. On which interface should I alias the 10.99.99.1 IP on Firewall (A)? Choices seem to be internal (fxp2), external (fxp1), loopback (lo0) or some gif0 combination. Any other suggestions?
2. Having completed step 1, what should my NAT rule(s) look like? Given that they should be policy based (I think), e.g. if connecting to (B) use this NAT rule.

Looking forward to *any* pointers!

Regards,
Carl.

PS. Apologies if this ended up being a double post.
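The policy-based NAT the post asks about, modelled as an added example that is not from the thread: a parser for a constructed ipnat.conf and a lookup showing which source address company (B) would see for a given internal host. The internal subnets, the public address 203.0.113.5, (B)'s subnet 172.16.50.0/24 and the `map ... from ... to ...` rule form are assumptions; the interface question from the post is left open (fxp1 is only a placeholder).

```python
import ipaddress
import re

# Constructed ipnat.conf for the scenario in the post: several private subnets
# at (A) must reach company (B) as the single tunnelled address 10.99.99.1,
# while all other traffic keeps masquerading behind the public address.
# Subnet values, the public address and the from/to rule form are assumptions.
IPNAT_CONF = """
# policy NAT: traffic for company (B) leaves as 10.99.99.1
map fxp1 from 192.168.10.0/24 to 172.16.50.0/24 -> 10.99.99.1/32 portmap tcp/udp 10000:20000
map fxp1 from 192.168.20.0/24 to 172.16.50.0/24 -> 10.99.99.1/32 portmap tcp/udp 10000:20000
# everything else: ordinary masquerade behind the public address
map fxp1 192.168.0.0/16 -> 203.0.113.5/32 portmap tcp/udp 10000:20000
"""

RULE_RE = re.compile(
    r"^map\s+(\S+)\s+(?:from\s+(\S+)\s+to\s+(\S+)|(\S+))\s+->\s+(\S+)")


def parse_ipnat(text):
    """Parse map rules into (iface, src_net, dst_net_or_None, target_addr)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        iface, src, dst, plain_src, target = m.groups()
        rules.append((iface,
                      ipaddress.ip_network(src or plain_src),
                      ipaddress.ip_network(dst) if dst else None,
                      ipaddress.ip_network(target).network_address))
    return rules


def translate(rules, iface, src, dst):
    """Source address the destination sees for a packet leaving `iface`.
    First matching map rule wins (assumed to mirror ipnat's map ordering);
    an unmatched packet keeps its original source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, r_src, r_dst, target in rules:
        if r_iface == iface and s in r_src and (r_dst is None or d in r_dst):
            return str(target)
    return str(s)


def subnets_missing_policy(rules, internal_subnets, partner_subnet):
    """Internal subnets that would NOT reach the partner as the tunnel address:
    these are the ones whose packets the partner's IPsec policy will reject."""
    probe = ipaddress.ip_network(partner_subnet)[1]
    return [n for n in internal_subnets
            if translate(rules, "fxp1", ipaddress.ip_network(n)[1], probe)
            != "10.99.99.1"]
```

The last function is the check worth running before blaming the tunnel: any subnet it lists will hit (B) with the public address rather than 10.99.99.1 and fail (B)'s policy.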