The answer is yes. If you?re only dealing with firewalls and normal ICS, you can set up most vendor VPN solutions to traverse them using UDP encapsulation of IPSec. The final destination of the traffic is determined by the VPN gateway at the other end of the tunnel. To the firewall, everything is going to one place, the other VPN gateway.
With proxies, it gets a little trickier. Here you need a solution that is proxy aware and can encapsulate the IPSec into TCP, not UDP. There are only a couple of vendor solutions that do this.
This was first published in February 2003