danb wrote: One further note: the VPN selectors must be configured to select the traffic as viewed from the peer. I tried configuring my VPN selector ACL using the inside address of my LAN and it failed.
Yes, so it should! I think I got it now!
The mechanism suggested by noor is different to the vanilla VPN that I had in mind, where policy-class stateless connections manage the traffic through the NetVanta. In your implementation, using your LAN address fails because both NetVanta and SonicWall have the same LANs. The NAT mechanism will change the source packet headers from, say, 192.168.100.5 to the NAT'ed address facing the peer. Hence, no clash between the two LANs.
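
The point made in this exchange, as an added Python model (not code from the thread or from either vendor): it assumes source NAT is applied before the packet is tested against the VPN selector, and shows why a selector written with the inside LAN never matches. The mapped ranges 10.10.1.0/24 and 10.10.2.0/24 and all function names are constructed for illustration.

```python
import ipaddress as ip

LAN = "192.168.100.0/24"        # both sites use this LAN (host .5 is from the post)
MAP_LOCAL = "10.10.1.0/24"      # constructed: how the peer sees the local LAN
MAP_PEER = "10.10.2.0/24"       # constructed: how the local side sees the peer LAN

def nat_1to1(addr, inside, mapped):
    """Static source NAT: keep the host offset, swap the network prefix."""
    addr, inside, mapped = ip.ip_address(addr), ip.ip_network(inside), ip.ip_network(mapped)
    if inside.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if addr not in inside:
        return addr                                  # outside the NAT rule, unchanged
    return mapped[int(addr) - int(inside.network_address)]

def selector_matches(src, dst, selector):
    """True if (src, dst) falls inside the selector's (source net, dest net)."""
    s_net, d_net = (ip.ip_network(n) for n in selector)
    return ip.ip_address(src) in s_net and ip.ip_address(dst) in d_net

def egress(src, dst, selector, inside=LAN, mapped=MAP_LOCAL):
    """Assumed order: NAT first, then the translated packet is tested against the selector."""
    wire_src = nat_1to1(src, inside, mapped)
    return str(wire_src), selector_matches(wire_src, dst, selector)

def plan_problems(lan, map_local, map_peer):
    """Flag address plans that reintroduce the overlap the NAT is meant to remove."""
    nets = {"LAN": ip.ip_network(lan), "local map": ip.ip_network(map_local),
            "peer map": ip.ip_network(map_peer)}
    names = list(nets)
    return [f"{a} overlaps {b}" for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    good = (MAP_LOCAL, MAP_PEER)   # selector as the peer views the traffic
    bad = (LAN, MAP_PEER)          # selector written with the inside LAN address
    print(egress("192.168.100.5", "10.10.2.20", good))   # matches, goes into the tunnel
    print(egress("192.168.100.5", "10.10.2.20", bad))    # translated source misses the selector
    print(plan_problems(LAN, MAP_LOCAL, LAN))            # peer map collides with the shared LAN
```
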