The only SPI that needs to be mapped to an internal IP address is the incoming SPI selected by the IPsec client, because the NAPT device needs to know where to send inbound traffic. Outbound traffic is passed without a problem, because the IPsec client's IP address will be changed by the NAPT device.
There are some caveats, however. First, this scenario will work only when the IPsec client behind the NAPT device is initiating the IPsec VPN. If the IPsec gateway tries to initiate the connection, the NAPT device will block the negotiation, because it won't know where to send the UDP packets; it won't have a NAPT mapping. For the same reason, you cannot host a Web server behind a NAPT device without using port redirection, where all packets bound to a specific inbound port are by default sent to an internal IP address. Port redirection works only when preconfigured.
Second, for this to work, you will have to configure your IPsec gateway to negotiate IKE with, at minimum, the NAPT gateway's address, or with any IP address. ESP uses the SPI, destination IP address and protocol number to look up which SA an IPsec packet belongs to. Because the IPsec gateway knows the IPsec client only by the NAPT address, that is the address that will be used.
Finally, much of IKE authentication is still handled with a preshared secret, or password, which is associated with an IP address. Therefore, you have to tell the IPsec gateway to negotiate with the NAPT IP address. Because remote users often connect via dynamic IP addresses allocated from their ISPs, nearly all IPsec gateways can associate a shared secret with an address range.
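The inbound-SPI mapping and the initiator caveat described above can be seen in a small model of the NAPT device's state tables. This is an added example, not code from the original article or from any product; the class, the addresses and SPI values, and the rule that binds the first unknown inbound SPI to the waiting client are all assumptions made for illustration.

```python
ESP = 50  # IP protocol number for ESP

class Napt:
    """Constructed toy model of a NAPT device doing IPsec passthrough."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_map = {}   # (remote_ip, port) -> (internal_ip, port), for IKE
        self.pending = {}   # remote_ip -> internal_ip awaiting an inbound SPI
        self.spi_map = {}   # (remote_ip, inbound_spi) -> internal_ip

    def outbound_ike(self, internal_ip, remote_ip, port=500):
        # A client-initiated IKE packet creates the UDP mapping and marks the
        # client as expecting ESP back from this gateway.
        self.udp_map[(remote_ip, port)] = (internal_ip, port)
        self.pending[remote_ip] = internal_ip
        return (self.public_ip, port, remote_ip, port)

    def inbound_ike(self, remote_ip, port=500):
        # No mapping means no internal destination: None models a drop.
        return self.udp_map.get((remote_ip, port))

    def outbound_esp(self, internal_ip, remote_ip, spi):
        # Outbound needs no SPI mapping: only the source address is rewritten.
        return (self.public_ip, remote_ip, ESP, spi)

    def inbound_esp(self, remote_ip, spi):
        key = (remote_ip, spi)
        if key not in self.spi_map and remote_ip in self.pending:
            # Assumed learning rule: bind the first unknown inbound SPI from
            # this gateway to the client that opened a session to it.
            self.spi_map[key] = self.pending.pop(remote_ip)
        return self.spi_map.get(key)  # None models a drop

def demo():
    # Constructed sample addresses (documentation ranges) and SPI values.
    gw, client = "198.51.100.1", "192.168.1.20"
    napt = Napt("203.0.113.10")
    out = {"gw_initiated_ike": napt.inbound_ike(gw)}    # dropped: no mapping
    napt.outbound_ike(client, gw)                       # client initiates
    out["ike_reply"] = napt.inbound_ike(gw)             # now forwarded
    out["esp_out"] = napt.outbound_esp(client, gw, 0xAAAA0001)
    out["esp_in"] = napt.inbound_esp(gw, 0xC11E0001)    # client's inbound SPI
    out["esp_in_again"] = napt.inbound_esp(gw, 0xC11E0001)
    out["esp_in_other_spi"] = napt.inbound_esp(gw, 0xDEAD0002)  # dropped
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the inbound direction consults the SPI table; a packet with an SPI the device has never associated with an internal host has nowhere to go, which is the same reason a gateway-initiated IKE packet is dropped.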