Does anyone use SSH tunnels to send data back to the central server?
Are there any pitfalls?

I've tried but you can't since ndo2db use a listen port and open some other ports to monitor multiple ndomod.
So my solution is to use the ndo ssl patch that i've found on the net.
You compile the ndo with it and you're done. No need to set a special config file.
My centreon works perfectly with it.

The patch. Just be in the ndoutils.1.4b7 source and make a patch -p1 < ../ndo14b7_ssl_patch_v2.patch.txt (http://forum.centreon.com/attachment.php?attachmentid=920&stc=1&d=1238417410) then make all.

CF: http://forum.centreon.com/showthread.php?t=6984&highlight=ndo2db

When I look at the tcpdump result, I can see 2 things:
central -> remote tcp/22 (ssh)
remote -> central tcp/5668 (ndoutils)

Is this all? Machines are sitting in different networks with firewall(s) in between. The remote poller is not a trusted host, so I can only open 1 or 2 ports.

Yes that all. Remote report by ndomod->ndo2db with 5668, and Central put configuration with SCP and relaunch Nagios with SSH, so all 22.