Can the ZyWALL NAT handle IPSec packets sent by the VPN gateway behind ZyWALL?
Yes, the ZyWALL’s NAT can handle IPSec ESP tunnel mode. When packets pass through NAT, NAT normally changes the source IP address and source port of the host. To pass IPSec packets, NAT must recognize ESP packets (IP protocol number 50) and replace the source IP address of the IPSec gateway with the router’s WAN IP address. However, NAT should not change the source port of the UDP packets used for key management. The remote gateway checks this source port during the connection, so the port is not allowed to change.
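The translation rule described above, as an added Python sketch (not ZyWALL code). It assumes key management is IKE on UDP destination port 500, which the FAQ does not name; the function names, the addresses and the remapped port 40000 are constructed for illustration.

```python
import socket
import struct

ESP, UDP, IKE_PORT = 50, 17, 500  # IP protocol numbers; assumption: IKE on UDP 500

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def nat_outbound(pkt: bytes, wan_ip: str, next_port: int = 40000) -> bytes:
    """Translate one outbound IPv4 packet the way the FAQ describes."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    hdr[12:16] = socket.inet_aton(wan_ip)      # source IP is always replaced
    if hdr[9] == UDP:
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport != IKE_PORT:                  # ordinary flow: source port is remapped
            payload[0:2] = struct.pack("!H", next_port)
        # IKE: source port left as sent, because the remote gateway checks it
        payload[6:8] = b"\x00\x00"             # UDP checksum 0 = not computed (legal in IPv4)
    # ESP (protocol 50) carries no ports, so its payload passes through untouched
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr + payload)

def build(proto: int, src: str, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src),
                      socket.inet_aton("203.0.113.9"))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def udp(sport: int, dport: int, data: bytes = b"\x00" * 8) -> bytes:
    """Constructed UDP datagram with the checksum field left at 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def summary(pkt: bytes):
    """Return (source IP, protocol, UDP source port or None) for inspection."""
    ihl = (pkt[0] & 0x0F) * 4
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0] if pkt[9] == UDP else None
    return socket.inet_ntoa(pkt[12:16]), pkt[9], sport
```

Passing an ESP packet, an IKE packet and an unrelated UDP packet through `nat_outbound` shows the three cases: address-only rewrite, address rewrite with the source port kept, and address plus port rewrite.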