If you need an IPsec concentrator to be separate from a firewall, you usually need at least two public IPs to avoid NAT-T. Here's a way to do it with just one public IP:
[Attached image: MACspoofingToRunMultipleDevicesOnOneIP.png]