Microsoft Knowledge Base Article 885348 contains the following intoduction:
We do not recommend Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind network address translators. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic.
Additionally, the default behavior of Microsoft Windows XP has changed with Service Pack 2 (SP2). Windows XP SP2 does not support IPSec NAT-T security associations to servers that are located behind network address translators. This change means that a Microsoft Windows Server 2003-based virtual private network (VPN) server that uses Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) cannot be deployed behind a network address translator without additional configuration for Windows XP SP2-based VPN clients.
If you require IPSec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet. Windows-based client computers that support IPSec NAT-T can be located behind a network address translator.