1. The network topology is as follows; the HW firewall is a NAT device between the IPSec VPN client and server:
2. From the capture file, the IPSec ESP packets were not forwarded to the other side because they did not carry the NAT-T option. This shows that the VPN client and server do not have the IPSec NAT traversal function enabled.
The packet does not carry the NAT-T option:
3. According to RFC 3947, when there is a NAT device between the IPSec VPN endpoints, both client and server must support and enable IPSec NAT traversal.
Once it is enabled, ESP packets are encapsulated in UDP (port 4500) and the firewall can NAT them correctly. Otherwise, ESP packets cannot be NATed directly, since ESP carries no port numbers for the firewall to translate.
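To make the diagnosis above concrete, here is an added example (not part of the original note) that classifies packets the way one would when reading the capture: raw ESP (IP protocol 50) versus ESP encapsulated in UDP/4500 as defined in RFC 3948, where IKE on port 4500 is distinguished by a four-zero-byte non-ESP marker. The two captures, the IP addresses and the SPI value are constructed sample data, not taken from the real capture file.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left 0). Addresses are constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10])) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left 0) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(packet: bytes) -> str:
    """Say how one IPv4 packet carries IPsec traffic, if at all."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP_PROTO:
        spi = struct.unpack("!I", body[:4])[0]
        return f"raw ESP spi=0x{spi:08x} (no NAT-T, cannot traverse the NAT firewall)"
    if proto == UDP_PROTO:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:ulen]
        if NATT_PORT in (sport, dport):
            if data[:4] == NON_ESP_MARKER:
                return "IKE on UDP/4500 (NAT-T negotiated)"
            spi = struct.unpack("!I", data[:4])[0]  # SPI 0 is reserved, so no clash with marker
            return f"UDP-encapsulated ESP spi=0x{spi:08x} (NAT-T active, NAT-safe)"
        if IKE_PORT in (sport, dport):
            return "IKE on UDP/500 (initial exchange, NAT-T not in use yet)"
    return "not IPsec"

def natt_verdict(packets) -> str:
    """Reproduce the note's diagnosis: any raw ESP behind a NAT means NAT-T is not enabled."""
    kinds = [classify(p) for p in packets]
    if any(k.startswith("raw ESP") for k in kinds):
        return "NAT-T disabled: ESP sent without UDP encapsulation"
    if any(k.startswith("UDP-encapsulated ESP") for k in kinds):
        return "NAT-T enabled: ESP encapsulated in UDP/4500"
    return "no ESP seen"

# Constructed sample captures: the failing case from the note and the fixed one.
ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\x11" * 16  # SPI, sequence, ciphertext
BROKEN_CAPTURE = [ipv4(UDP_PROTO, udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
                  ipv4(ESP_PROTO, ESP_BODY)]
FIXED_CAPTURE = [ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x00" * 28)),
                 ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT, ESP_BODY))]

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("fixed", FIXED_CAPTURE)):
        print(name, "->", natt_verdict(cap))
        for p in cap:
            print("  ", classify(p))
```

On a real capture, feed the raw IPv4 frames to `classify` in order; seeing IKE stay on UDP/500 followed by protocol-50 ESP is exactly the signature in the failing capture above.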