How can NAT-T be supported on Firewall-1?
Posted on 2003-11-06
We have allowed ESP, AH, UDP 500 and UDP 4500 through our external firewall to the VPN Concentrator. Supporting multiple VPN clients behind a NAT/PAT device requires NAT-T to be enabled; it is enabled on the VPN clients and on the concentrator.
The first client connects on UDP 500 and changes to UDP 4500 (source and destination). The second client connects on 500 and then tries 48068,4500 (I presume the ADSL modem has PATted 4500 to 48068). Using tcpdump I see a response from the concentrator, but it doesn't make it back to the client. I think the firewall has dropped it because it doesn't recognise that response as part of a session. We have a rule to allow UDP 500 and 4500 out (with 4500 as the destination port; in this case 4500 is the source port and a random port is the destination).
We are upgrading to NG next week; will this resolve the problem (i.e. support NAT-T)?
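The drop described in the post comes down to how the firewall treats UDP replies: a rule base that only names destination ports 500 and 4500 cannot match the concentrator's answer once a PAT device has rewritten the client's source port to something like 48068, whereas a firewall that records the UDP flow on the inbound packet accepts the reverse 5-tuple without a rule for it. The model below is an added illustration written for this page, not Firewall-1 code or configuration and not anything the poster supplied; the addresses, the high port 48068 chosen by the modem, and the class names are assumptions. It also classifies what UDP 4500 carries after the port float (IKE behind the four-zero-byte non-ESP marker, UDP-encapsulated ESP, or the one-byte keepalive, per RFC 3948), which is why allowing protocol 50 alone no longer helps once NAT-T is in use.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

CONCENTRATOR = "198.51.100.1"   # VPN concentrator behind the corporate firewall (assumed address)
MODEM_PUBLIC = "203.0.113.5"    # public address of the clients' ADSL modem (assumed)
IKE_PORT = 500
NAT_T_PORT = 4500


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def reply(self, payload: bytes = b"") -> "UdpPacket":
        """The concentrator's answer: addresses and ports swapped."""
        return UdpPacket(self.dst_ip, self.dst_port, self.src_ip, self.src_port, payload)


FlowKey = Tuple[str, int, str, int]


def flow_key(p: UdpPacket) -> FlowKey:
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse_key(p: UdpPacket) -> FlowKey:
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)


class StatelessFirewall:
    """Every packet must match a rule by itself; nothing is remembered.
    Mirrors a rule base that only says 'allow udp dst 500/4500' in each direction."""

    def __init__(self, allowed_dst_ports: Set[int]) -> None:
        self.allowed = allowed_dst_ports

    def accept(self, p: UdpPacket) -> bool:
        return p.dst_port in self.allowed


class StatefulFirewall:
    """A packet that matches a rule opens a UDP pseudo-session; the reverse
    5-tuple is then accepted even though no rule names its destination port."""

    def __init__(self, allowed_dst_ports: Set[int]) -> None:
        self.allowed = allowed_dst_ports
        self.table: Set[FlowKey] = set()

    def accept(self, p: UdpPacket) -> bool:
        if reverse_key(p) in self.table:       # reply to a flow already seen
            return True
        if p.dst_port in self.allowed:
            self.table.add(flow_key(p))        # remember the initiating flow
            return True
        return False


class PatDevice:
    """ADSL modem doing port address translation for several inside clients (assumed behaviour)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.mapping: Dict[Tuple[str, int], int] = {}
        self.next_high_port = 48068          # assumed first ephemeral port handed out

    def outbound(self, p: UdpPacket) -> UdpPacket:
        key = (p.src_ip, p.src_port)
        if key not in self.mapping:
            # Keep the client's source port if no other client holds it,
            # otherwise allocate a fresh high port: the second client gets 48068.
            if p.src_port in self.mapping.values():
                public_port = self.next_high_port
                self.next_high_port += 1
            else:
                public_port = p.src_port
            self.mapping[key] = public_port
        return UdpPacket(self.public_ip, self.mapping[key], p.dst_ip, p.dst_port, p.payload)


def classify_nat_t(payload: bytes) -> str:
    """What a UDP 4500 datagram carries (RFC 3948): IKE behind a 4-zero-byte non-ESP
    marker, UDP-encapsulated ESP (leading SPI, never zero), or a one-byte 0xFF keepalive."""
    if payload == b"\xff":
        return "NAT-keepalive"
    if len(payload) < 4:
        return "invalid"
    return "IKE" if payload[:4] == b"\x00\x00\x00\x00" else "ESP-in-UDP"


def run_scenario(fw) -> Dict[str, bool]:
    """Two clients behind one PAT device float to UDP 4500 and the concentrator answers
    each. Returns whether each client's reply made it back out through the firewall."""
    pat = PatDevice(MODEM_PUBLIC)
    results: Dict[str, bool] = {}
    for name, inside_ip in (("client_a", "192.168.1.10"), ("client_b", "192.168.1.11")):
        # IKE has already run on 500 and detected the NAT; the client moves to 4500/4500.
        inner = UdpPacket(inside_ip, NAT_T_PORT, CONCENTRATOR, NAT_T_PORT, b"\x00\x00\x00\x00IKE")
        outer = pat.outbound(inner)                   # what the corporate firewall sees arriving
        inbound_ok = fw.accept(outer)                 # dst 4500: matches the rule either way
        reply = outer.reply(b"\x00\x00\x00\x00IKE")   # concentrator:4500 -> modem:<public port>
        results[name] = inbound_ok and fw.accept(reply)
    return results


if __name__ == "__main__":
    for fw in (StatelessFirewall({IKE_PORT, NAT_T_PORT}), StatefulFirewall({IKE_PORT, NAT_T_PORT})):
        print(type(fw).__name__, run_scenario(fw))
```

Running it shows the first client's reply passing both firewalls (its public port stayed 4500, so the destination-port rule happens to match) while the second client's reply, addressed to port 48068, passes only the stateful model. The practical check on the real firewall is therefore to look in the logs for the outbound packet from the concentrator's port 4500 to the client's high port and confirm whether it is being matched to the inbound session or evaluated against the rule base on its own.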