Windows XP and Vista both include a L2TP IPSEC capable VPN client. These clients are natively able to transverse client side Network Address Translation. However when the VPN server is also behind NAT these clients will not work without a registry change.
Run the regedit command to open the registry editor. Backup your registry using the Export option.
When using Vista, add the DWORD AssumeUDPEncapsulationContextOnSendRule to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent Set this DWORD to a value of 2 to allow both client side and server side transversal.
When using XP, add the DWORD AssumeUDPEncapsulationContextOnSendRule to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec Set this DWORD to a value of 2 to allow both client side and server side transversal.
For more information, see http://support.microsoft.com/kb/926179