
Multiple IPSEC Tunnels from single IP

theo-ellis
Level 1

Is it possible to connect to a VPN 3000 concentrator with multiple clients from a single IP address?

4 Replies

attrgautam
Level 5

Of course, as long as the clients are distinct.

Distinct? Please elaborate. If I have a DSL connection from an ISP with a dynamic IP address and an internal LAN with five PCs connected, is it possible for each of those PCs to establish an IPSEC tunnel to a VPN 3000 Concentrator concurrently? Doesn't the concentrator treat each peer IPSEC tunnel as a unique connection?

Yes, this is possible. The Hub concentrator should have a static IP address which will be configured as the peer in the spoke or the client. The Hub will need to have dynamic IPsec permitting connections from any peer using the correct pre-shared key/PKI certificate, and each peer will have a distinct SA created when they connect.

Hello,

This is one of the reasons the NAT Traversal concept was invented.

In NAT Traversal, the IPsec packets (ESP) are encapsulated in UDP/4500 (destination port; the source port could be anything). If the FW/proxy is not configured to inspect what is inside that packet, it will treat the packet as a normal UDP packet and will be able to create the translations, PAT in your case.

Turn on NAT-Traversal in the concentrator (I forgot under which option you will find this). In case your organization does not want to open another UDP port, you can also use TCP.

Vikas
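The UDP/4500 encapsulation described in the thread, as an added example that is not part of the original posts: a small parser for NAT-T payloads following the RFC 3948 layout, then a grouping of ESP SPIs by the source IP and port a concentrator would see after PAT. The addresses, ports, SPIs and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

NAT_T_PORT = 4500  # UDP destination port for NAT-Traversal (RFC 3948)

def classify_natt_payload(payload: bytes) -> dict:
    """Classify the payload of one UDP/4500 datagram."""
    if payload == b"\xff":
        return {"kind": "keepalive"}  # single 0xFF byte keeps the PAT entry alive
    if len(payload) < 8:
        return {"kind": "malformed"}
    first_word, second_word = struct.unpack("!II", payload[:8])
    if first_word == 0:
        # Non-ESP marker: four zero bytes, followed by an IKE message.
        return {"kind": "ike"}
    # Otherwise the first word is the ESP SPI and the second the sequence number.
    return {"kind": "esp", "spi": first_word, "seq": second_word}

def peers_by_flow(datagrams):
    """Group ESP SPIs by the (source IP, source port) seen after PAT."""
    flows = defaultdict(set)
    for src_ip, src_port, dst_port, payload in datagrams:
        if dst_port != NAT_T_PORT:
            continue
        info = classify_natt_payload(payload)
        if info["kind"] == "esp":
            flows[(src_ip, src_port)].add(info["spi"])
    return dict(flows)

# Constructed sample: two clients behind one public IP (documentation range),
# told apart only by the source port the PAT device assigned to each.
PUBLIC_IP = "203.0.113.10"
SAMPLE = [
    (PUBLIC_IP, 40001, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28),  # IKE
    (PUBLIC_IP, 40001, 4500, struct.pack("!II", 0xA1B2C3D4, 1) + b"\x00" * 16),
    (PUBLIC_IP, 40002, 4500, struct.pack("!II", 0x0BADF00D, 1) + b"\x00" * 16),
    (PUBLIC_IP, 40002, 4500, struct.pack("!II", 0x0BADF00D, 2) + b"\x00" * 16),
    (PUBLIC_IP, 40001, 4500, b"\xff"),  # NAT keepalive
]

if __name__ == "__main__":
    for flow, spis in peers_by_flow(SAMPLE).items():
        print(flow, [hex(s) for s in sorted(spis)])
```

Each client keeps its own SA (distinct SPI) even though both arrive from the same public address, because the translated source port separates the flows.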