I'm trying to get a VPN tunnel going between a BEFSX41 and an RV042. At the office end the RV042 is connected to a DSL modem and the RV is doing the PPPoE and gets the real IP. At home the BEFSX41 is behind an AG241 (will be a WAG54Gv2 in production). The AG241 is doing the PPPoE and gets the real IP, IPSec VPN passthru is enabled and UDP 500 is forwarded to the BEF's IP address. The idea is that devices plugged into the BEF will get access to the VPN tunnel to the office, but devices plugged into the AG241/WAG54G will not be able to use the tunnel. I want there to be absolutely no situation where a wireless client could compromise the router and gain access to the tunnel.

The problem is that the tunnel isn't surviving being NAT'd by the AG241. I can get a stable tunnel from the AG241 to the RV, which doesn't go thru NAT, but I can't get the BEF to talk to the RV. The logs on the RV show the request as coming from the BEF's WAN IP, which is a 192.168 IP given to it by the DHCP server on the AG241.

I understand this is exactly the sort of situation NAT-T support was added to IPSec for, but I'm a little unclear on how it works. Do both the RV and the BEF need NAT-T support, or just the AG241 since it's the one doing the NAT? Assuming it's the BEF that's lacking and none of the beta firmwares I've tried add NAT-T support, is there anything else down the cheap end of the price range that will support NAT-T? I'm trying to find a cheaper alternative to another Cisco VPN3005 and a bunch of VPN3002 hardware clients at about US$500 each.