Before we enable NAT traversal, let us remind you of a few common problems with NAT traversal that cannot be prevented.
The most important issue is that if you add NAT traversal to a VPN connection for an office network that uses private IP address space, you cannot support remote clients that use the same private address space. So if you use 10.0.1.0/24 at the office, and your roadwarrior is behind ADSL on 10.0.1.2, the IPsec tunnel will fail. An IP address cannot be at both endpoints at once.
Note
IP ranges that are used as a subnet must be excluded from NAT-Traversal usage. It is very important to pick good and small ranges for both ends. For instance, 192.168.0.0/16 is often used by ADSL modems. 10.0.0.0/8 is also frequently used. These would be poor choices for a company network IP range. Much better choices would be 10.145.1.0/24 or something similarly random. If there is an IP conflict, it is possible to do some NAT on them (outside the VPN tunnel, not inside!) but it might turn...
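
The overlap problem described above can be checked before a range is committed to. The following Python sketch is an added example, not part of the original documentation: it tests candidate office subnets against the local addressing of remote clients and ranks them. The client list is constructed sample data and the function names are hypothetical.

```python
import ipaddress

def lan_of(client):
    """Network a client sits on. '10.0.1.2' is treated as a single host (/32);
    '10.0.1.2/24' yields the surrounding LAN (host bits are allowed here)."""
    return ipaddress.ip_interface(client).network

def conflicts(office_subnet, clients):
    """Clients whose local address or LAN overlaps the office subnet."""
    # strict=True rejects typos such as 10.145.1.1/24 (host bits set).
    office = ipaddress.ip_network(office_subnet, strict=True)
    hits = []
    for client in clients:
        lan = lan_of(client)
        # overlaps() raises on mixed IPv4/IPv6, so compare versions first.
        if lan.version == office.version and lan.overlaps(office):
            hits.append(client)
    return hits

def rank_candidates(candidates, clients):
    """Order candidate office ranges: fewest conflicts first, then smallest."""
    scored = []
    for cand in candidates:
        size = ipaddress.ip_network(cand).num_addresses
        scored.append((len(conflicts(cand, clients)), size, cand))
    return [(cand, n) for n, _, cand in sorted(scored)]

# Constructed sample: local addressing of five roadwarriors (not real data).
SAMPLE_CLIENTS = [
    "10.0.1.2",         # the ADSL client from the text
    "192.168.1.34/24",
    "192.168.0.10/24",
    "10.0.0.5/24",
    "172.20.3.7/16",
]

# The four office ranges discussed in the text.
CANDIDATES = ["10.0.0.0/8", "192.168.0.0/16", "10.0.1.0/24", "10.145.1.0/24"]

if __name__ == "__main__":
    for cand, n in rank_candidates(CANDIDATES, SAMPLE_CLIENTS):
        print(f"{cand:16} conflicts with {n} of {len(SAMPLE_CLIENTS)} sample clients")
```

A range that scores zero here only avoids the clients you listed; a small, unusual range lowers the chance of a collision with networks you have not seen yet.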