One limitation of IPsec that we have seen so far, from an end-user point of view, is that it does not automatically configure an internal IP address on the client. Such an address is needed for two reasons. First, most LANs and WANs are secured against unauthorized access from the Internet: firewalls generally ensure that only LAN and WAN IP addresses may reach the company's internal servers. Second, the IP address of the remote endpoint of an IPsec connection is usually an ISP-assigned address that is not known beforehand, so it cannot simply be added to those firewall rules.
When the firewall is not running on the VPN server itself, it sees only the decrypted packets, whose source address is the client's own, non-company address; it therefore cannot tell whether such a connection is an authorized IPsec connection or a rogue host on the Internet that has managed to get into the network somehow. The easiest solution is to have the VPN server give a connecting IPsec client a second IP address, one from the company's IP address pool. The client then uses that address for connections within the company network, and the company...
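The following is an added illustration of the reasoning above, not code from the original text: a LAN-side firewall that admits only the company's own ranges, and a VPN server that leases a client an address from a company pool so that its traffic passes that firewall. All ranges, the pool and the client identity are constructed for the example; the actual delivery of the address to the client (IKE Mode Config, the IKEv2 Configuration payload, or PPP over L2TP) is outside its scope.

```python
"""Why an IPsec road-warrior needs an internal address.

A firewall behind the VPN server trusts only the company's LAN/WAN ranges, so
traffic carrying the client's ISP address is dropped. Leasing the client an
address from a pool inside those ranges makes it admissible. Added example with
constructed addresses; not from any real deployment.
"""
import ipaddress
from typing import Optional

# Constructed company ranges: the only sources the LAN firewall admits.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/16"),  # head-office LAN (constructed)
    ipaddress.ip_network("10.1.0.0/16"),  # branch WAN (constructed)
]
# Hypothetical pool the VPN server leases from. It lies inside a trusted range
# on purpose: that is what makes the leased address useful.
CLIENT_POOL = ipaddress.ip_network("10.1.200.0/24")


def firewall_allows(src: str) -> bool:
    """Admission check as a LAN-side firewall that does not run on the VPN
    server would apply it: the source must be inside a trusted range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


class AddressPool:
    """Per-client lease of internal addresses, as the VPN server would keep it."""

    def __init__(self, pool) -> None:
        net = ipaddress.ip_network(str(pool))
        self._free = list(net.hosts())          # network/broadcast excluded
        self._leases: dict = {}                 # client identity -> address

    def lease(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        """Return the client's existing lease or allocate a fresh one.
        Returns None when the pool is exhausted so the caller can refuse the
        connection instead of handing out a duplicate address."""
        if client_id in self._leases:
            return self._leases[client_id]
        if not self._free:
            return None
        addr = self._free.pop(0)
        self._leases[client_id] = addr
        return addr

    def release(self, client_id: str) -> None:
        """Return a client's address to the pool when its tunnel goes down."""
        addr = self._leases.pop(client_id, None)
        if addr is not None:
            self._free.append(addr)


def connect_client(pool: AddressPool, client_id: str, isp_address: str) -> dict:
    """Simulate one client arriving from an ISP address, obtaining an internal
    address, and report what the LAN firewall decides for each source."""
    leased = pool.lease(client_id)
    return {
        "isp_address": isp_address,
        "isp_admitted": firewall_allows(isp_address),
        "internal_address": str(leased) if leased else None,
        "internal_admitted": firewall_allows(str(leased)) if leased else False,
    }


if __name__ == "__main__":
    pool = AddressPool(CLIENT_POOL)
    # 203.0.113.45 is from RFC 5737 documentation space, standing in for the
    # ISP-assigned address the client shows up with.
    print(connect_client(pool, "alice@laptop", "203.0.113.45"))
```

The same check applies whether the client's original address is its ISP address or a private address behind a NAT router: neither falls in the company's ranges, so only the leased address gets the client past the firewall.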