Many organizations deploy a VPN to allow remote users access to the organizations internal network. Most commonly,
IPSec is used, which famously has problems with Network Address Translation. This is a substantial problem, as a substantial number of these remote users are now on broadband connections, using SOHO NAT devices, like the cable modem routers by Linksys, SMC and others.
Fortunately, during the past year, most of these manufacturers have released code that supports a feature called "IPSec pass-through" which, as you might have guessed, manages not to mangle the IPSec tunnel as it passes through NAT (actually, usually Port Address Translation, which is really the problem, as GRE and ESP use Protocols 47 and 50 respectively, which don't use ports like TCP and UDP. This understandably greatly confuses Port Address Translation.)
Another feature widely available now is called "transparent tunneling" which is typically configured on the VPN client and concentrator. This feature takes all of the GRE tunnel, and possibly your IKE exchanges on UDP 500, and tunnels them through a TCP or UDP port of your choice. Turning this on is generally a good idea, if it isn't on by default. But the question now is should you use UDP or TCP to tunnel your tunnels?
The answer to that depends on another firewall - the one at your head-end. Does it allow UDP? UDP is of course stateless and some stateful firewalls block this traffic because they can't keep track of the connections. UDP is somewhat faster, but it is also less secure, because packets can be easily spoofed. These spoofed packets can't do much damage, as your data is still tunneled inside the encrypted IPSec tunnel, but theoretically less safe. Generally, if you watch your network closely with firewalls, intrusion detection and so on, the connection-oriented TCP will be a better choice.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.