This is a question of your router/firewall, not a question of your Mac Server. You need to forward incoming IP/ESP protocol (number 50) traffic to your Mac Server if you want to use IPSec for your VPN. Mostly this is not possible with home and small business router boxes. Sometimes they have an option called "Exposed Host" or "DMZ Host", which means all of the incoming traffic that does not fit the NAT table is sent to this host inside. This option will work for your IPSec ESP protocol as well, but be careful! With this option you will really expose your host. You need to have a firewall in place to limit access to the services you want to use.
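The router behaviour described above, as an added example that is not part of the original post: a simplified model of how a NAT box handles unsolicited inbound packets, showing that ESP (IP protocol 50) has no port for a port-forward rule to match and that a DMZ host receives everything else as well. The addresses, the port-forward entry and the function names are constructed for illustration, and real routers differ in detail.

```python
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {6: "tcp", 17: "udp", 50: "esp"}

def build_ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse(packet):
    """Return (protocol name, destination port or None if the protocol has no ports)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                      # IP protocol number field
    dport = None
    if proto in (6, 17):                   # only TCP and UDP carry port numbers
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return PROTO_NAMES.get(proto, str(proto)), dport

def route_inbound(packet, port_forwards, dmz_host=None):
    """Where a simplified NAT router sends an unsolicited inbound packet."""
    key = parse(packet)
    if key in port_forwards:               # explicit (protocol, port) forward
        return port_forwards[key]
    return dmz_host if dmz_host else "drop"   # no match: DMZ host, else dropped

# Constructed sample data (documentation address ranges, hypothetical hosts).
WAN, PEER, VPN_SERVER = "203.0.113.1", "198.51.100.7", "192.168.1.10"
FORWARDS = {("tcp", 443): "192.168.1.20"}

tcp = lambda dport: struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
ESP = build_ipv4(50, PEER, WAN, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)  # SPI, seq
SSH = build_ipv4(6, PEER, WAN, tcp(22))
HTTPS = build_ipv4(6, PEER, WAN, tcp(443))

if __name__ == "__main__":
    for label, pkt in (("ESP", ESP), ("TCP/22", SSH), ("TCP/443", HTTPS)):
        print(label, parse(pkt),
              "no DMZ ->", route_inbound(pkt, FORWARDS),
              "| DMZ ->", route_inbound(pkt, FORWARDS, VPN_SERVER))
```

The TCP/22 packet reaching the DMZ host in this model is the exposure the post warns about, and it is why the host needs its own firewall.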