Firewall making the use of Adaptive AP + VPN (IPSec) very limited per site?


I guess it is possible to have multiple Adaptive AP7131 on a site that is using IPSec back to the centralized RFS switch normally?

The partner claims if you have a firewall on every remote site and using the Adaptive AP7131 to tunnel back to a RFS there is limitation on IPSec protocol when going through firewall it only allows one IP on every site. This would mean RFS can only manage one AAP on every site.
Partner mention something about firewall setup with NAT/PAT problem... and the nature of IPSec protocol standard using GRE... etc..

I'm not sure if he is right on this statement.

Is this true?

End of the day they need encrypted management of AAP from RFS which is only possible using VPN/IPSec solution, asfaik.

Is there a better solution than doing this?