You can take a packet capture of traffic from your macosx client, and by reviewing the timestamps you can check and validate the keepalive intervals for NAT-T.
In this example, my vpn-concentrator is located at 192.0.2.1 & the macosx client KAs are at a 20sec interval.
The KAs will ensure the firewall doesn't close the UDP sessions from the connections and/or nat-transaction tables.
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
=( * * )=