Some VPN protocols aren't NAT 'aware'. There are two ways to solve this: use a protocol that's NAT 'aware', or let the router/firewall modify the packet. These settings allow the router to modify the VPN IP inside a packet. So it NATs the original packet (as normal NAT does) and it NATs the VPN packet inside it.