I have a customer that is trying to allow a vendor through their MX100 using 1:1 NAT.
They have some time and attendance software, Executime (https://www.tylertech.com/products/executime), that according to their IT Vendor, can only use ESP as their IPsec protocol. The Meraki MX only supports NAT-T. Do you have any ideas? Do any of you use Executime?
If the IPsec vendor only supports ESP and not NAT-T for their IPsec, then it isn't going to work through NAT anyway.
If they do support NAT-T, then udp/500 and udp/4500 need to be port forwarded. Note that these are used for client VPN, so if you do forward these ports from the WAN IP of the MX, client VPN will stop working.
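
To see which of the two cases in the reply above a vendor's traffic falls into, this added example (not part of the original thread) classifies raw IPv4 packets as native ESP (IP protocol 50) or as NAT-T traffic on udp/500 and udp/4500 as defined in RFC 3948. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

ESP_PROTO, UDP_PROTO = 50, 17      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # udp/500 (IKE), udp/4500 (NAT-T)

def classify_ipsec(packet: bytes) -> str:
    """Say how a raw IPv4 packet carries IPsec traffic, if at all."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if packet[9] == ESP_PROTO:
        return "native-esp"                    # no ports: a port forward cannot match it
    if packet[9] != UDP_PROTO or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    payload = packet[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"            # RFC 3948 one-byte keepalive
        if payload[:4] == b"\x00" * 4:
            return "ike-over-natt"             # non-ESP marker precedes IKE
        return "esp-in-udp" if len(payload) >= 8 else "other"
    return "ike" if IKE_PORT in (sport, dport) else "other"

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20")) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, seq, dummy data
SAMPLES = {
    "vendor sends protocol 50": ipv4(ESP_PROTO, ESP_BODY),
    "IKE on udp/500": ipv4(UDP_PROTO, udp(500, 500, b"\x11" * 28)),
    "IKE on udp/4500": ipv4(UDP_PROTO, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "ESP in udp/4500": ipv4(UDP_PROTO, udp(4500, 4500, ESP_BODY)),
    "NAT keepalive": ipv4(UDP_PROTO, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:26} -> {classify_ipsec(pkt)}")
```

Feeding it packets from a capture taken on the WAN side shows whether the peer is sending protocol 50 or udp/4500 before any forwarding rule is changed.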