If the IPSec vendor only supports ESP and not NAT-T for their IPSec - then it isn't going to work through NAT anyway.
If they do support NAT-T then udp/500 and udp/4500 need to be port forwarded. Note that these are used for client VPN, so if you do forward these ports from the WAN IP of the MX, client VPN will stop working.