I have this exact same configuration and the issues you are describing. Our Sophos UTM 9 in our datacenter thinks our MXs are NAT-T when they are not. We experience the same unstable S2S IPsec VPN issues you describe. We have no problems with our remote sites on Cradlepoint, just the Meraki sites. I'm wondering if there is a way to turn off NAT-T on the Sophos and manually NAT through the MG21. I have not found a solution yet. Please update the post if you do.