L2TP over IPSec connection fails with double NAT setup

We're trying to set up VPN access for workers working from home using L2TP over IPSec. Testing from the LAN all goes well, but when trying to connect from outside the LAN, we get this error:

2016:06:28-10:36:47 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: cannot respond to IPsec SA request because no connection is known for STA.TIC.OFF.ICE/32===192.168.2.10:4500[192.168.2.10]:17/1701...STA.TIC.HO.ME:4500[192.168.1.132]:17/%any==={192.168.1.132/32}
2016:06:28-10:36:47 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to STA.TIC.HO.ME:4500
2016:06:28-10:36:47 motif pluto[18344]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION

The Sophos is behind a Ziggo router that provides internet access. Unfortunately we cannot switch that router into "bridge mode", so we're stuck with a double-NAT situation. The router does allow assigning a DMZ host, so we've made the Sophos that host.

Is there anything we can configure in UTM 9 to overcome this issue? Any help would be greatly appreciated.

Cheers,

Edwin

Please find the first part of the full IPSec log of a connection attempt (IPs anonymised using STA.TIC.HO.ME and STA.TIC.OFF.ICE) below:

2016:06:28-10:36:46 motif pluto[18344]: |
2016:06:28-10:36:46 motif pluto[18344]: | *received 788 bytes from STA.TIC.HO.ME:500 on eth2
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: received Vendor ID payload [RFC 3947]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2016:06:28-10:36:46 motif pluto[18344]: packet from STA.TIC.HO.ME:500: received Vendor ID payload [Dead Peer Detection]
2016:06:28-10:36:46 motif pluto[18344]: | preparse_isakmp_policy: peer requests PSK authentication
2016:06:28-10:36:46 motif pluto[18344]: | instantiated "L_for Remote Users" for STA.TIC.HO.ME
2016:06:28-10:36:46 motif pluto[18344]: | creating state object #4 at 0x8356e90
2016:06:28-10:36:46 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:46 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:46 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:46 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME #4: responding to Main Mode from unknown peer STA.TIC.HO.ME
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: | next event EVENT_RETRANSMIT in 10 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: |
2016:06:28-10:36:46 motif pluto[18344]: | *received 380 bytes from STA.TIC.HO.ME:500 on eth2
2016:06:28-10:36:46 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:46 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:46 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:46 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:46 motif pluto[18344]: | state object #4 found, in STATE_MAIN_R1
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME #4: NAT-Traversal: Result using RFC 3947: both are NATed
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 60 seconds
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: | next event EVENT_RETRANSMIT in 10 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: |
2016:06:28-10:36:46 motif pluto[18344]: | *received 108 bytes from STA.TIC.HO.ME:4500 on eth2
2016:06:28-10:36:46 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:46 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:46 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:46 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:46 motif pluto[18344]: | state object #4 found, in STATE_MAIN_R2
2016:06:28-10:36:46 motif pluto[18344]: | NAT-T: new mapping STA.TIC.HO.ME:500/4500)
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME:4500 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME:4500 #4: Peer ID is ID_IPV4_ADDR: '192.168.1.132'
2016:06:28-10:36:46 motif pluto[18344]: | peer CA: %none
2016:06:28-10:36:46 motif pluto[18344]: | L_for Remote Users: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
2016:06:28-10:36:46 motif pluto[18344]: | L_for Remote Users: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2016:06:28-10:36:46 motif pluto[18344]: | L_for Remote Users: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2016:06:28-10:36:46 motif pluto[18344]: | offered CA: %none
2016:06:28-10:36:46 motif pluto[18344]: | switched from "L_for Remote Users" to "L_for Remote Users"
2016:06:28-10:36:46 motif pluto[18344]: | instantiated "L_for Remote Users" for STA.TIC.HO.ME
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: deleting connection "L_for Remote Users"[7] instance with peer STA.TIC.HO.ME {isakmp=#0/ipsec=#0}
2016:06:28-10:36:46 motif pluto[18344]: | certs and keys locked by 'delete_connection'
2016:06:28-10:36:46 motif pluto[18344]: | certs and keys unlocked by 'delete_connection'
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: Dead Peer Detection (RFC 3706) enabled
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_DPD, timeout in 38 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: | inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #4
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sent MR3, ISAKMP SA established
2016:06:28-10:36:46 motif pluto[18344]: | next event EVENT_DPD in 38 seconds for #4
2016:06:28-10:36:47 motif pluto[18344]: |
2016:06:28-10:36:47 motif pluto[18344]: | *received 332 bytes from STA.TIC.HO.ME:4500 on eth2
2016:06:28-10:36:47 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:47 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:47 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:47 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:47 motif pluto[18344]: | state object not found
2016:06:28-10:36:47 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:47 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:47 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:47 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:47 motif pluto[18344]: | state object #4 found, in STATE_MAIN_R3
2016:06:28-10:36:47 motif pluto[18344]: | peer client is 192.168.1.132
2016:06:28-10:36:47 motif pluto[18344]: | peer client protocol/port is 17/65276
2016:06:28-10:36:47 motif pluto[18344]: | our client is STA.TIC.OFF.ICE
2016:06:28-10:36:47 motif pluto[18344]: | our client protocol/port is 17/1701
2016:06:28-10:36:47 motif pluto[18344]: | find_client_connection starting with L_for Remote Users
2016:06:28-10:36:47 motif pluto[18344]: | looking for STA.TIC.OFF.ICE/32:17/1701 -> 192.168.1.132/32:17/4500
2016:06:28-10:36:47 motif pluto[18344]: | concrete checking against sr#0 192.168.2.10/32 -> 0.0.0.0/0
2016:06:28-10:36:47 motif pluto[18344]: | fc_try concluding with none [0]
2016:06:28-10:36:47 motif pluto[18344]: | fc_try L_for Remote Users gives none
2016:06:28-10:36:47 motif pluto[18344]: | checking hostpair 192.168.2.10/32 -> 0.0.0.0/0 is found
2016:06:28-10:36:47 motif pluto[18344]: | fc_try trying L_for Remote Users:STA.TIC.OFF.ICE/32:17/0 -> 192.168.1.132/32:17/0 vs L_for Remote Users:192.168.2.10/32:17/1701 -> 0.0.0.0/0:17/0
2016:06:28-10:36:47 motif pluto[18344]: | fc_try concluding with none [0]
2016:06:28-10:36:47 motif pluto[18344]: | fc_try_oppo trying L_for Remote Users:STA.TIC.OFF.ICE/32 -> 192.168.1.132/32 vs L_for Remote Users:192.168.2.10/32 -> 0.0.0.0/0
2016:06:28-10:36:47 motif pluto[18344]: | fc_try_oppo concluding with none [0]
2016:06:28-10:36:47 motif pluto[18344]: | concluding with d = none
2016:06:28-10:36:47 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: cannot respond to IPsec SA request because no connection is known for STA.TIC.OFF.ICE/32===192.168.2.10:4500[192.168.2.10]:17/1701...STA.TIC.HO.ME:4500[192.168.1.132]:17/%any==={192.168.1.132/32}
2016:06:28-10:36:47 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to STA.TIC.HO.ME:4500
2016:06:28-10:36:47 motif pluto[18344]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
2016:06:28-10:36:47 motif pluto[18344]: | next event EVENT_DPD in 37 seconds for #4
2016:06:28-10:36:51 motif pluto[18344]: |
2016:06:28-10:36:51 motif pluto[18344]: | *received 332 bytes from STA.TIC.HO.ME:4500 on eth2
2016:06:28-10:36:51 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:51 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:51 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:51 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:51 motif pluto[18344]: | state object not found
2016:06:28-10:36:51 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:51 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:51 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:51 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:51 motif pluto[18344]: | state object #4 found, in STATE_MAIN_R3
2016:06:28-10:36:51 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf09afbbb (perhaps this is a duplicated packet)
2016:06:28-10:36:51 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to STA.TIC.HO.ME:4500
2016:06:28-10:36:51 motif pluto[18344]: | next event EVENT_DPD in 33 seconds for #4
2016:06:28-10:36:54 motif pluto[18344]: |
2016:06:28-10:36:54 motif pluto[18344]: | *received 332 bytes from STA.TIC.HO.ME:4500 on eth2
2016:06:28-10:36:54 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:54 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:54 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:54 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:54 motif pluto[18344]: | state object not found
2016:06:28-10:36:54 motif pluto[18344]: | ICOOKIE: f2 fe 2c 19 ea 8e 67 7c
2016:06:28-10:36:54 motif pluto[18344]: | RCOOKIE: 2f c5 e2 b5 e6 30 54 7c
2016:06:28-10:36:54 motif pluto[18344]: | peer: 54 69 21 bc
2016:06:28-10:36:54 motif pluto[18344]: | state hash entry 19
2016:06:28-10:36:54 motif pluto[18344]: | state object #4 found, in STATE_MAIN_R3
2016:06:28-10:36:54 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf09afbbb (perhaps this is a duplicated packet)
2016:06:28-10:36:54 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to STA.TIC.HO.ME:4500
2016:06:28-10:36:54 motif pluto[18344]: | next event EVENT_DPD in 30 seconds for #4
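The lookup that fails in the log above is visible in the `find_client_connection` lines: the peer proposes the office's public address (STA.TIC.OFF.ICE/32, port 1701) as the responder's end of the transport-mode selector, while the connection pluto instantiated is bound to the UTM's own WAN address (192.168.2.10/32), so no connection matches and INVALID_ID_INFORMATION goes back. The following is an added example, not part of Edwin's post and not Sophos UTM code: a small Python script that pulls those lines out of a pluto debug log and states which half of the selector did not match. The regexes, the helper names and the sample log (a constructed subset of the lines above, with the poster's anonymised placeholders left as written) are this example's own assumptions.

```python
"""Read pluto (IKEv1) debug lines and explain a Quick Mode selector mismatch.

Added example, not part of the original post or of Sophos UTM. It scans the
'find_client_connection' debug lines pluto writes when it rejects a Quick Mode
request and reports which side of the traffic selector did not match.
"""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the lines from the post above, log prefixes
# kept, anonymised addresses (STA.TIC.*) left exactly as the poster wrote them.
SAMPLE_LOG = """\
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME #4: NAT-Traversal: Result using RFC 3947: both are NATed
2016:06:28-10:36:46 motif pluto[18344]: "L_for Remote Users"[7] STA.TIC.HO.ME:4500 #4: Peer ID is ID_IPV4_ADDR: '192.168.1.132'
2016:06:28-10:36:47 motif pluto[18344]: | peer client is 192.168.1.132
2016:06:28-10:36:47 motif pluto[18344]: | our client is STA.TIC.OFF.ICE
2016:06:28-10:36:47 motif pluto[18344]: | looking for STA.TIC.OFF.ICE/32:17/1701 -> 192.168.1.132/32:17/4500
2016:06:28-10:36:47 motif pluto[18344]: | concrete checking against sr#0 192.168.2.10/32 -> 0.0.0.0/0
2016:06:28-10:36:47 motif pluto[18344]: | concluding with d = none
2016:06:28-10:36:47 motif pluto[18344]: "L_for Remote Users"[8] STA.TIC.HO.ME:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to STA.TIC.HO.ME:4500
"""

# Patterns are assumptions based on the wording of the lines above.
NAT_RE = re.compile(r"NAT-Traversal: Result using RFC 3947: (.+)$")
PEER_ID_RE = re.compile(r"Peer ID is (\S+): '([^']+)'")
LOOKING_RE = re.compile(r"looking for ([^\s:]+):(\d+)/(\d+) -> ([^\s:]+):(\d+)/(\d+)")
CONCRETE_RE = re.compile(r"concrete checking against sr#\d+ (\S+) -> (\S+)")
NOTIFY_RE = re.compile(r"sending encrypted notification (\S+) to")


def parse_pluto(text):
    """Pull the fields that matter for the selector lookup out of a pluto debug log."""
    info = {"nat": None, "peer_id": None, "requested": None, "configured": None, "notify": None}
    for line in text.splitlines():
        if (m := NAT_RE.search(line)):
            info["nat"] = m.group(1)
        elif (m := PEER_ID_RE.search(line)):
            info["peer_id"] = (m.group(1), m.group(2))
        elif (m := LOOKING_RE.search(line)):
            # What the peer asked for: our end first, then its end.
            info["requested"] = {
                "local": m.group(1), "proto": int(m.group(2)), "local_port": int(m.group(3)),
                "remote": m.group(4), "remote_proto": int(m.group(5)), "remote_port": int(m.group(6)),
            }
        elif (m := CONCRETE_RE.search(line)) and info["configured"] is None:
            # What pluto has configured: the first candidate it checked against.
            info["configured"] = {"local": m.group(1), "remote": m.group(2)}
        elif (m := NOTIFY_RE.search(line)):
            info["notify"] = m.group(1)
    return info


def address_kind(token):
    """Classify a selector address as private, public, or an anonymised placeholder."""
    host = token.split("/")[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return "placeholder"
    return "private" if addr.is_private else "public"


def diagnose(text):
    """Return (mismatch, explanation) for one Quick Mode attempt in the log."""
    info = parse_pluto(text)
    req, cfg = info["requested"], info["configured"]
    if not req or not cfg:
        return False, "no find_client_connection lines found"
    if req["local"] == cfg["local"]:
        return False, "local selector matches; look elsewhere (remote selector, proto/port, auth)"
    parts = [
        f"local selector mismatch: peer asked for {req['local']} "
        f"({address_kind(req['local'])}) proto {req['proto']} port {req['local_port']}, "
        f"connection is bound to {cfg['local']} ({address_kind(cfg['local'])})"
    ]
    if info["nat"] and "NATed" in info["nat"]:
        parts.append(f"pluto reports '{info['nat']}': the gateway itself sits behind NAT, "
                     "so the peer builds its selector from the outer public address")
    if info["peer_id"]:
        parts.append(f"peer identified as {info['peer_id'][0]} {info['peer_id'][1]}")
    if info["notify"]:
        parts.append(f"result: {info['notify']} sent to the peer")
    return True, "; ".join(parts)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)[1])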
This thread was automatically locked due to age.
Hi, Edwin, and welcome to the UTM Community!

If you're using a cert, there's nothing that can be done.  If you're using a PSK, there might be - I haven't tried the following, so please post back with the result of your attempt.

In the 'Preshared Key Settings' on the 'Advanced' tab of 'IPsec', try setting 'VPN ID Type' to "IP Address" and set the 'VPN ID' to the public IP on the Ziggo router. I always recommend selecting 'Enable probing of preshared keys', too.

Cheers - Bob

PS I can't remember an IPsec issue here that required having debug selected.  You can leave that off unless someone specifically requests a log with debug activated.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA