I'm attempting to connect to a VPN (L2TP over IPsec) server through (not to) a WatchGuard XTM 505 appliance.
I have the VPN server set up behind the firewall on a 1-to-1 NAT, and other protocols (such as HTTP traffic) are forwarded to that server just fine. Also, VPN connections to the machine work perfectly from behind the firewall (i.e. from the LAN).
I've set the following policies to "Enabled and Available" for the VPN server:
- L2TP (opens UDP 1701)
- IPsec (opens UDP 500, UDP 4500, AH and ESP)
- PPTP (opens TCP 1723 and GRE)
Yet whenever connecting from outside, I see the following logs from the XTM console:
2011-12-27 16:24:08 iked ******** RECV an IKE packet at 1.2.3.4:500(socket=11 ifIndex=4) from Peer 123.123.123.123:48165 ******** Debug
2011-12-27 16:24:08 iked IkeFindIsakmpPolicy: --> Debug
2011-12-27 16:24:08 iked Failed to find phase 1 policy for peer IP 123.123.123.123 Debug
2011-12-27 16:24:08 iked IkeFindIsakmpPolicy: <-- Debug
2011-12-27 16:24:08 iked ike_process_pkt : IkeFindIsakmpPolicy failed Debug
So it seems as if the Firebox is not forwarding this traffic to the 1-to-1 NAT as it should be; rather it seems to be attempting to act as the VPN server itself, intercepting the IKE request (but failing because I haven't configured it for VPN).
What am I missing? Is there some setting to force the firewall to forward VPN connection attempts along the NAT? Do I have to pre-configure some sort of tunnel between the firewall and the VPN server? Perhaps I need to add a static route of some sort?
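As an added example (not from the thread), a small log triage script in Python that pairs each iked RECV line with the "Failed to find phase 1 policy" line for the same peer, so you can see at a glance which inbound IKE peers the Firebox is terminating itself rather than passing on to the NAT'd host. The sample lines are constructed from the ones quoted above, plus one made-up extra peer that produces no policy failure.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the XTM iked debug lines quoted in the question.
# The second RECV (peer 198.51.100.7) is made up and has no matching failure line.
SAMPLE_LOG = """\
2011-12-27 16:24:08 iked ******** RECV an IKE packet at 1.2.3.4:500(socket=11 ifIndex=4) from Peer 123.123.123.123:48165 ******** Debug
2011-12-27 16:24:08 iked IkeFindIsakmpPolicy: --> Debug
2011-12-27 16:24:08 iked Failed to find phase 1 policy for peer IP 123.123.123.123 Debug
2011-12-27 16:24:08 iked IkeFindIsakmpPolicy: <-- Debug
2011-12-27 16:24:08 iked ike_process_pkt : IkeFindIsakmpPolicy failed Debug
2011-12-27 16:25:10 iked ******** RECV an IKE packet at 1.2.3.4:500(socket=11 ifIndex=4) from Peer 198.51.100.7:500 ******** Debug
"""

RECV_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) iked .*RECV an IKE packet at "
    r"(?P<local>[\d.]+):(?P<lport>\d+)\(socket=\d+ ifIndex=(?P<ifindex>\d+)\) "
    r"from Peer (?P<peer>[\d.]+):(?P<pport>\d+)"
)
NOPOLICY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) iked Failed to find phase 1 policy for peer IP (?P<peer>[\d.]+)"
)

@dataclass
class Finding:
    ts: str
    peer: str
    peer_port: int
    local: str
    local_port: int
    ifindex: int

def find_locally_terminated_ike(log_text):
    """Return one Finding per inbound IKE packet that iked received itself and
    then rejected for lack of a phase 1 policy. Such a pair means the firewall
    consumed the IKE traffic instead of forwarding it through the 1-to-1 NAT."""
    pending = {}   # peer IP -> last RECV match still awaiting a policy verdict
    findings = []
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            pending[m["peer"]] = m
            continue
        m = NOPOLICY_RE.match(line)
        if m and m["peer"] in pending:
            r = pending.pop(m["peer"])
            findings.append(Finding(r["ts"], r["peer"], int(r["pport"]),
                                    r["local"], int(r["lport"]), int(r["ifindex"])))
    return findings

if __name__ == "__main__":
    for f in find_locally_terminated_ike(SAMPLE_LOG):
        print(f"{f.ts} IKE from {f.peer}:{f.peer_port} hit {f.local}:{f.local_port} "
              f"(ifIndex {f.ifindex}) and was terminated on the Firebox: no phase 1 policy")
```

Feed it the raw iked log export; a peer that shows up here while it should have reached the NAT'd server is exactly the symptom described above.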
In VPN -> VPN Settings, there is an IPSec pass-through option that must be enabled:
It appears that WatchGuard intends this to be used for outbound IPSec VPN connections (from LAN clients to WAN endpoints). To make this work for inbound connections, at minimum you will need to modify the automatically generated IPSec rules to allow inbound connections instead of or in addition to outbound connections.
I would also suggest setting a policy-based NAT on your IKE rule for UDP port 500.
Reference: WSM Manual
I know this is a very old thread and has probably been resolved by now, but if you're running an old T30 / T50 Firebox and still having this L2TP connectivity issue, try this:
Providing everything else is configured correctly this should do the trick.