IPSec VPN to Linux StrongSwan
I'm beating my head against a brick wall with an IPSec VPN configuration. Here's the basic topology:
192.168.x.x (my lan) --> [FortiGate 20c] --> 10.1.10.x (wan) --> [Cisco/Comcast Router] --> 50.1.1.1 (my public IP) --> [*Internet*] --> 50.2.2.2 (peer's public IP) --> [Linux StrongSwan] --> 172.16.x.x (peer's lan)
I have put my FG (10.1.10.10) in the DMZ on the Comcast router to try and eliminate problems there.
My FG has a functioning tunnel-mode VPN already configured and working. I'm adding a second, but interface mode.
So, I've read a LOT of the manuals and forum posts, etc., but can't seem to make this go.
I have:
ThisVPN Phase 1
IP Address: 50.2.2.2 (peer's public IP)
Local Interface: wan
Authentication method: Preshared Key
Pre-shared Key: xxxxxxxxxxxx (matches with peer)
Enable IPsec Interface Mode: enabled
IKE Version: 1
Local Gateway IP: Main Interface IP (can I / should I put my public Internet IP here instead?)
P1 Proposal: AES128 / SHA512 (matches peer)
DH Group: 2, 5 (unknown if matches peer)
Keylife: 86400 seconds (matches peer)
Local ID: 50.1.1.1 (my public IP, seems to be what peer expects)
XAuth: Disabled
NAT Traversal: Enabled
DPD: Enabled
ThisVPN_P2 Phase 2
P2 Proposal: AES128 / SHA512 (matches peer)
Replay detection: enabled
PFS: disabled (matches peer)
Keylife: 86400 seconds (matches peer)
Keep alive: enabled
Auto-negotiate: enabled
Selectors: all zeroes (allow everything)
Static route:
172.16.x.x --> ThisVPN
Policies:
lan --> ThisVPN
Source: MySubnet
Dest: PeerSubnet
Sched: always
Service: all
Action: allow
ThisVPN --> lan
Source: PeerSubnet
Dest: MySubnet
Sched: always
Service: all
Action: allow
When I look at some of the debug output from the CLI, I see:
IPsec SA connect 4 10.1.10.10 -> 50.2.2.2:500
If the peer has NAT-T as I do, they will be getting an IKE request from 10.1.10.10, no? How do I fix this?
Thanks in advance for any and all help!
-Terry
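Added illustration, not part of the post above: the question at the end is exactly what NAT Traversal (RFC 3947) exists to answer. The Comcast router rewrites the IP header, so the strongSwan peer sees 50.1.1.1 as the packet source, not 10.1.10.10; each side also sends NAT-D payloads containing a hash of the address and port it believes it is using, and the receiver recomputes that hash over what it actually observed. A mismatch tells both peers a NAT is on the path and they float to UDP 4500. The script below models that check with the addresses from the topology; the IKE cookies and the use of SHA-512 (from the post's P1 proposal) are assumptions, and nothing here is FortiGate or strongSwan code.

```python
import hashlib
import ipaddress
import struct

# Constructed sample cookies (not from the original post). Each IKEv1 peer
# picks an 8-byte cookie at the start of Phase 1; both appear in the NAT-D
# hash so a payload cannot be reused across negotiations.
CKY_I = bytes.fromhex("0123456789abcdef")  # initiator cookie (FortiGate)
CKY_R = bytes.fromhex("fedcba9876543210")  # responder cookie (strongSwan)

# The Phase 1 proposal in the post is AES128/SHA512, so the negotiated hash
# (and therefore the NAT-D hash) is taken to be SHA-512.
NEGOTIATED_HASH = "sha512"


def nat_d_hash(cky_i, cky_r, ip, port, hash_name=NEGOTIATED_HASH):
    """NAT-D payload contents per RFC 3947, section 3.2:
    HASH(CKY-I | CKY-R | IP | Port), with IP as raw address bytes and Port
    as a 16-bit network-order value."""
    ip_bytes = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + ip_bytes + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_between(sender_ip, sender_port, seen_ip, seen_port, cky_i, cky_r):
    """Receiver-side check. The sender hashes the address it believes it is
    sending from; the receiver recomputes over the source address and port
    it actually observed in the UDP/IP header. A mismatch means a NAT
    rewrote the packet somewhere on the path."""
    claimed = nat_d_hash(cky_i, cky_r, sender_ip, sender_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


def simulate_phase1(fg_wan_ip, fg_public_ip, peer_ip):
    """Walk the NAT-D exchange between the FortiGate (initiator) and the
    strongSwan peer (responder) and report what each side concludes."""
    # The initiator builds its NAT-D over its own wan interface address.
    # After the Comcast router's NAT the responder sees fg_public_ip.
    initiator_behind_nat = nat_between(fg_wan_ip, 500, fg_public_ip, 500, CKY_I, CKY_R)
    # The responder sits directly on its public IP, so the address it hashed
    # is the one the initiator observes and those hashes agree.
    responder_behind_nat = nat_between(peer_ip, 500, peer_ip, 500, CKY_I, CKY_R)
    # RFC 3947: once either side detects a NAT, both move to UDP 4500 and
    # encapsulate ESP in UDP so the NAT can track the data traffic too.
    port = 4500 if (initiator_behind_nat or responder_behind_nat) else 500
    return {
        "ip_header_source_seen_by_peer": fg_public_ip,
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        "udp_port_after_detection": port,
    }


if __name__ == "__main__":
    result = simulate_phase1("10.1.10.10", "50.1.1.1", "50.2.2.2")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The debug line "IPsec SA connect 4 10.1.10.10 -> 50.2.2.2:500" only reports the address the FortiGate itself sends from; the peer never sees 10.1.10.10. What the peer does check is the IKE identity payload, which is why a Local ID of 50.1.1.1 matching the strongSwan side's expected peer ID matters more than the private wan address.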