IPsec Not Passing Packets
(2019-09-12)
Problem
IPsec tunnel to another device (in this case, a Watchguard). The tunnel shows as up on all phase 2 definitions, but no packets pass.
Diagnostics
Some exchanges appear to work, for example the IKE/IPsec negotiations and DPD communications.
Packet traces on the Fortigate show packets coming in on the tunnel, and the replies from the local target coming back to the firewall, being encrypted, and being sent out. However, the remote end acts as if that packet never gets there.
Connections initiated from the local side show outbound packets getting encrypted and transmitted; however, again, the remote end acts like that packet never gets there. (Tracing on the Watchguard appears inferior to the abilities on the Fortigate.)
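When the sending side sees ESP leave and the receiving side sees nothing usable, the quickest way to pin down "mangled in transit" versus "never arrived" is to capture the ESP stream on both ends and match packets by SPI and sequence number. The script below is an added example, not part of the original notes or of any vendor tool: it indexes two captures (assumed to contain only the ESP portion of each packet, outer IP header already stripped) and reports which sent packets arrived intact, arrived with a changed payload, never arrived, or showed up at the receiver with an SPI/sequence pair the sender never emitted (what you would expect if an ALG rewrote the SPI). The sample captures are constructed inline.

```python
"""Compare ESP packets captured at local egress with those seen at remote ingress.

Added example for diagnosing a device (such as an ISP modem's IPsec ALG) that
alters or drops ESP in transit. Captures below are constructed, not real traffic.
"""
import hashlib
import struct

# ESP header (RFC 4303): 4-byte SPI, 4-byte sequence number, then the payload.
ESP_HEADER = struct.Struct("!II")


def parse_esp(packet: bytes):
    """Return (spi, seq, payload_digest) for one raw ESP packet, or None if too short."""
    if len(packet) < ESP_HEADER.size:
        return None
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    # Hash everything after the header so any byte change in transit is visible.
    digest = hashlib.sha256(packet[ESP_HEADER.size:]).hexdigest()
    return spi, seq, digest


def index_capture(packets):
    """Map (spi, seq) -> payload digest for every parseable ESP packet in a capture."""
    idx = {}
    for pkt in packets:
        parsed = parse_esp(pkt)
        if parsed:
            spi, seq, digest = parsed
            idx[(spi, seq)] = digest
    return idx


def compare_captures(sent, received):
    """Classify each packet the local side sent by what the remote side saw."""
    sent_idx = index_capture(sent)
    recv_idx = index_capture(received)
    report = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for key, digest in sorted(sent_idx.items()):
        if key not in recv_idx:
            report["missing"].append(key)      # dropped somewhere in the path
        elif recv_idx[key] != digest:
            report["modified"].append(key)     # same SPI/seq, different bytes
        else:
            report["intact"].append(key)
    # Packets the receiver saw that the sender never emitted, e.g. a rewritten SPI.
    report["unexpected"] = sorted(k for k in recv_idx if k not in sent_idx)
    return report


def make_esp(spi, seq, payload):
    """Build a minimal ESP packet (header + opaque payload) for the constructed sample."""
    return ESP_HEADER.pack(spi, seq) + payload


# Constructed sample: three ESP packets leave the FortiGate. The remote end sees
# the first intact, the second with altered payload bytes, and never sees the third.
SPI = 0xC0FFEE01  # hypothetical SPI value
LOCAL_EGRESS = [
    make_esp(SPI, 1, b"\x10" * 32),
    make_esp(SPI, 2, b"\x20" * 32),
    make_esp(SPI, 3, b"\x30" * 32),
]
REMOTE_INGRESS = [
    make_esp(SPI, 1, b"\x10" * 32),
    make_esp(SPI, 2, b"\x20" * 31 + b"\xff"),
]

if __name__ == "__main__":
    result = compare_captures(LOCAL_EGRESS, REMOTE_INGRESS)
    for status, keys in result.items():
        for spi, seq in keys:
            print(f"{status:10} spi=0x{spi:08x} seq={seq}")
```

Run against real captures, a batch of "modified" entries with matching sequence numbers points at something rewriting packets between the two firewalls rather than at the tunnel configuration, which is exactly the situation the next section describes; a batch of "missing" plus "unexpected" entries suggests the SPI itself is being rewritten.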
Highly Specific Local Solution
ISP at the local end provided an Arris modem of some kind that had an IPsec Application Layer Gateway (ALG) enabled on it. Even though the modem was not in NAT mode, it was still molesting outbound packets on the way out, (SPECULATION:) presumably in such a way that they would look corrupted when they arrived at the far end; because the Watchguard wasn't configured to let us know such a thing, they were silently discarded (/SPECULATION).
Anyways, turn that ALG shit off and it worked immediately.