I'm glad you have it working and thanks a lot for posting back what your problem was and how you resolved it. I'm sure it'll help others.
Page 59 here http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-installation.pdf in the section on "Configuring a Back-End Firewall to Support IPsec" does talk about the need to allow esp to pass through.
I think this KB article - kb.vmware.com/kb/2033171 exactly describes your problem and refers to the section on Configuring a Back-End Firewall to Support IPsec (including the esp rule) above.
Out of interest, did your external firewall log show that it had blocked the esp protocol?
Mark.