Subject: Re: IPsec question
To: Dan McMahill <mcmahill@mtl.mit.edu>
From: Greg Troxel <gdt@ir.bbn.com>
List: netbsd-users
Date: 08/14/2003 08:59:08
There are two separate issues lurking here.  One is passing ESP (and
perhaps AH) packets, as well as port 500 for IKE.  This can even be
stateful, so IPsec SAs can only be initiated from 'inside'.  I suspect
that IPsec passthrough is listed as a 'feature' because firewalls
often tend to not forward unknown protocols, and some people view
IPsec as dangerous since they can't filter on ports within it.

The other issue is NAT.  NAT with IPsec is messy - basically the far
side (with a real address) has to install the SA with the NATed
address.  The second messy part is that if there are multiple clients,
the NAT box can't determine where to send the inbound ESP packets.  So
there is ESP-in-UDP encapsulation onto port 500, and an IKE cookie of
all zero is used to distinguish the ESP packet from IKE.  This way the
NAT entry stays alive for IKE or data, and there is fate-sharing
between them.  This technique is also used to get through firewalls
that don't pass ESP.  I'm just mentioning this because I suspect this
will be your next problem.

An actual ipf config fragment (addresses redacted):

# Inbound ESP (IP protocol 50) from the remote network
pass in proto esp from XX.YY.ZZ.0/MM to any
# Inbound IKE (ISAKMP): UDP, source and destination port 500
pass in proto udp from XX.YY.ZZ.0/MM port = 500 to any port = 500

-- 
        Greg Troxel <gdt@ir.bbn.com>
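The demultiplexing the message above describes, as an added example (not code from the original post, from NetBSD or from ipf): a receiver on UDP port 500 separates UDP-encapsulated ESP from IKE by looking for an all-zero "IKE cookie" in front of the ESP packet, which a genuine IKE message can never carry. The 8-byte width of that marker is an assumption taken from the IKEv1 cookie size in RFC 2409; the post only says "IKE cookie of all zero". The example also goes beyond the post to handle the scheme later standardised in RFC 3948 on UDP port 4500, where the roles are reversed (a 4-byte zero Non-ESP Marker precedes IKE and ESP is sent bare, relying on SPI 0 being reserved). All packets are constructed in memory; nothing is sent on the network.

```python
"""Demultiplex UDP-encapsulated IPsec traffic on one UDP port.

Added example, not from the original post or from NetBSD/ipf.
Port 500: ESP is prefixed with 8 zero bytes (assumed width, IKEv1 cookie
size) where an IKE initiator cookie would sit; IKE is sent as-is.
Port 4500 (RFC 3948): IKE is prefixed with a 4-byte zero Non-ESP Marker;
ESP is sent bare (SPI 0 is reserved, so its first word is nonzero).
"""
import struct
from dataclasses import dataclass

NON_IKE_MARKER = b"\x00" * 8     # port 500 style: precedes ESP
NON_ESP_MARKER = b"\x00" * 4     # port 4500 style: precedes IKE
IKE_HDR = struct.Struct("!8s8sBBBBII")  # icookie rcookie np ver xchg flags msgid len
ESP_HDR = struct.Struct("!II")          # spi seq


@dataclass
class Esp:
    spi: int
    seq: int
    payload: bytes


@dataclass
class Ike:
    init_cookie: bytes
    resp_cookie: bytes
    exchange_type: int
    message_id: int
    payload: bytes


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return ESP_HDR.pack(spi, seq) + payload


def build_ike(init_cookie: bytes, exchange_type: int, body: bytes) -> bytes:
    # Responder cookie zero (first message), next payload 1 (SA), version 1.0,
    # no flags, message id 0; length covers header plus body.
    hdr = IKE_HDR.pack(init_cookie, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0,
                       IKE_HDR.size + len(body))
    return hdr + body


def parse_esp(data: bytes) -> Esp:
    if len(data) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(data)
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved")
    return Esp(spi, seq, data[ESP_HDR.size:])


def parse_ike(data: bytes) -> Ike:
    if len(data) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    icookie, rcookie, _np, _ver, xchg, _flags, msgid, length = IKE_HDR.unpack_from(data)
    if icookie == b"\x00" * 8:
        raise ValueError("IKE initiator cookie must not be zero")
    if length != len(data):
        raise ValueError(f"IKE length {length} != datagram length {len(data)}")
    return Ike(icookie, rcookie, xchg, msgid, data[IKE_HDR.size:])


def demux(udp_port: int, payload: bytes):
    """Return an Esp or Ike object for a UDP payload seen on udp_port."""
    if udp_port == 500:
        if payload.startswith(NON_IKE_MARKER):
            return parse_esp(payload[len(NON_IKE_MARKER):])
        return parse_ike(payload)
    if udp_port == 4500:
        if payload.startswith(NON_ESP_MARKER):
            return parse_ike(payload[len(NON_ESP_MARKER):])
        return parse_esp(payload)
    raise ValueError(f"not an IPsec UDP port: {udp_port}")


def classify(udp_port: int, payload: bytes) -> str:
    """'esp', 'ike' or 'invalid'; a string is handy for a firewall log line."""
    try:
        return "esp" if isinstance(demux(udp_port, payload), Esp) else "ike"
    except ValueError:
        return "invalid"


# Constructed sample traffic, not captured from any real system.
SAMPLE_ESP = build_esp(0x1000ABCD, 7, b"opaque ciphertext")
SAMPLE_IKE = build_ike(bytes(range(1, 9)), 2, b"SA payload bytes")  # xchg 2 = identity protection

if __name__ == "__main__":
    print(demux(500, NON_IKE_MARKER + SAMPLE_ESP))   # ESP behind zero cookie on 500
    print(demux(500, SAMPLE_IKE))                     # IKE on 500
    print(demux(4500, NON_ESP_MARKER + SAMPLE_IKE))  # IKE behind Non-ESP Marker on 4500
    print(demux(4500, SAMPLE_ESP))                    # bare ESP on 4500
    print(classify(500, SAMPLE_ESP))                  # bare ESP on 500 is rejected as bad IKE
```

The last case is the one worth noting on a firewall: an ESP packet dropped on port 500 without the zero marker is indistinguishable from a malformed IKE message, so a receiver that only checks the first bytes would hand it to the IKE daemon.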