This is what I think. Thank you for confirming it. 

Good to know that!  Would you mind sharing with me the final topology? It would be interesting for me to find out if this is what I have in my mind.

The "allow" ACL rules are not necessary.

Unlike Cisco IOS/ASA, you don't need to create ACLs manually to allow VPN traffic. Just setting up the tunnel will automatically allow and NAT exempt such traffic. Regarding the disappeared NAT-T setting, that is indeed weird. Not sure if the reboot ...

That setup is supposed to work, so you might want to try again. Otherwise you can also back up the config file and open a support case to check where the problem is.