It's confusing at first, but let me give it a go: input | output is not the same thing as the preferred command. The preferred command is used to specify a protocol while on the device, so if you mistype something you get this: router2#shurn % Unknown ...
I know this one is old, but what I don't see on your firewall is AH and ESP; I only see GRE. Also, are you trying to offload the IPsec protection to this firewall?