Several things you may need to verify:
i. The concentrator has a public IP NAT on the firewall: not PAT, but NAT.
ii. The firewall permits all the required traffic, including UDP 500 and UDP 4500; depending on whether IPsec over TCP has been enabled, you will also need to permit that.