@keyser Thanks for your input. Your advice helped me validate that the IPSec VPN was working and gave me insight into my flawed testing approach. Let me share some background on what I was doing; perhaps this thread will help someone else in the future.
Network Configuration
192.168.0.254 is the LAN1 interface IP of the firewall.
The firewall is configured as a DNS resolver to 1.1.1.1 and 1.0.0.1 for the LAN1, WAN1 and Localhost interfaces.
The firewall DNS resolver has an override for the xxx.org domain to use 192.168.0.110 and 192.168.0.111, which are DCs on the local network.
192.168.0.110 and 192.168.0.111 point to 192.168.0.254 for upstream DNS.
The DCs run an IPv4 DHCP server with scope 192.168.0.0/24.
LAN clients are allocated an IP address out of this range and passed 192.168.0.110 and 192.168.0.111 as DNS servers and 192.168.0.254 as the gateway.
DNS Resolution
Internal DNS serves gateway.xxx.org as 192.168.254.
75.x.y.65 is the WAN1 interface IP.
External DNS serves gateway.xxx.org as 75.x.y.65.
I was testing from a laptop which was connected to the LAN. Since I was not outright blocked, and since it seemed like the RADIUS authentication testing was working, I assumed there was something wrong with my IPSec configuration. It was not until I saw in the logs that it was not finding an IPSec profile, and read your comment about receiving the inbound request at the private IP, that I realized that the problem likely was that I was connected to the LAN. I disconnected from the LAN, tethered the laptop to a hotspot as a test and attempted to connect to the VPN and BINGO - worked first time. I then further refined my Phase 1 and Phase 2 as follows:
Phase 1 Proposal
[Screenshot: Phase 1 proposal settings]
Phase 2 Proposal
[Screenshot: Phase 2 proposal settings]
Windows 11 Client Configuration
[Screenshot: Windows 11 client configuration]
I validated this configuration from the hotspot-connected laptop and everything worked great! It would be great if I could test IPSec connectivity from a LAN-connected device without disconnecting and tethering to the hotspot, but it sounds like this may not be possible based on your response.
Thanks again!