Actually yes, I was able to figure this one out.
I was able to fix it. I contacted their tech folks and found out that the VPN client uses standard ports to initiate communications and also to authenticate (443, 4500, 500, etc.). But when it goes into the authenticated role, the protocols it uses are ESP and GRE.
I know, right? So, in short, the initial communication is established over the common IPsec ports, but once authenticated, and in order to take advantage of the big pipe facing the internet, they must be able to communicate back to their VPN appliance over the mentioned protocols.
I hope that makes sense. Sometimes my mind races with thoughts and ideas but my fingers write gibberish...