Thank you both for your help! The reason there were two rules is that I figured I'd create one for each direction. In practice, the one worked and the other didn't, and then thanks to your helpful nudge I realized that I hadn't enabled bidirectional on the one that was working. Another element was getting the security policies set as well; apparently (correct me if I'm wrong) while the NAT policies get processed before the security policies, if the NAT is working but security rules don't allow the traffic, it still won't increment the NAT or show up in the traffic logs.
I've tweaked it, disabled the nonworking NAT policy, and updated the security policies needed in addition to the existing in and out policies for the IPsec tunnel. Attached are the working NAT policy and security policies for this, for the benefit of others with a similar question.