AWS Site-to-Site VPN authentication failing for Customer Gateway behind NAT device

We are creating an AWS Site-to-Site VPN connection between a client's on-premise network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key).

In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 1.0.0.1) but using IP address 2 (e.g. 1.0.0.2) as an ID. When we setup strongSwan to authenticate against IP address 2 (e.g. 1.0.0.2), the connection was established successfully. We have since learned that IP address 1 (e.g. 1.0.0.1) is their NAT device, and IP address 2 (e.g. 1.0.0.2) is their customer gateway device.

To my question: how can I setup the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 1.0.0.1, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 1.0.0.2, customer gateway device) they can't connect at all.