Do not set 'External Certificate Authority' when createing the IPsec tunnel on the Satellite site.

You have to open up TCP-443 and UDP-4501 for LSVPN to work.

Unless we are doing dynamic routing, we do not need to put an IP on the tunnel interface of the satellite as it will get an IP anyway.

All firewalls must trust a common CA certificate. That CA certificate and private key needs to be on the firewall that hosts the Portal. You must select that certificate under Networks→GP→Portal→Satellite→Issuing Certificate.