The VPN connection is only successful when the firewall is disabled.

ESET Smart Security
Version 3.0.650.0

Filtering mode:
Interactive

Set Protection mode:
Allow sharing on company subnet.
Allow sharing on private subnet.

IKE Daemon allowed and rule created when prompted on first connection attempt.

ESET Smart Security does not prompt for anything else.

Nothing in logs.

I uninstalled ESET SSS, restarted.
Installed ESET SSS (same version, no newer available for trial).
Entered advanced setup as before.
Set the firewall to interactive mode as before.
Allowed sharing in both zones (on company LAN, on private LAN) as before.

This time SSS caught requests for port 4500 (NAT-T) and inbound traffic for IKE (500). The first time it only requested me to handle outbound traffic for IKE (500).

I "love" the non-scientific approach (uninstall, install) that solved this problem.

PS: SSS then added one outbound rule for the VPN client with no restrictions; same for inbound. I manually added a rule with no restrictions earlier as well, which allowed both directions TCP & UDP.