• Replacing Cisco VPN infrastructure with pfSense?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    There isn't any documentation for it yet. You can get an idea of what it supports by perusing the code here:
    https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.auth-user.php#L127
    https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.attributes.php

  • IPSEC not connecting all of a sudden

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    R

Thanks for the quick response. The networking guy's not playing nice. They screwed up and aren't fessing up.

  • Problematic IPSec connection dies and doesn't reconnect.

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    J

    Is there a way to change the default ports for IPSec (500 and 4500) in pfSense?
Primarily only the ports that pfSense uses for sending requests, not for listening, as I am not sure if I can change the ports in the Fritzbox.
    Can I route, for example, incoming port 4501 with the NAT rules to internal port 4500? Can I route outgoing port 4500 to e.g. 4501?

    EDIT

    Ohh, the installed version is 2.0.2-RELEASE (i386) BTW :D

  • S2S IPSEC ignores remote side traffic and times out.

    Locked
    1
    0 Votes
    1 Posts
    867 Views
No one has replied

  • Mobile user not shown in the status

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J

    I am using Pre-Shared Keys only, so this seems to be the problem.

    Thank you very much.

  • Need to make IPSec auth from FreeIPA

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    B

Ok, so I don't need to worry about them having group access to VPN stuff as long as I'm on 2.1beta and the auth inside the IPSec config is set for the LDAP Server?

  • Ipsec nat problem

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E

2.1 is stable nowadays.
Just some snapshots might have issues due to how snapshots work and development going on.

For the ipsec HA setup you would need different remote ip addresses since it's still not possible to bind ipsec to a failover group or assign the same remote peer to 2 different tunnels.

  • IOS mobile IPSec connectivity [screenshots]

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    B

    @jimp:

    make sure the client(s) are also set to use NAT-T, and make sure nothing is blocking UDP/4500 between the clients and the firewall

    Clients are iOS 6 devices on 3G, so no in-depth settings there. Firewall is open:
    https://www.evernote.com/shard/s12/sh/659a1b61-92b4-470e-8d3c-f6c40616ce51/24d11db24ce72f1e9383166dfdcdb1e4/deep/0/Screenshot%202/4/13%204:00%20PM.jpg

  • My first site-2-site ipsec tunnel with pfsense

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    You can't use NAT and IPsec together unless you're on a recent 2.1 snapshot.

  • Shared IP – IPSec and GRE PPTP --

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J

    @Phonebuff:

    I know the PPTP is not going to be an issue but would the IPSec tunnel conflict with a GRE port forward ?

    GRE is a protocol, not a port.  Provided you permit GRE ingress, the mapping should be handled by NAPT.

    I have to admit that I've never had a PPTP server behind pfSense (pfS does the VPN thing very well all by itself), but from my experience of this on Cisco AdvSec/K9 installations: Port forward 1723 from the WAN IP to the internal PPTP server and GRE pass any-to-LAN on the WAN ingress rules.

    Hope that helps

  • HELP Please: IPSEC to/from Amazon VPN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    A better trace.

    [2.0.2-RELEASE][admin@pfsense.localdomain]/root(11): racoon -F -v -f /var/etc/racoon.conf
    Foreground mode.
    2013-01-26 18:06:35: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    2013-01-26 18:06:35: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    2013-01-26 18:06:35: INFO: Reading configuration from "/var/etc/racoon.conf"
    2013-01-26 18:06:35: INFO: ###.###.###.###[4500] used for NAT-T
    2013-01-26 18:06:35: INFO: ###.###.###.###[4500] used as isakmp port (fd=7)
    2013-01-26 18:06:35: INFO: ###.###.###.###[500] used for NAT-T
    2013-01-26 18:06:35: INFO: ###.###.###.###[500] used as isakmp port (fd=8)
    2013-01-26 18:06:36: INFO: IPsec-SA request for 205.251.233.121 queued due to no phase1 found.
    2013-01-26 18:06:36: INFO: initiate new phase 1 negotiation: ###.###.###.###[500]<=>205.251.233.121[500]
    2013-01-26 18:06:36: INFO: begin Identity Protection mode.
    2013-01-26 18:06:36: INFO: IPsec-SA request for 205.251.233.122 queued due to no phase1 found.
    2013-01-26 18:06:36: INFO: initiate new phase 1 negotiation: ###.###.###.###[500]<=>205.251.233.122[500]
    2013-01-26 18:06:36: INFO: begin Identity Protection mode.
    2013-01-26 18:06:36: INFO: received Vendor ID: DPD
    2013-01-26 18:06:36: INFO: received Vendor ID: DPD
    2013-01-26 18:06:36: INFO: ISAKMP-SA established ###.###.###.###[500]-205.251.233.121[500] spi:1ee34d6e99489278:653e1800428e4e9e
    2013-01-26 18:06:36: INFO: ISAKMP-SA established ###.###.###.###[500]-205.251.233.122[500] spi:f1ff1e51933d7b6a:7c457666c24352b8
    2013-01-26 18:06:37: INFO: initiate new phase 2 negotiation: ###.###.###.###[500]<=>205.251.233.121[500]
    2013-01-26 18:06:37: INFO: initiate new phase 2 negotiation: ###.###.###.###[500]<=>205.251.233.122[500]
    2013-01-26 18:06:37: INFO: IPsec-SA established: ESP ###.###.###.###[500]->205.251.233.121[500] spi=61646745(0x3aca799)
    2013-01-26 18:06:37: INFO: IPsec-SA established: ESP ###.###.###.###[500]->205.251.233.121[500] spi=70676050(0x4366e52)
    2013-01-26 18:06:37: INFO: IPsec-SA established: ESP ###.###.###.###[500]->205.251.233.122[500] spi=223058808(0xd4b9b78)
    2013-01-26 18:06:37: INFO: IPsec-SA established: ESP ###.###.###.###[500]->205.251.233.122[500] spi=4066502990(0xf261e94e)

  • L2TP over IPSec, dynamic IP and Roadwarrior

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    I don't recall exactly how they had it set. Details are in the howto here on the forum somewhere.

  • IpSec site to site no traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
No one has replied

  • IPSec - Clashing networks

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    jimpJ

    Many people already are. It's perfectly stable for most deployments. There are still a couple rough edges here and there but not ones that most people would hit.

  • VPN ipsec in android 4.2

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    R

Thanks for your quick response!

I will survey another way to set up an l2tp/ipsec vpn.

    thank you very much.

  • No route to vpn on one machine.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J

    This worked wonderfully! Thank you, this has been driving me mad for so long.

  • IPSEC with v2.0.3 amd64 mobile client and OSX 10.6.8

    Locked
    1
    0 Votes
    1 Posts
    1k Views
No one has replied

  • Site to Site IPSEC Through Central Location

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    It can work but you need to make changes to both IPsec tunnels so that they include networks for Host 1 and Host 2.

  • Ignoring Peer ID in IPsec…

    Locked
    1
    0 Votes
    1 Posts
    1k Views
No one has replied

  • Configure vpn tunnel pfsense to monowall - ipsec

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C

    The screens are largely the same between them. Just match up the phase 1 and 2 settings.

    http://doc.pfsense.org/index.php/VPN_Capability_IPsec
    http://doc.m0n0.ch/handbook/ipsec.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.