There are two ways I'd approach this. The quicker way is to look for clues in the firewall log on both ends of the IPSec tunnel. If that doesn't yield anything, then go through the process, step by step, of what has to happen for a workstation to update group policies and try to determine where the break is.
For the first method, make sure pfSense is logging traffic handled by all firewall rules. You'll probably want to turn this off when done because it can get voluminous (unless you have a syslog server that stores them for you, in which case, log away). Also make sure you are logging on both pfSense boxes at either end of the tunnel.
Have the affected workstation run a gpupdate. After it fails, check the firewall log in pfSense at both ends of the tunnel. Look for traffic to or from the DC's IP address being blocked. The log can be found at Status -> System Logs -> Firewall. You can Ctrl+F search the page for the DC's IP address to find what you're looking for pretty quickly.
This will tell you if a firewall rule is blocking the traffic.
Now, failing that, you'll need to do a more in-depth look into the problem.
Without seeing your environment it's hard to say, but most AD related problems can be traced to DNS resolution problems of some kind. One cause of that is firewall rules blocking traffic, which the first step should eliminate as an issue.
Try running nslookup <domain.com> from a command prompt on the affected workstation. If you do not get back your DC's IP address, then you have a DNS resolution issue. There are several causes of DNS issues. Check the affected workstation's DNS server addresses, and then make sure each of those DNS servers is answering DNS requests. Use nslookup <domain.com> <ip address of DNS server> to test each one. One problem I've seen is if you have your DC as primary DNS server and then your ISP's public DNS server as a fallback, you can get into a situation where name resolution to internet sites will work but resolution to internal hosts won't. If your primary DNS server (your DC in this case) is not answering DNS queries from your workstation, for whatever reason, then the ISP's DNS server might be queried instead; the ISP's server won't be able to resolve internal host names. This would break communication between your workstations and DCs through an IPSec tunnel. In this case you'd want to determine why the DC is not answering DNS requests. This can be a firewall issue in pfSense; it can also be a Windows Server Firewall issue on the DC.
This is a good starting point. Verify that DNS resolution works as expected and correct the issue if it doesn't.
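The firewall-log check from the first method, written as an added example that is not part of the answer above: it scans exported pfSense firewall log lines and keeps only entries whose action is `block` and whose source or destination is the DC. It assumes the raw `filterlog` CSV layout pfSense writes to syslog (IPv4 fields only; IPv6 lines use a different layout and are skipped). The log lines, the DC address 10.0.0.10 and the workstation address 192.168.1.50 are constructed for the example.

```powershell
# Added example (not from the original post): find pfSense log entries that block
# traffic to or from the domain controller. Assumes the raw filterlog CSV format;
# the sample lines and the addresses 10.0.0.10 (DC) / 192.168.1.50 (workstation)
# are constructed.

$DcIp = '10.0.0.10'

# Constructed sample lines in pfSense's filterlog syslog format.
$SampleLog = @'
Mar  1 12:00:01 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,10.0.0.10,49152,389,0,S,123456789,,65535,,mss
Mar  1 12:00:02 pfSense filterlog[12345]: 100,,,1000000200,ipsec0,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,78,192.168.1.50,10.0.0.10,51000,53,58
Mar  1 12:00:03 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12347,0,none,17,udp,60,10.0.0.10,192.168.1.50,53,51000,40
Mar  1 12:00:04 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.1.51,10.0.0.20,49153,445,0,S,987654321,,65535,,mss
'@

function Find-BlockedDcTraffic {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string]$DcAddress
    )
    foreach ($line in $LogLines) {
        # Keep only the CSV payload that follows "filterlog[pid]: ".
        if ($line -notmatch 'filterlog\[\d+\]:\s*(.+)$') { continue }
        $f = $Matches[1] -split ','
        # IPv4 field layout: 3 tracker, 4 interface, 6 action, 7 direction,
        # 8 ip-version, 16 protocol name, 18 source, 19 destination, 20/21 ports.
        if ($f.Count -lt 22 -or $f[8] -ne '4') { continue }   # IPv6 layout differs; skipped here
        if ($f[6] -ne 'block') { continue }
        if ($f[18] -ne $DcAddress -and $f[19] -ne $DcAddress) { continue }
        [pscustomobject]@{
            Tracker     = $f[3]
            Interface   = $f[4]
            Direction   = $f[7]
            Protocol    = $f[16]
            Source      = "$($f[18]):$($f[20])"
            Destination = "$($f[19]):$($f[21])"
        }
    }
}

$hits = Find-BlockedDcTraffic -LogLines ($SampleLog -split "`r?`n") -DcAddress $DcIp
$hits | Format-Table -AutoSize
```

With the constructed input, the first and third lines are reported (LDAP to the DC and a DNS reply from it, both blocked on igb0); the passed packet and the unrelated hosts are dropped. The Tracker column is the rule ID pfSense shows next to each log entry, so it leads straight to the rule that needs attention. Running this against logs from both ends of the tunnel answers the question the first method asks.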
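The per-server nslookup test from the second method, as an added example rather than anything from the answer itself: it queries every IPv4 DNS server configured on the workstation for the domain's A record, checks whether the DC's address comes back, and also asks each server for the `_ldap._tcp.dc._msdcs` SRV record that the DC locator needs before a gpupdate can proceed. The domain `corp.example` and DC address 10.0.0.10 are placeholders; `-DnsOnly` is used so the cache and hosts file do not mask a server that is not answering.

```powershell
# Added example (not from the original post): repeat "nslookup <domain> <server>"
# against each configured DNS server and report which ones return the DC.
# 'corp.example' and 10.0.0.10 are placeholder values.

$Domain       = 'corp.example'
$ExpectedDcIp = '10.0.0.10'

function Test-DnsServersForDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$DcAddress
    )
    # Every IPv4 DNS server configured on any interface, deduplicated.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

    foreach ($server in $servers) {
        $result = [ordered]@{
            Server = $server; ARecord = $null; ReturnsDc = $false; DcLocatorSrv = $null; Error = $null
        }
        try {
            # Same as: nslookup corp.example <server>, bypassing cache and hosts file.
            $a = Resolve-DnsName -Name $DomainName -Type A -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
            $result.ARecord   = ($a.IPAddress -join ',')
            $result.ReturnsDc = [bool]($a.IPAddress -contains $DcAddress)

            # gpupdate relies on the DC locator SRV record, not only the domain's A record.
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            $result.DcLocatorSrv = ($srv.NameTarget -join ',')
        } catch {
            # A public (ISP) resolver, or a DC whose DNS is unreachable, ends up here.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-DnsServersForDomain -DomainName $Domain -DcAddress $ExpectedDcIp | Format-Table -AutoSize
```

A healthy workstation shows `ReturnsDc` true and a populated `DcLocatorSrv` for every server; a row with an error or with `ReturnsDc` false for the DC's own address points at the DC not answering through the tunnel, while an error only on the ISP's server is the fallback-resolver situation the answer describes.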