Update on this - I disabled this tunnel in pfSense and created a new one by copy/pasting all settings, including the PSK, from the old tunnel to the new tunnel. I still cannot initiate a connection from the pfSense side. There is nothing in the logs that indicates any attempt at creating a new tunnel, nothing referencing the far side IP - it's not doing a thing.
But with the new tunnel, I can successfully initiate the tunnel from the far end. When I do this, there are two shown in Status -> IPsec - one that is connected, and one that is not. If I disable the new tunnel and re-enable the old tunnel and try to connect from the far side, I get the same MAC mismatched failure again. Switch back to the new tunnel - with the exact same settings - and it works.
Something's still not right. Anyone got any ideas? I'd sure like to be able to initiate from my end.