pfSense IPsec VPN not listening on port 500?
ANSWER:
IKE traffic to establish a phase 1 tunnel runs over port 500 of the UDP protocol; a typical port scan only checks TCP ports. This is because it’s much harder to simply ‘check’ a UDP port for openness without knowing what protocol is operating on the port – many services won’t respond to a UDP packet that’s malformed, and many systems won’t send ICMP unreachable responses to indicate a non-listening UDP port. See -sU scan section here for more information.
Check the logs on the pfSense device, and turn up logging verbosity if necessary, to get some information on what’s going on with the connection attempts.
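The three outcomes a UDP check can see, as an added example that is not part of the original answer: a reply, an ICMP port-unreachable error, or silence that cannot distinguish a listening service from a filtered port. The names `probe_udp` and `parse_isakmp_header` are hypothetical, and the loopback demo is constructed.

```python
import socket
import struct

def probe_udp(host, port, payload, timeout=1.0):
    """Send one datagram and classify the port from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors reach recv()
        try:
            s.send(payload)
            return "open", s.recv(4096)
        except ConnectionRefusedError:
            return "closed", b""         # ICMP port unreachable was returned
        except socket.timeout:
            return "open|filtered", b""  # silence: listener, filter, or loss

def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP/IKE header (RFC 2408), or None."""
    if len(data) < 28:
        return None
    (_icookie, _rcookie, _next, version, exchange,
     _flags, _msgid, length) = struct.unpack("!8s8sBBBBII", data[:28])
    return {"version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exchange, "length": length}

if __name__ == "__main__":
    # Constructed demo on loopback: a bound socket that never answers,
    # standing in for a service that ignores a datagram it cannot parse.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    print(probe_udp("127.0.0.1", port, b"not-ike", timeout=0.5)[0])
    listener.close()
```

A reply from UDP 500 that parses as an ISAKMP header is positive evidence of an IKE responder; `open|filtered` is not evidence either way, which is why the device logs are the better source.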
