Got the solution.
In the vpn client connection configuration you have to choose
"IPSec over TCP" and of course "Enable Transparent Tunnel".
No custom rules, no "IPSec passthru" (that's a different approach),
no custom NAT rules (only the default: NAT all LAN) are needed.
Mmmh, sounds very strange... IPsec NAT-T is usually achieved as IPsec over UDP...
(http://wiki.openswan.org/index.php/Firewalls)
...and from what I know, Cisco VPN uses exactly this.
What kind of implementation is currently used?
Please, could someone check whether pfSense is really encapsulating over 4500/UDP, or something different?
TIA
Tom
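One way to answer the question above from a WAN-side capture is to classify each tcpdump line by the encapsulation it shows: IKE on UDP/500, NAT-T on UDP/4500, Cisco "IPSec over TCP" on its default TCP/10000, or native ESP (IP protocol 50). This is an added example, not code from the thread or from pfSense; the tcpdump lines are constructed, and the interface name and the TCP port 10000 are assumptions (the client's IPSec-over-TCP port is configurable).

```python
import re
import sys
from collections import Counter

# Constructed sample tcpdump output (not a real capture) showing the encapsulations
# a pfSense WAN can see when a Cisco VPN client connects.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I agg
12:00:01.100001 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.200001 IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.000001 IP 203.0.113.11.51234 > 198.51.100.5.10000: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:02.500001 IP 203.0.113.12 > 198.51.100.5: ESP(spi=0xdeadbeef,seq=0x2), length 116
"""

# Assumption: the Cisco client is left on its default "IPSec over TCP" port.
CISCO_TCP_PORT = 10000

# "IP src.port > dst.port: rest" for UDP/TCP, and "IP src > dst: ESP(" for native ESP.
PORT_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (.*)$")
RAW_ESP_RE = re.compile(r"^\S+ IP \S+ > \S+: ESP\(")


def classify_line(line):
    """Return which encapsulation a single tcpdump line belongs to."""
    if RAW_ESP_RE.match(line):
        return "esp-native"
    m = PORT_RE.match(line)
    if not m:
        return "other"
    sport, dport, rest = int(m.group(2)), int(m.group(4)), m.group(5)
    if 4500 in (sport, dport):
        return "nat-t-udp-4500"          # RFC 3948 UDP encapsulation (IKE or ESP)
    if 500 in (sport, dport) and "isakmp" in rest:
        return "ike-udp-500"             # plain IKE, no NAT detected yet
    if CISCO_TCP_PORT in (sport, dport) and rest.startswith("Flags ["):
        return "ipsec-over-tcp-10000"    # Cisco proprietary TCP encapsulation
    return "other"


def summarize(capture_text):
    """Count lines per encapsulation; the ESP carrier answers 'UDP/4500 or something else?'."""
    return dict(Counter(classify_line(l) for l in capture_text.splitlines() if l.strip()))


if __name__ == "__main__":
    # Feed a live capture with e.g.:  tcpdump -nni em0 'udp port 4500 or tcp port 10000 or proto 50'
    text = SAMPLE_TCPDUMP if sys.stdin.isatty() else sys.stdin.read()
    for kind, count in sorted(summarize(text).items()):
        print(f"{kind:22s} {count}")
```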