Obtained from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774
Author: john@feith.com
We are also using this patch on pfSense for 2 months

Consider an IPSEC policy such as:

spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec

esp/transport//require;

spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec

esp/transport//require;

When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP
negotiations to occur with the remote. Unfortunately the key_acquire
routine in sys/netipsec/key.c doesn't contain any code to propagate
the port / protocol information as part of the ACQUIRE message ... as
a result racoon sees an ACQUIRE message for all traffic to the remote
system and supplies that as the proposal which fails since the remote
system is only willing to protect L2TP with IPSEC ... not all traffic.

Note that RFC 2367 3.1.6 SADB_ACQUIRE says:

The address(SD) extensions MUST have the port fields
filled in with the port numbers of the session requiring
keys if appropriate.

With the supplied patch I'm able to successfully establish a L2TP protected
by IPSEC connection from FreeBSD 10-stable to a Cisco 3845 router.