Openswan / ConfFirewall
Last modified: August 08, 2006, at 08:46 AM

To pass IPsec traffic through a firewall, you'll need the following ports/protocols open in both directions:

If the traffic is being NATed (Network Address Translation) on one or both sides, you will need NAT-Traversal (NATTraversal) support on both gateways, which means UDP port 4500 has to pass as well as the ports and protocols listed above.

The Shorewall firewall works well with Openswan and is very well documented. Make up a name for each remote VPN in the zones file, say which IPsec interface each named zone uses, describe in the policy file how the zones may talk to each other, and list the public IP address of each remote site in the tunnels file. Shorewall then generates the rules needed to let IPsec through for the gateways named in the tunnels file. Each configuration file is thoroughly documented with comments; see http://www.shorewall.net

Some firewalls, particularly DSL-sharing boxes, try to be "helpful" with IPsec: they NAT UDP port 500 on the inside to UDP port 500 on the outside and pass ESP traffic through. This sometimes works. In most cases it does not work with two systems behind the NAT, and it will not work when you want to talk to two destinations, because there is only one outside port 500 to hand out.

Worse, this "helpful" preservation of port 500 for IKE means that, even with proper NAT-Traversal support at both end points, you may fail to notice that you are behind a NAT at all and need to do NAT-Traversal.

See also the FreeS/WAN documentation on firewalls.

Some common devices, and their problems
