This is easily solved in your source NAT configuration on pfSense. It's a single checkbox to not randomize ports on outbound flows. This will enable full cone NAT.

You can scope it to just your IPsec service, or whatever it is you're hosting, or you can enable full cone for the whole subnet.

It is not DNAT, nor is it port forwarding. If you host a SIP proxy, SBC or peer-to-peer gaming, it will enable these use cases as well.

https://docs.netgate.com/pfsense/en/latest/nat/outbound.html