@jimp I have indeed used PowerShell to create the tunnel in the first instance, since without it only an insecure tunnel is possible.
According to Microsoft's documentation, Windows 10 offers:
Phase 1 encryption
Type: EncryptionMethod
Accepted values: DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES256
Phase 2 encryption
Type: CipherTransformConstants
Accepted values: DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES192, GCMAES256, None
Windows 11 offers:
Phase 1 encryption
Type: EncryptionMethod
Accepted values: DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES256
Phase 2 encryption
Type: CipherTransformConstants
Accepted values: DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES192, GCMAES256, None
So the only option one has to get IPSec to work on both Win 10 and 11 is to use a method that is supported by both and pfSense. Since GCM uses hardware encryption, GCMAES128 seems like a good choice, or GCMAES256.
The PowerShell command we used to create the tunnel on both Windows 10 and 11 is:
Set-VpnConnectionIPsecConfiguration `
-ConnectionName "IPSec-cloud" `
-AuthenticationTransformConstants GCMAES256 `
-CipherTransformConstants AES256 `
-EncryptionMethod GCMAES256 `
-IntegrityCheckMethod SHA256 `
-DHGroup Group14 `
-PfsGroup PFS2048 `
-PassThru
However, despite explicitly setting Windows 11 to use GCMAES256, it presents itself to pfSense as AES_CBC_256/AES_256_GMAC, neither of which is available for selection in pfSense.
So it's not simply a matter of picking the matching encryption. AES-CBC is not available in pfSense at all. What GMAC is I don't know.
I'm stuck now.... :-(
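
An added example, not part of the post above: a PowerShell check that compares the two Phase 2 values passed to Set-VpnConnectionIPsecConfiguration and flags a pair where only one side is a GCM value. It assumes that Windows offers an AES-GCM ESP proposal only when CipherTransformConstants and AuthenticationTransformConstants carry the same GCMAES value; the function name Test-Phase2TransformPair is hypothetical.

```powershell
# Added example (hypothetical helper, not from the original post).
# Assumption: an AES-GCM ESP proposal requires the same GCMAES value in both
# -CipherTransformConstants and -AuthenticationTransformConstants.
function Test-Phase2TransformPair {
    param(
        [Parameter(Mandatory)] [string] $CipherTransformConstants,
        [Parameter(Mandatory)] [string] $AuthenticationTransformConstants
    )

    $cipherIsGcm = $CipherTransformConstants -like 'GCMAES*'
    $authIsGcm   = $AuthenticationTransformConstants -like 'GCMAES*'

    if ($cipherIsGcm -and $authIsGcm) {
        if ($CipherTransformConstants -eq $AuthenticationTransformConstants) {
            $verdict = 'Matched GCM pair'
        } else {
            $verdict = 'Mismatch: both values are GCM but the key lengths differ'
        }
    } elseif ($cipherIsGcm -xor $authIsGcm) {
        $verdict = 'Mismatch: only one of the two values is GCM'
    } else {
        $verdict = 'Non-GCM cipher with a separate integrity transform'
    }

    [pscustomobject]@{
        Cipher         = $CipherTransformConstants
        Authentication = $AuthenticationTransformConstants
        Consistent     = ($verdict -notlike 'Mismatch*')
        Verdict        = $verdict
    }
}

# Constructed sample 1: the Phase 2 values from the command in the post.
Test-Phase2TransformPair -CipherTransformConstants AES256 -AuthenticationTransformConstants GCMAES256

# Constructed sample 2: the same GCM value on both sides.
Test-Phase2TransformPair -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256

# On a Windows client, check what is actually stored for the connection.
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    $policy = (Get-VpnConnection -Name 'IPSec-cloud' -ErrorAction SilentlyContinue).IPSecCustomPolicy
    if ($policy) {
        Test-Phase2TransformPair -CipherTransformConstants $policy.CipherTransformConstants `
                                 -AuthenticationTransformConstants $policy.AuthenticationTransformConstants
    }
}
```

The first sample reports a mismatch, which corresponds to the CBC cipher plus GMAC integrity pairing that pfSense logged.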