@MHM Cisco World as already stated in the previous answer, you can only select 1 PFS group.
PFS is not configured under the proposal section. You select "Enable Perfect Forward Secrecy" and select the Group from the drop down list, there is no option...
@ryanbess the list of ports are under the External Identity Sources and Resources (Outbound) section of the guide below
https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7...
@John Bautista is ESP blocked between the peers (a packet capture will confirm this)?
192.100.0.0/16 is not a private network, I assume you meant a public network.