Unfortunately, I don't have a -current machine to test this with right
  now. I do have a netbsd-4 machine and can confirm that it works
  without the listen statements present in the racoon.conf file. There
  should be very little difference between the ipsec-tools cvs branch
  and the *very* soon to be released ipsec-tools 0.7 branch. My
  understanding is that 0.7 will be shipped with netbsd-4.

If what you're saying is:

  ipsec-tools HEAD works fine on netbsd-4 (meaning w/o listen statements)
  ipsec-tools 0.7 branch works fine on netbsd-4

then the probably there's a latent issue that is provoked in current,
and it's not nothing to do with the recent changes in ipsec-tools.
Certainly my recent testing is making me think that's the case.