There is a predefined "vpnlogon" policy that permits all standard VPN protocols. You could apply that to your guest role, or selectively add what you need.
The following summarizes the ACL:
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
user any svc-natt permit