Friday, February 21, 2014

BSD pf firewall ipsec

#vim /etc/pf.conf
# Let the remote VPN gateway reach IKE (udp/500) and IKE NAT-Traversal
# (udp/4500) on the CARP-shared external address.  $outside and
# $external_carp_addr are macros assumed to be defined earlier in pf.conf;
# "remote-gateway" is a placeholder for the peer's address.
# NOTE(review): this only admits the IKE negotiation.  The ESP payload
# (proto esp) from remote-gateway needs its own pass rule unless every
# packet is NAT-T encapsulated over udp/4500 -- verify against the peer.
pass in quick on $outside proto udp from remote-gateway to $external_carp_addr port { 500 4500 }

#
# Reload the ruleset from the edited file.  "pfctl -nf /etc/pf.conf"
# parses it without loading, for a dry run before the real reload.
pfctl -f /etc/pf.conf


#vim /etc/ipsec.conf
# One IKE-negotiated ESP tunnel.  local-network/16, remote-network/20,
# remote-gateway and local-gateway are placeholders for the two subnets
# and the two gateway addresses/identities.
#   main  -> phase 1 (IKE SA) proposal
#   quick -> phase 2 (IPsec/ESP SA) proposal
#   srcid -> identity this end presents to the peer
#   psk   -> pre-shared key; 'secretkey' is a placeholder, replace it and
#            keep /etc/ipsec.conf readable by root only, since it then
#            holds the key in clear text.
# NOTE(review): both ends must agree on these proposals; hmac-sha1 and
# modp1536 are older choices, prefer stronger ones if the peer supports them.
ike esp from local-network/16 to remote-network/20 \
     peer remote-gateway \
     main auth hmac-sha1 enc aes-256 group modp1536 \
     quick auth hmac-sha1 enc aes-256 group modp1536 \
     srcid local-gateway psk 'secretkey'

#
# Load the flows and hand the ike rule to isakmpd.  isakmpd should already
# be running (started with -K, see below), otherwise ipsecctl has nothing
# to pass the rule to.
ipsecctl -f /etc/ipsec.conf

#troubleshooting and monitoring
pfctl -sr                 # show the loaded filter rules; confirm the pass rule is present
ipsecctl -sall            # show all flows and SAs; a working tunnel shows SAs for both directions
ipsecctl -m               # monitor mode: print PF_KEY messages as SAs come and go
tail -f /var/log/daemon   # isakmpd's negotiation messages normally land here


# Watch what pf logs on the pflog interface (-n: no name lookups, -e: show
# the pflog header with rule number and action, -ttt: relative timestamps).
# Only rules carrying the "log" keyword appear here; the pass rule above has
# none, so add "log" to it (or rely on a logging block rule) to see the IKE
# packets.
tcpdump -n -e -ttt -i pflog0

# Start the IKE daemon.  -K disables isakmpd's KeyNote policy checking,
# which is what an ipsecctl-managed configuration expects.  Start it before
# running "ipsecctl -f".  To make this persistent across boots, set
# isakmpd_flags="-K" and ipsec=YES in /etc/rc.conf.local.
isakmpd -K


ref:
http://www.richweb.com/ipsec_between_openbsd_cisco_asa
http://littleabroad.wordpress.com/2012/03/28/ipsec-vpn-between-cisco-and-openbsd/
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
http://resin.csoft.net/cgi-bin/man.cgi?section=5&topic=ipsec.conf
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec