VPNs: The enc Interface
Once you've set up IPSec, you can do your filtering on the enc interfaces:
pass on enc0 from $allowedsource to $sechosts port $allowedin
pass on enc0 from $myhosts to $remotedest port $remoteports
OpenBSD 4.8 onwards: enc is cloneable, you can have more than one