> It looks like 'keep state (if-bound)' iked.conf(5) is not present or being
> respected on the return traffic to the VPN device/firewall from your internal
> network. ICMP traffic is coming into the VPN device encrypted, being
> decrypted and passed to the destination. The destination responds back but
> the VPN device is not taking those responses and pushing them back through
> enc0.
Thank you for your response, Jason. Here is the relevant pf.conf configuration; keep state (if-bound) is there, so I don't think it's the cause of the problem:

pass inet proto udp from 192.168.1.109 to bge0 port 500
pass inet proto esp from 192.168.1.109 to bge0
pass on bge0 proto ipencap keep state (if-bound)
pass inet from 192.168.9.208 to vlan0:network