Conceptual Problem

["Richard P. Koett" <lists@telus.net>]

I have been using pf for while but just now planning to setup an IPSec
gateway. I don't think I am understanding some basic concepts correctly
and would appreciate if anyone cares to enlighten me.

My confusion is regarding the enc0 interface and my physical external
interface (which happens to be fxp0). I will ignore the internal
interface for now. The way I understand it is that packets coming in
from the Internet will pass through both enc0 and fxp0 (in that order I
think), and that I may filter on either or both of these interfaces. (At
this time I am not specifying any rules on enc0 and only filtering on
fxp0). So if I want to tunnel packets from a remote desktop to a server
behind the gateway I must first allow the esp protocol to be passed
through fxp0. Once the esp packets are received by the gateway the
encapsulation is removed and the packet inside is processed, correct?
Here's my confusion: Does the packet that was encapsulated then also
have to pass through fxp0, or has it already gone through? If it must
also pass through fxp0 then I must have rules that allow it, and if I
have rules that allow it then there is no requirement for people to use
IPSec to get in. (The objective is that users coming in through an IPSec
tunnel have unrestricted access while others have minimal access).

I also have a related question: The VPN client software (SSH Sentinel)
can send packets using an IP address belonging to the internal network
but this is optional. What are the pros and cons of using an internal
address or a dynamic (external) address? For example, if encapsulated
packets are passed through fxp0 after encapsulation is removed, and if I
am using a source address belonging to the internal network, then my
rules on fxp0 would have to allow what look like spoofed packets to
pass. This seems so wrong that I must conclude I am misunderstanding the
whole thing.

Any advice is appreciated.