There are some posts out there that explain this, or parts of it, and
here's my contribution.
The two threads I found most helpful can be googled:
"NAT on IPSEC with OpenBSD/pf/isakmpd"
"OT - NAT on IPsec"
The issues in question are mentioned earlier in this thread and I
won't repeat them.
1 - Create a loopback interface on which NATting will be done:
# cat /etc/hostname.lo1
inet 172.16.0.1 255.255.255.0 NONE description "IPsec NAT interface"
This should be an IP of a different subnet than your internal network.
2 - Add a static route to the remote network you are trying to reach:
route add 192.168.0.0/24 172.16.0.1
3 - Configure lo1 for NAT (pf.conf):
nat on lo1 from $internal_net to 192.168.0.0/24 -> lo1
4 - Create pf.conf rules:
## ISAKMP VPN
pass on lo1 inet from lo1 to 192.168.0.0/24 keep state
pass in on enc0 keep state (if-bound)
pass out on enc0 inet from lo1 to 192.168.0.0/24
pass on enc0 proto ipencap all keep state (if-bound)
pass on $ext_if inet proto esp all keep state
NB. The outgoing enc0 traffic rule must not contain "keep state".
5 - The IPsec tunnel/flows must of course be added with 172.16.0.1 as IPV4_ADDR.
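The five steps above collected into one place, as an added example and not the original poster's configuration. It keeps the post's pre-OpenBSD 4.7 "nat on" syntax. The interface name em0, the internal network 10.0.0.0/24, the peer address 203.0.113.2 and the ipsec.conf(5) flow line are assumptions: the post only names $ext_if and $internal_net as macros, and gives the local identity as an isakmpd.conf IPV4_ADDR rather than an ipsec.conf flow.

```conf
# /etc/hostname.lo1  (step 1: the loopback that owns the NAT address)
inet 172.16.0.1 255.255.255.0 NONE description "IPsec NAT interface"

# Step 2, typed once at the shell (or placed in /etc/rc.local):
#   route add 192.168.0.0/24 172.16.0.1
# The route is what steers LAN traffic for the remote network onto lo1,
# so the "nat on lo1" rule below actually sees it.

# /etc/pf.conf  (steps 3 and 4; "nat on" form used before OpenBSD 4.7)
ext_if = "em0"                  # assumption: external interface
internal_net = "10.0.0.0/24"    # assumption: local LAN; must not overlap 172.16.0.0/24
remote_net = "192.168.0.0/24"   # network behind the IPsec peer

## ISAKMP VPN
nat on lo1 from $internal_net to $remote_net -> lo1
pass on lo1 inet from lo1 to $remote_net keep state
pass in on enc0 keep state (if-bound)
pass out on enc0 inet from lo1 to $remote_net         # deliberately no "keep state"
pass on enc0 proto ipencap all keep state (if-bound)
pass on $ext_if inet proto esp all keep state

# /etc/ipsec.conf  (step 5). Assumption: flow from the lo1 address, which is the
# only local source the peer ever sees; 203.0.113.2 is a placeholder peer.
flow esp from 172.16.0.1 to 192.168.0.0/24 peer 203.0.113.2
```

After `sh /etc/netstart lo1` and `pfctl -f /etc/pf.conf`, a connection from the LAN to 192.168.0.0/24 should appear in `pfctl -s state` with its source translated to 172.16.0.1, and `tcpdump -ni enc0` should show no packets carrying an untranslated internal address; any that do indicate the route in step 2 is missing or the NAT rule is not matching.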