I don't know if I've ever seen DHCP "under" IPSec discussed in regards to OpenBSD before.
I run IPSec for wireless security, with DHCP, but the leases are established before the ESP tunnels are established. They have to be, since I use an isakmpd(8) PKE infrastructure. Those require UDP communication between existing IP addresses for SA and flow negotiations, tunnel setup, key change, and tear down.
AFAIK, dhcpd(8) and dhclient(8) use bpf(4) for communication. I don't know, therefore, how one would go about applying ESP or AH protocols to such packets.
As for your question about enc(4), that is, as far as I know, only usable with pf(4) and tcpdump(8).
|