Ah, thank you for the clarification. I will restate the problem, to ensure I understand:
An inbound packet that establishes a state will not have outbound packets assigned to the tagged queue, as state was established without a tagged queue.
Perhaps, all that is needed is:
Code:
pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any queue data_ipsec
The state will then be established with the assigned tag. Of course, on inbound traffic there won't be anything to queue.