Without a network topology and a description of the security policy your rules are supposed to implement, it is rather difficult to give meaningful/correct tips and/or advice.
Code:
# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state
What are you trying to accomplish here? Only allow incoming VPN connections in the first 2 rules, and passing out the return traffic in the remaining ones?
Or only allow outgoing VPN connections?
Why don't you use quick on the pass out rules as well?
Some rules say keep state, or flags S/SA keep state, but some don't. That is not consistent.
If you want stateful connections, you don't have to specify keep state anymore. Stateful connections have been the default in pf for quite some time.
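Added example (not part of the poster's reply or the original ruleset): the posted rules rewritten the way the reply suggests, with quick on both the pass in and pass out rules, no redundant keep state (pf has been stateful by default for years), and one rule per flow so nothing is listed twice. The interface name em1 and the intent of allowing IKE (udp/500) and ESP in both directions are taken from the posted rules; the default-deny block rule at the top is an assumption, since the thread states no policy.

```pf
# Added example, not the poster's own rules.
# Assumptions: em1 is the external interface; IKE (udp/500) and ESP must be
# allowed in and out; the default-deny block is an assumption because the
# original post gives no security policy.

ext_if = "em1"

# Default deny on the external interface, with logging so dropped traffic
# shows up in pflog. The pass rules below punch explicit holes in it.
block log on $ext_if

# IPsec: IKE and ESP in both directions. quick stops rule evaluation on the
# first match, so later rules cannot silently override these. pf keeps state
# by default, so "keep state" is not written out; likewise "flags S/SA" is the
# default for TCP on current pf and does not need to be repeated.
pass in  quick on $ext_if inet proto udp from any to any port 500
pass in  quick on $ext_if inet proto esp from any to any
pass out quick on $ext_if inet proto udp from any to any port 500
pass out quick on $ext_if inet proto esp from any to any

# Outbound TCP, UDP and ICMP from this host. The state entry created on the
# way out is what lets the replies back in; no separate pass in rule is needed.
pass out quick on $ext_if inet proto { tcp, udp, icmp } all
```

Syntax-check a ruleset like this with pfctl -nf /etc/pf.conf before loading it; the -n flag parses without applying, so a typo cannot lock you out of the box.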