I don't think your issue is an "ID-ten-Tee" error.
- I used your ipsec.conf file to set up the SAs and Flows.
- I ran isakmpd with -Kvd to collect logs.
- PF was the default wide-open pf.conf in my first test, and then a simple one line standard match out on egress from !(egress) nat-to (egress) copied and pasted from one of my machines, which is even more wide-open than the default.
