Have you seen http://www.securityfocus.com/infocus/1859?
To check whether pf is blocking, use a default policy of:
This will make blocked packets appear on the pflog0 device.
You can see these packets by using
Code:
tcpdump -eni pflog0
on a console on the VPN/firewall box.