I have just configured a VPN tunnel between two OpenBSD firewalls / gateways following the VPN man page nearly word-for-word. All is working well... mostly:
On either end, on machines behind the firewall, I can connect to any service on any machine on the remote end. However, if I am on the firewall machines themselves, I can ping machines on the remote end, but service connections fail. For instance, I can ssh to a box on the remote end from a machine behind the firewall, but if I attempt to ssh to the same remote box from the firewall itself, I get a "connection refused". This is true on both ends. Are there additional rules I need to put into pf for this type of connectivity? What am I missing? (Sorry if this gets posted multiple times, I'm having major gmail-suck at work.)