Securing IPsec with keynote(5) and pf(4)

Some gateway configurations are very open ended and require some additional security measures.

IPsec gateways that provide security services to roaming users with Dynamic IPs are a particular concern. Suppose we have the following ipsec.conf on our gateway

ike passive esp from 10.0.0.0/8 to any srcid gwA.openbsd.org

How can we limit what our users have access to ?
How can we protect ourselves from malicious users ?