Securing IPsec with keynote(5) and pf(4)

This approach has a few problems and can't be relied on as a single solution

very hard to debug
syntax is very cumbersome
limited usefulness when filtering roaming users
only effective to filter negotiations