Thinking -pf@ or -net@ would be a better place to discuss this, more chances of getting an answer. Out of curiosity, why not use a gif interface? I had that working just fine with racoon and was able to actually firewall traffic on it with PF, iirc.