Another howto for the sake of posterity
Create /etc/ipsec.conf on Machine A
## machine A
# external IP: 111.111.111.111
# internal network: 192.168.1.0/24
## machine B
# external IP: 222.222.222.222
# internal network: 192.168.2.0/24

ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase
Create /etc/ipsec.conf on Machine B
ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase
Edit /etc/rc.conf.local on both machines
## start the isakmpd
isakmpd_flags="-K"
ipsec=YES
Allow VPN traffic on Machine A
vpn_net = "192.168.2.0/24"
pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any
Allow VPN traffic on Machine B
vpn_net = "192.168.1.0/24"
pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any
Reboot the machine to check if everything starts at boot
Running netstat -rn on Machine A should give something like:
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24       0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     192.168.2/24       0     0     222.222.222.222/esp/require/out
222.222.222.222/32 0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     222.222.222.222/32 0     0     222.222.222.222/esp/require/out
192.168.2/24       0     192.168.1/24       0     0     222.222.222.222/esp/use/in
192.168.2/24       0     192.168.2/24       0     0     222.222.222.222/esp/require/out
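A way to check the setup above without eyeballing it, as an added Python example that is not part of the original howto: it parses the "ike esp" flow lines, confirms each machine's ipsec.conf follows the three-flow pattern used here (LAN to remote LAN, own external IP to remote LAN, own external IP to remote external IP), and cross-checks the Encap section of netstat -rn so that every flow has its require/out entry and the reverse use/in entry keyed on the peer's address. The two ipsec.conf texts are the ones from above; the netstat table is constructed for the example in the page's column layout, and to_network(), parse_flows(), template_flows(), matches_template(), parse_encap() and missing_flows() are this example's own names, not OpenBSD tools.

```python
"""Check this howto's IPsec setup: that each ipsec.conf follows the
three-flow pattern, and that the kernel's encap routing table (the
"Encap:" section of netstat -rn) implements every flow both ways.
Added example; assumes the flow syntax "ike esp from A to B [peer P] psk ..."
and the Encap column layout as printed on the page."""
import ipaddress
import re

# Machine A's and Machine B's ipsec.conf as given in the howto.
IPSEC_CONF_A = """\
ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase
"""
IPSEC_CONF_B = """\
ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase
"""

# Constructed "netstat -rn" Encap table for Machine A (same layout as the
# page's sample).  BSD abbreviates networks with trailing zero octets
# ("192.168.2/24"); to_network() expands them again.
NETSTAT_ENCAP_A = """\
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24       0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     192.168.2/24       0     0     222.222.222.222/esp/require/out
222.222.222.222/32 0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     222.222.222.222/32 0     0     222.222.222.222/esp/require/out
192.168.2/24       0     192.168.1/24       0     0     222.222.222.222/esp/use/in
192.168.1/24       0     192.168.2/24       0     0     222.222.222.222/esp/require/out
"""

FLOW_RE = re.compile(
    r"^ike\s+esp\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+peer\s+(\S+))?\s+psk\s+\S+", re.M)


def to_network(text):
    """'192.168.2/24' -> 192.168.2.0/24, '1.2.3.4' -> 1.2.3.4/32."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_flows(conf):
    """[(src, dst, peer)] per 'ike esp' line; an omitted peer means the dst host."""
    flows = []
    for src, dst, peer in FLOW_RE.findall(conf):
        src_n, dst_n = to_network(src), to_network(dst)
        peer_ip = ipaddress.ip_address(peer) if peer else dst_n.network_address
        flows.append((src_n, dst_n, peer_ip))
    return flows


def template_flows(local_net, local_ext, remote_net, remote_ext):
    """The three flows each side configures in this howto."""
    local_net, remote_net = to_network(local_net), to_network(remote_net)
    local_ext, remote_ext = to_network(local_ext), to_network(remote_ext)
    peer = remote_ext.network_address
    return [(local_net, remote_net, peer), (local_ext, remote_net, peer),
            (local_ext, remote_ext, peer)]


def matches_template(conf, local_net, local_ext, remote_net, remote_ext):
    """True when conf contains exactly the three template flows."""
    return set(parse_flows(conf)) == set(
        template_flows(local_net, local_ext, remote_net, remote_ext))


def parse_encap(output):
    """{(src, dst, sa_addr, proto, type, direction)} from the Encap table."""
    entries = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "Source":   # title, blank or header row
            continue
        sa_addr, proto, typ, direction = cols[5].split("/")
        entries.add((to_network(cols[0]), to_network(cols[2]),
                     ipaddress.ip_address(sa_addr), proto, typ, direction))
    return entries


def missing_flows(conf, output):
    """(flow, direction) pairs with no kernel entry: each flow needs a
    require/out entry src->dst and a use/in entry dst->src, both on the peer."""
    entries = parse_encap(output)
    missing = []
    for src, dst, peer in parse_flows(conf):
        flow = (str(src), str(dst), str(peer))
        if (src, dst, peer, "esp", "require", "out") not in entries:
            missing.append((flow, "out"))
        if (dst, src, peer, "esp", "use", "in") not in entries:
            missing.append((flow, "in"))
    return missing


if __name__ == "__main__":
    print("A follows pattern:", matches_template(
        IPSEC_CONF_A, "192.168.1.0/24", "111.111.111.111", "192.168.2.0/24", "222.222.222.222"))
    print("missing on A:", missing_flows(IPSEC_CONF_A, NETSTAT_ENCAP_A))
```

On a live box the netstat text would come from the real command; feeding it a table with one row removed makes missing_flows() name the flow and direction that the kernel is not enforcing, which is the case you want to catch before trusting the tunnel.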