I have a working IKEv2 VPN between an OpenBSD 6.6 server and a 6.6 client which connects to the server from behind ISP NAT. My configuration is very close to the FAQ's OpenBSD client connection from behind ISP NAT to a server: https://www.openbsd.org/faq/faq17.html#clientikev2
When the VPN is disconnected, NAT on egress works as it should for the client itself and for the LAN hosts connected to the client, using the second NAT rule in pf.conf:

    ...
    match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
    match out log on egress from 192.168.2.0/24 to any nat-to (egress) tagged WEB
    ...

Once the VPN is connected, NAT works for the client itself only, and there is no NAT for the client's LAN-connected hosts on enc0 using the first rule above. For instance, there is no NAT on enc0 from the VMM host 192.168.2.4 on the virtual LAN 192.168.2.0/24. The same applies to the hosts on the physical LAN connected to the client machine.

    $ telnet 172.217.21.142 80        (from the LAN VMM host 192.168.2.4)

    tcpdump -en -i pflog0
    13.29.33.694116 rule 4/(match) match out on enc0: 10.0.5.2.64401 > 172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss 1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
    13.29.33.694116 rule 135/(match) match out on enc0: 10.0.5.2.64401 > 172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss 1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
    13.29.34.316393 rule 4/(match) match out on enc0: 10.0.5.2.50426 > 192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss 1380,sackOK,timestamp 709481652 2965653344,nop,wscale 8>
    13.29.34.625518 rule 4/(match) match out on enc0: 10.0.5.2.54501 > 192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss 1380,sackOK,timestamp 709481953 2965653344,nop,wscale 8>

The initiator's VMM LAN SA is bypassed in /etc/ipsec.conf in all directions:

    flow from 192.168.2.0/24 to 192.168.2.0/24 type bypass
    flow from 127.0.0.1/32 to 192.168.2.0/24 type bypass
    flow from 192.168.2.0/24 to 127.0.0.1/32 type bypass

Responder /etc/iked.conf:

    ikev2 'responder' passive esp \
            from 0.0.0.0/0 to 10.0.5.0/24 \
            local 9.8.7.6 peer any \
            srcid srv.vpn \
            tag "ROADW"

Initiator /etc/iked.conf:

    ikev2 'initiator' active esp \
            from 10.0.5.2 (0.0.0.0/0) to 0.0.0.0/0 \
            peer 9.8.7.6 \
            srcid clnt.vpn \
            dstid srv.vpn

(The "from 10.0.5.2 (0.0.0.0/0)" form is there so that traffic from the LAN hosts appears to come from 10.0.5.2, as in IPSEC.CONF(5) for NAT configurations.)

/etc/pf.conf (client):

    ...
    match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
    ...
    pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
    pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound) tagged WEB
    ...
    pass in on 192.168.2.1 inet proto tcp from 192.168.2.0/24 to any port {www, https} flags S/SA modulate state tag WEB
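As an added check (this is not part of the original post, and not something the poster ran), here is a small POSIX shell/awk filter over `tcpdump -n -i pflog0` output. It prints every packet that pf matched "out on" the tunnel interface whose destination address lies inside the LAN prefix; on the four log lines from the post it flags the two SYN-ACK replies addressed to 192.168.2.4 that were matched out on enc0 and NAT'd to 10.0.5.2 again, which is the quickest way to see whether LAN-bound return traffic is leaving through the tunnel rather than the LAN interface. The sample lines are copied from the post; the prefix argument (first three octets of a /24), the interface name and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the four pflog lines quoted in the post above.
SAMPLE_PFLOG='13.29.33.694116 rule 4/(match) match out on enc0: 10.0.5.2.64401 > 172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss 1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
13.29.33.694116 rule 135/(match) match out on enc0: 10.0.5.2.64401 > 172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss 1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
13.29.34.316393 rule 4/(match) match out on enc0: 10.0.5.2.50426 > 192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss 1380,sackOK,timestamp 709481652 2965653344,nop,wscale 8>
13.29.34.625518 rule 4/(match) match out on enc0: 10.0.5.2.54501 > 192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss 1380,sackOK,timestamp 709481953 2965653344,nop,wscale 8>'

# lan_leak_via_tunnel LAN_PREFIX TUNNEL_IF
#   Reads "tcpdump -n -i pflog0" lines on stdin and prints one line for each
#   packet that was matched "out on TUNNEL_IF" with a destination inside
#   LAN_PREFIX (given as the first three octets of a /24, e.g. 192.168.2).
#   Such a packet is LAN-bound traffic that pf saw leaving via the tunnel.
lan_leak_via_tunnel() {
    lan="$1"; tun="$2"
    awk -v lan="$lan" -v tun="$tun" '
        $0 ~ ("match out on " tun ":") {
            # tcpdump prints "src.sport > dst.dport FLAGS ..."; find the ">".
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            n = split(dst, o, ".")          # o[1..4] = address, o[5] = port
            if (n >= 5 && (o[1] "." o[2] "." o[3]) == lan)
                printf "%s: LAN-bound packet left via %s: dst %s flags %s\n",
                       $3, tun, dst, $(i + 2)
        }'
}

# count_lan_leaks LAN_PREFIX TUNNEL_IF
#   Same filter, but prints only the number of flagged packets (0 if none).
count_lan_leaks() {
    lan_leak_via_tunnel "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the sample: flags the two SYN-ACKs to 192.168.2.4.
printf '%s\n' "$SAMPLE_PFLOG" | lan_leak_via_tunnel 192.168.2 enc0
```

On a live client you would feed it from `tcpdump -n -e -ttt -i pflog0 2>/dev/null | lan_leak_via_tunnel 192.168.2 enc0`; a non-zero count while the tunnel is up means replies for LAN hosts are being pushed back into enc0 instead of being delivered on the LAN interface.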