I think I have resolved my issue with routing all packets through an
IPsec tunnel. I set the default gateway of the client computers at the
far end of the tunnel to the router in the tunneled subnet. This seems
to work perfectly except now I see in my firewall logs:
04:37:40.453835 sis0 @0:10 b aaa.bbb.ccc.ddd,80 -> 192.168.20.25,1879 PR tcp len 20 48 -AS IN
even though I have set a rule to allow anything coming in on LAN (sis0)
destined for the 192.168.20.0/24 subnet to be passed.
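To triage entries like the one quoted above, it helps to decode each field of the ipmon line (interface, blocking rule `@group:rule`, action, endpoints, protocol, TCP flags, direction) and check it against what the allow rule is supposed to cover. The script below is an added example, not code from the poster or from IP Filter; it assumes the field layout visible in the quoted line, uses that line plus a few constructed entries as sample input, and the function names (`parse_ipmon`, `matches_allow_rule`, `find_unexpected_blocks`) are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout assumed from the ipmon line in the post:
# time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-FLAGS] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^,\s]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)\s*$"
)

# TCP flag letters as ipmon prints them (S=SYN, A=ACK, ...)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "U": "URG", "R": "RST"}


@dataclass
class IpmonEntry:
    time: str
    iface: str
    group: int
    rule: int
    action: str      # 'b' = block, 'p' = pass
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hlen: int
    plen: int
    flags: str       # e.g. "AS" for ACK+SYN, "" for protocols without flags
    direction: str   # "IN" or "OUT"


def parse_ipmon(line: str) -> Optional[IpmonEntry]:
    """Parse one ipmon log line; returns None when the line does not match the layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEntry(
        time=m["time"], iface=m["iface"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        hlen=int(m["hlen"]), plen=int(m["plen"]),
        flags=m["flags"] or "", direction=m["dir"],
    )


def describe_flags(flags: str) -> str:
    """Expand ipmon flag letters into names, e.g. 'AS' -> 'ACK+SYN'."""
    return "+".join(FLAG_NAMES.get(c, c) for c in flags) or "none"


def matches_allow_rule(e: IpmonEntry, iface: str = "sis0",
                       subnet: str = "192.168.20.0/24", direction: str = "IN") -> bool:
    """True when the packet meets the criteria the poster's allow rule is meant to cover."""
    try:
        dst = ipaddress.ip_address(e.dst)
    except ValueError:
        return False  # placeholder like aaa.bbb.ccc.ddd or a hostname: cannot evaluate
    return e.iface == iface and e.direction == direction and dst in ipaddress.ip_network(subnet)


def find_unexpected_blocks(lines: List[str], **rule) -> List[IpmonEntry]:
    """Return blocked entries that should have matched the allow rule; these are the ones
    worth comparing against the position of rule @group:rule in the rule set."""
    hits = []
    for line in lines:
        e = parse_ipmon(line)
        if e is not None and e.action == "b" and matches_allow_rule(e, **rule):
            hits.append(e)
    return hits


SAMPLE_LINES = [
    # The line quoted in the post, joined onto one line as ipmon prints it
    "04:37:40.453835 sis0 @0:10 b aaa.bbb.ccc.ddd,80 -> 192.168.20.25,1879 PR tcp len 20 48 -AS IN",
    # Constructed: the same flow passed by an earlier rule, for comparison
    "04:37:41.000001 sis0 @0:3 p aaa.bbb.ccc.ddd,80 -> 192.168.20.25,1879 PR tcp len 20 48 -AP IN",
    # Constructed: blocked, but destined for a subnet the allow rule does not cover
    "04:37:42.000001 sis0 @0:10 b 203.0.113.9,443 -> 192.168.30.5,2200 PR tcp len 20 48 -AS IN",
    # Constructed: blocked outbound UDP on another interface (no TCP flags printed)
    "04:37:43.000001 sis1 @0:10 b 192.168.20.25,5353 -> 224.0.0.251,5353 PR udp len 20 60 OUT",
]

if __name__ == "__main__":
    for e in find_unexpected_blocks(SAMPLE_LINES):
        print(f"{e.time} rule @{e.group}:{e.rule} blocked {e.proto} {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport} on {e.iface} {e.direction}, flags {describe_flags(e.flags)}")
```

Run on the sample lines, the report lists only the quoted entry: it is inbound on sis0 to an address inside 192.168.20.0/24, so it does satisfy the stated allow criteria, and the `@0:10` tag tells you exactly which rule dropped it. The ACK+SYN flags mark it as the reply half of a connection a 192.168.20.25 host opened to port 80, so the next things to compare are where rule 10 sits relative to the allow rule (IP Filter applies the last matching rule unless a rule is marked `quick`) and whether the allow rule keeps state for the outbound SYN.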