The IPSec documentation may contain a bug.
In particular, the command is given as:
# ifconfig gif0 internal1 internal2
and then the resulting gif0 interface looks like
inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00
It would appear that the mask is missing from the command like so:
# ifconfig gif0 internal1 netmask 255.255.255.0 internal2
Even better, since example IP addresses are used in these docs, write it like this:
# ifconfig gif0 10.246.38.1 netmask 255.255.255.0 10.0.0.5
and it will be much clearer as to which IP address you are supposed to put where. The documentation never explains which end of the link is supposed to be internal1 and which is internal2. At the very least, rename them as external_remote and external_local.
Also, it will be good to specify 'inet' or 'inet6' keyword in examples.
I've just now discovered that the whole gif interface thing is optional for ipsec and not really needed unless you are doing advanced routing things. It would be good if the documentation made that clear.