
IPSec connection possible with no rules for allowing ESP, UDP/500 and UDP/4500 #3572

Closed
aponert opened this issue Jul 16, 2019 · 2 comments
Labels
support Community support

Comments

@aponert
Contributor

aponert commented Jul 16, 2019

My question on the forums got no attention. So I ask it here as a question because, first, I don't know whether it's a bug or not. And second, I consider it to be very important.

I'm using 2 OPNsense instances. One on a VPS hosting provider and one at home. The instance on the hosting provider has a static IP, the home box has a dynamic IP with dynamic DNS in place.
All IPSec settings are correct since the tunnels are actually working. But I can't understand WHY they are working with the way my instances are configured:
I have no firewall rules on the WAN interfaces which allow ESP, ISAKMP and NAT-T to pass, on either instance. Both instances have packet filtering enabled and my tests included resetting the states.
However, when I start the IPSec connection, it gets established normally and works.

According to the official OPNsense documentation, I would have to add Allow rules to the outer tunnel endpoint interfaces, as with every other firewall.

Thus, I'm now concerned about the firewall not working correctly. Or are there any automatic firewall rules created, when IPSec on OPNsense is activated?

Both instances are on version 19.1.10.

@aponert aponert added the support Community support label Jul 16, 2019
@AdSchellevis
Member

The rules are automatic, the upcoming 19.7 version will show these as well in the overview:
(screenshot)

and can point to the option which controls the rule
(screenshot)

(screenshot)
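A way to verify this on the box itself, added here as an example and not part of the thread or of OPNsense: on OPNsense (FreeBSD pf) `pfctl -sr` dumps the loaded ruleset, including the rules the IPsec code generates, so you can grep it for the ESP, UDP/500 and UDP/4500 pass rules on the WAN interface instead of relying on the GUI overview. The sample ruleset lines, interface name `vtnet0`, addresses and rule labels below are constructed so the script runs offline; on a real box you would pipe `pfctl -sr` into the function instead.

```shell
#!/bin/sh
# Check a pf ruleset dump for the IPsec pass rules (ESP, UDP/500, UDP/4500)
# on a given interface. Example code, not from OPNsense or the issue.
#
# Real usage on OPNsense (as root):   pfctl -sr | check_ipsec_rules vtnet0

# Constructed sample resembling 'pfctl -sr' output. Interface, addresses and
# labels are made up for this example; OPNsense's real labels may differ.
SAMPLE_RULES='pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto udp from 198.51.100.7 to 203.0.113.10 port = 500 keep state label "IPsec: Allow ISAKMP"
pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto udp from 198.51.100.7 to 203.0.113.10 port = 4500 keep state label "IPsec: Allow NAT-T"
pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto esp from 198.51.100.7 to 203.0.113.10 keep state label "IPsec: Allow ESP"
block drop in log quick on vtnet0 inet all label "Default deny"'

# check_ipsec_rules IFACE  (ruleset on stdin)
# Returns 0 when inbound pass rules for ESP, UDP/500 and UDP/4500 exist on
# IFACE, otherwise prints which ones are missing and returns 1.
check_ipsec_rules() {
    iface="$1"
    rules=$(cat)
    missing=""
    printf '%s\n' "$rules" | grep -E "^pass in .*on $iface .*proto esp " >/dev/null \
        || missing="$missing esp"
    printf '%s\n' "$rules" | grep -E "^pass in .*on $iface .*proto udp .*port = 500( |\$)" >/dev/null \
        || missing="$missing udp/500"
    printf '%s\n' "$rules" | grep -E "^pass in .*on $iface .*proto udp .*port = 4500( |\$)" >/dev/null \
        || missing="$missing udp/4500"
    if [ -n "$missing" ]; then
        echo "missing inbound IPsec pass rules on $iface:$missing"
        return 1
    fi
    echo "all inbound IPsec pass rules present on $iface"
    return 0
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | check_ipsec_rules vtnet0
```

If the three rules are absent from the dump while the tunnel still comes up, that is the situation worth investigating; if they are present, the tunnel is passing because pf was told to let it, which is what the comment above describes.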

@aponert
Contributor Author

aponert commented Jul 16, 2019

Thank you, that clarifies it.

@aponert aponert closed this as completed Jul 16, 2019