Subject: Re: IPsec tunnel mode and IP forwarding
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-net
Date: 10/04/2004 07:49:02
  When using IPsec in tunnel mode, the machine will forward packets coming
  from and to the tunnel regardless of the net.inet.ip.forwarding setting.
  Is it on purpose or is it a bug?

I'd say that it is a bug (whether or not it is on purpose).  It is
considered sensible to use tunnel mode between hosts, and the SPD
entry really just indicates that if a packet is being sent it should
be encapsulated.  Logically, a received packet is first forwarded to
an interface, and then when output on that interface outbound IPsec
processing is performed, which may use a tunnel-mode SA, which
produces a new packet to be sent.


-- 
        Greg Troxel <gdt@ir.bbn.com>
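The ordering Greg describes above (forwarding decision first, then outbound IPsec processing at the egress interface, where a tunnel-mode SA produces the new encapsulated packet) can be written out as a small model. The following is an added illustration, not NetBSD kernel code and not code from either poster; the addresses, the SPD entries and the `buggy_tunnel_forwarding` knob (which reproduces the behaviour Emmanuel reports, where decapsulated packets skip the forwarding check) are constructed for the example.

```python
"""Toy model of a host's IPv4 input/forward/output path with an IPsec SPD.

This is an illustration of the logical order Greg Troxel describes:
  1. a received packet that is not for us is subject to the forwarding
     decision (net.inet.ip.forwarding);
  2. only at output on the egress interface is the outbound SPD consulted,
     and a tunnel-mode policy there yields a new, encapsulated packet.
Names, addresses and the `buggy_tunnel_forwarding` knob are assumptions
made for this example, not NetBSD identifiers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    # True when the packet arrived inside a tunnel-mode SA and has already
    # been decapsulated (outer header stripped) on this host.
    from_tunnel: bool = False


@dataclass
class SpdEntry:
    src_net: str
    dst_net: str
    direction: str                      # "in" or "out"
    tunnel: Optional[Tuple[str, str]] = None   # (outer_src, outer_dst) for tunnel mode

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class Host:
    local_addrs: Set[str]
    ip_forwarding: int                  # stands in for net.inet.ip.forwarding
    spd: List[SpdEntry]
    # Hypothetical knob: when True, packets that came out of a tunnel bypass
    # the forwarding check, which is the behaviour the question reports.
    buggy_tunnel_forwarding: bool = False

    def receive_tunnel(self, outer_dst: str, inner: Packet) -> str:
        """Decapsulate a tunnel-mode packet addressed to us, then handle the inner one."""
        if outer_dst not in self.local_addrs:
            return "drop: outer destination not local"
        inner.from_tunnel = True
        return self.handle(inner)

    def handle(self, pkt: Packet) -> str:
        """Disposition of a received (already decapsulated) packet."""
        if pkt.dst in self.local_addrs:
            return "deliver"
        # Forwarding decision comes first in the logical model; a packet that
        # came out of a tunnel is no exception.
        skip_check = self.buggy_tunnel_forwarding and pkt.from_tunnel
        if not self.ip_forwarding and not skip_check:
            return "drop: forwarding disabled"
        return self.output(pkt)

    def output(self, pkt: Packet) -> str:
        """Outbound IPsec processing at the egress interface."""
        for entry in self.spd:
            if entry.matches(pkt, "out"):
                if entry.tunnel:
                    outer_src, outer_dst = entry.tunnel
                    # A tunnel-mode SA produces a new packet with outer addresses.
                    return f"forward via tunnel {outer_src}->{outer_dst}"
                return "forward (transport)"
        return "forward (cleartext)"


def make_gateway(ip_forwarding: int, buggy: bool = False) -> Host:
    """Constructed gateway: LAN 10.0.1.0/24 behind it, peer gateway 192.0.2.2."""
    spd = [
        SpdEntry("10.0.1.0/24", "10.0.2.0/24", "out", tunnel=("192.0.2.1", "192.0.2.2")),
        SpdEntry("10.0.2.0/24", "10.0.1.0/24", "in", tunnel=("192.0.2.2", "192.0.2.1")),
    ]
    return Host({"192.0.2.1", "10.0.1.1"}, ip_forwarding, spd, buggy)


if __name__ == "__main__":
    # Forwarding off: a decapsulated packet for a LAN host must be dropped...
    print(make_gateway(0).receive_tunnel("192.0.2.1", Packet("10.0.2.5", "10.0.1.7")))
    # ...unless the buggy bypass is in effect.
    print(make_gateway(0, buggy=True).receive_tunnel("192.0.2.1", Packet("10.0.2.5", "10.0.1.7")))
    # Forwarding on: LAN-to-remote traffic is forwarded, then encapsulated at output.
    print(make_gateway(1).handle(Packet("10.0.1.7", "10.0.2.5")))
```

With `ip_forwarding` set to 0 the model drops the decapsulated packet before any output processing, which is the behaviour Greg argues for; flipping the hypothetical `buggy_tunnel_forwarding` knob reproduces the reported case where the packet is forwarded anyway.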