IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address
Amazon VPC provides a /30 to use as "tunnel inside addresses". They are addresses that can be configured on the VPN endpoints and can serve as an endpoint to ping or as BGP peers.
One of the addresses in the /30 can be set up as a virtual IP on lo0 (or some other interface) and the other address is configured on Amazon's VPN endpoint.
If you wish to set up the VPC-side endpoint address as an address to automatically ping, it doesn't work. The logic in /etc/inc/vpn.inc only looks for ping source addresses from configured interfaces. It doesn't check virtual IP addresses.
Setting up a phase 2 entry for traffic from the virtual IP address on the pfSense box to the IP address on the VPC side, and then setting the IP address on the VPC side as a host to automatically ping, results in no corresponding entry being added to /var/db/ipsecpinghosts.
This affects both 2.1 and 2.2.
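The source-selection behaviour described above, modelled as an added example. This is not code from /etc/inc/vpn.inc; the function names, the phase 2 dictionary layout and all addresses are constructed for illustration. It shows that a phase 2 entry whose local network contains only a virtual IP produces no ping entry unless virtual IPs are included in the candidate list.

```python
import ipaddress

# Constructed sample data (not taken from a real configuration).
INTERFACE_ADDRS = ["203.0.113.10", "192.168.1.1"]   # WAN, LAN
VIRTUAL_IPS = ["169.254.255.2"]                     # tunnel inside address on lo0
PHASE2 = [
    # Local network is the virtual IP; ping target is the VPC-side address.
    {"local": "169.254.255.2/32", "pinghost": "169.254.255.1"},
    # Ordinary LAN phase 2 entry, for comparison.
    {"local": "192.168.1.0/24", "pinghost": "10.0.0.5"},
    # Entry without a ping host: never produces an entry.
    {"local": "192.168.1.0/24", "pinghost": ""},
]


def pick_ping_source(local_net, interface_addrs, virtual_ips=()):
    """Return the first candidate address inside local_net, or None."""
    net = ipaddress.ip_network(local_net, strict=False)
    for addr in list(interface_addrs) + list(virtual_ips):
        if ipaddress.ip_address(addr) in net:
            return addr
    return None


def pinghost_entries(phase2_list, interface_addrs, virtual_ips=()):
    """Build (source, destination) pairs for every phase 2 entry with a ping host."""
    entries = []
    for p2 in phase2_list:
        if not p2.get("pinghost"):
            continue
        src = pick_ping_source(p2["local"], interface_addrs, virtual_ips)
        if src is None:
            # No usable source address: the entry is silently dropped,
            # which is the symptom reported in this issue.
            continue
        entries.append((src, p2["pinghost"]))
    return entries


if __name__ == "__main__":
    print("interfaces only:", pinghost_entries(PHASE2, INTERFACE_ADDRS))
    print("with virtual IPs:", pinghost_entries(PHASE2, INTERFACE_ADDRS, VIRTUAL_IPS))
```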