Bug #8551

closed

Routed IPsec/VTI is unable to communicate from the ipsecX interface address to a routed target

Added by Jim Pingle almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: IPsec
Target version:
Start date: 06/06/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture: All

Description

Breaking this away from #8544 since the feature in general works aside from this separate issue.

With routed IPsec, the VTI interface (e.g. ipsec1000) has its own address. This address can communicate with its peer at the other end of the tunnel OK, but it cannot reach a subnet routed to the peer. The packet appears on the ipsecX and enc0 interfaces but no outbound ESP packet is generated for it, as if it did not match.

LAN-to-LAN communication routed across the ipsecX interface works as expected; only communication from firewall A itself to the LAN subnet(s) or beyond at firewall B fails. Setting a source address for ping or ssh to a LAN address enables the firewall to reach the remote LAN, similar to what was needed for tunneled IPsec in the same situation, but in this case the firewall is already picking the correct source.

It's not a regression since the behavior is similar to previous behavior, so it's not a huge problem, but it would be nice to solve it if we can.

More info at https://forum.netgate.com/topic/131420/routed-ipsec-using-if_ipsec-vti-interfaces/25
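The source-address test described above, turned into a small check. This is an added example, not part of the ticket or of pfSense: it reads two tcpdump captures taken during one ping test (inner side on enc0, outer side on the WAN interface filtered on esp) and reports whether packets that reached enc0 were actually sent as ESP. The WAN interface name, all addresses and all capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the ticket or of pfSense. It reads two
# tcpdump captures taken during one ping test (inner side: `tcpdump -tni enc0`,
# outer side: `tcpdump -tni <wan> esp`, hypothetical WAN name) and reports whether
# packets that reached enc0 were actually sent as ESP. All addresses and capture
# lines below are constructed samples.

# count_inner SRC CAPTURE: inner packets on enc0 sent from SRC.
count_inner() {
    printf '%s\n' "$2" | grep -c "IP $1 > " || true
}

# count_esp_out LOCAL_WAN CAPTURE: ESP packets leaving from our outer address.
count_esp_out() {
    printf '%s\n' "$2" | grep -c "IP $1 > .*ESP(spi=" || true
}

# check_encap SRC LOCAL_WAN ENC0_CAPTURE OUTER_CAPTURE
# Returns 0 when ESP left the box alongside the inner packets, 1 when traffic
# showed up on enc0 but no outbound ESP followed (the symptom in this ticket).
check_encap() {
    inner=$(count_inner "$1" "$3")
    esp=$(count_esp_out "$2" "$4")
    echo "src=$1 inner_on_enc0=$inner esp_out=$esp"
    if [ "$inner" -gt 0 ] && [ "$esp" -eq 0 ]; then return 1; fi
    return 0
}

# Case A (constructed): ping -S 10.6.100.1 10.7.0.10 from the VTI address.
ENC0_VTI='IP 10.6.100.1 > 10.7.0.10: ICMP echo request, id 41, seq 0, length 64
IP 10.6.100.1 > 10.7.0.10: ICMP echo request, id 41, seq 1, length 64'
OUTER_VTI=''

# Case B (constructed): ping -S 10.6.0.1 10.7.0.10 from the LAN address.
ENC0_LAN='IP 10.6.0.1 > 10.7.0.10: ICMP echo request, id 42, seq 0, length 64
IP 10.7.0.10 > 10.6.0.1: ICMP echo reply, id 42, seq 0, length 64'
OUTER_LAN='IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x5), length 116
IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0d3c2b1a,seq=0x5), length 116'

check_encap 10.6.100.1 203.0.113.1 "$ENC0_VTI" "$OUTER_VTI" || echo "-> not encapsulated"
check_encap 10.6.0.1 203.0.113.1 "$ENC0_LAN" "$OUTER_LAN" && echo "-> encapsulated OK"
```

On a live firewall, run the two tcpdump captures in the background while issuing `ping -S <source> <remote-lan-host>`, then feed the saved output to check_encap with the VTI address and again with a LAN address; the report's symptom is the first returning 1 and the second returning 0.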
