We have a similar issue trying to NAT incoming traffic from an AWS IPSec VPN static tunnel, out a WAN connection (see attached image and more details below).
We even used the AWS VPC VPN Wizard that comes with the paid version of pfSense. We even worked with pfSense support (Netgate), but they couldn't resolve this issue for us.
I think there may be an issue with BSD NATing traffic from IPsec with the way that AWS VPC VPN works.
AWS changed their IPsec VPC VPN connection settings last year, and we started to get drop-outs due to having multiple Phase2 entries or SAs. We removed our Phase2 SAs and got the tunnels working using routing on the AWS -> VPC -> VPN Connection -> "Static Routes".
This fixed things for a bit.
Recently AWS changed their IPsec VPC VPN connection settings again, and this caused us some real problems with pfSense. We found strange traffic when capturing packets from pfSense, or capturing packets from a device outside the WAN interface of our pfSense box. We were seeing replies to AWS IPsec NATed traffic, coming back from the Internet, that were addressed to the WAN address AND the private non-NATed IP address of the AWS system. This meant that pfSense was somehow mangling the packet and sending the private IP address out the WAN. Netgate claimed it was the fault of the system on the Internet trying to communicate with the AWS private IP. There would be no other way for the Internet system to know the private IP of the AWS system.
It seems pfSense is unable to properly NAT traffic coming from an AWS VPC static IPsec tunnel.
![2016-05-11 NATting AWS IPSec traffic out WAN.jpg](/public/imported_attachments/1/2016-05-11 NATting AWS IPSec traffic out WAN.jpg)