IPSec VTI is a dream...
Have been running pfSense for quite many years incl. IPsec
and have always found the strange and cumbersome way
the traditional IPsec handles the "routing" of subnets a bit frustrating.
This until the VTI was introduced, which has been very liberating.
I REALLY do like this, and it has worked wonders in my system, where
OS-based routing could be used and there is full transparency
of what goes where... I would like to thank the one who added this.
And of course all the contributors to the whole pfSense project. Kudos...
I have a dual site-to-site IPsec VTI setup where everyone routes to everyone,
as if all were within the same location.
Location 1. Location 2. Location 3.
Lan1 - pfsense1 - IPsec - pfsense2 - Lan2 / IPsec - pfsense3 - Lan3
#1. 192.168.120.0 / 121.0
#2. 192.168.10.0 / 12.0
All 5 nets could reach each other from any of the locations.
Of course through rules...
Works like a charm. One thing to think of is that the transport net sometimes
will be the source address of packets, so this needs to be included in the rules...
Have not tested routing protocols such as OSPF yet, as my net is too small
and it feels a bit overkill.
As I have everything set up and working with VTI, I could help out if I can,
if someone needs any help, hints in the right direction, or possible pitfalls.