IPSEC ESP uses wrong source IP
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
Just in case someone face same issue: I had to specify a separate Outbound NAT rule for ESP:
Protocol: ESP
Source: This Firewall (self)
Destination: Any
Address: VIP address