Netgate Discussion Forum
    IPSEC Hub to spoke VTI issue/limitation.

    1 Posts 1 Posters 367 Views
    DV 0 (last edited by DV 0)

      Hello dear community,

      Recently we have decided to move away from our dying Cisco 2921s to pfSense. We were hoping for a smooth and easy implementation. But "oh boi", we couldn't have been more wrong.

      Current setup:

      • Around 300 peers, 95% Cisco ASAs, the rest MikroTiks and Fortigates.
      • We use certificates (OpenXPKI).
      • Dynamic peers, each of which "brings" a /25 (99% on static public IPs, but there are exceptions).
      • Peers use 2x phase 2 (a /24 each) to the datacenter, with no communication between each other.

      The Cisco is set up as VTI, and I am able to see all the peers' /25s in the routing table. The peers are all in tunnel mode.

      And here comes the fun part:
      With some headache we managed to connect each type of device to pfSense (mainly the ASAs working only with SHA1 as the hash for AES-GCM; kind of trial and error), but all good in tunnel mode.

      The problem comes with the VTI implementation: pfSense seems to work only with a /30 transport subnet and will not let us use 0.0.0.0/0 as the remote network.
      With 2.7, the remote gateway cannot be 0.0.0.0 in VTI.

      In reality we do not insist on VTI on the pfSense side, but what we need is to propagate these peers' /25s via OSPF further into the network. If that's somehow doable reliably with tunnel mode, we are fine with that.

      And that's my question: has anyone faced the same or a similar use case in the past?
      I really wonder if there is any way we can make this work, or whether we have to take a different path.

      Thank you

      David

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.