Cato Networks to pfSense Site-to-Site VPN

Has anyone successfully set up a site-to-site IPsec VPN between Cato Networks and pfSense?

We got Phase 1 and Phase 2 to come up, but routing is not working.

We are configured with IKEv2 and routed mode.

We are not sure what IP to assign to the pfSense VTI interface and what IP to use for the pfSense next hop.

The Cato Management Application does not make this obvious. The CMA only provides a native network subnet, which is not a specific IP.

Not something I have used, and why would a modern security company not be using a more modern protocol like WireGuard?

This should help you. Also, know the limitations of using VTI.

Great call-out on the WireGuard. In my experience, enterprise is sloow on WireGuard.

I appreciate the Netgate doc. The issue is that Cato doesn't set up the transit network between the pfSense VTI and Cato. Cato expects the far end to send all traffic across with a 0.0.0.0/0 route. pfSense will dump all traffic across the tunnel that way and lose management access. Ask me how I know :)


We did get this working.

We needed to set Private IPs for Cato and for Site under IPsec → Primary → Private IPs.

We also needed to set a secondary direct network for the remote network under routing → Networks.

I can provide more documentation if anyone is curious.

Thank you to Tom for so many great resources.
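As an added illustration that is not part of the original thread (not Cato's, Netgate's or any poster's code): a small Python model of the forwarding decision pfSense makes for the two situations described above, the 0.0.0.0/0-over-the-VTI setup that loses management access, and the working setup with transit "private IPs" on the VTI plus a specific route for the remote network. All addresses are constructed assumptions: 10.255.0.0/30 as the transit subnet, 172.16.0.0/16 as the remote network behind Cato, 203.0.113.0/24 as the WAN segment, and 198.51.100.20 as an admin workstation reaching the firewall from outside.

```python
import ipaddress

# Constructed example values (assumptions, not taken from the thread or from Cato docs).
VTI_LOCAL = ipaddress.ip_interface("10.255.0.1/30")   # pfSense side of the VTI transit /30 ("Site" private IP)
VTI_PEER = ipaddress.ip_address("10.255.0.2")          # Cato side of the transit /30 ("Cato" private IP)
WAN_GW = ipaddress.ip_address("203.0.113.1")           # upstream gateway on the WAN segment
REMOTE_NET = ipaddress.ip_network("172.16.0.0/16")     # remote network reachable through Cato
MGMT_HOST = "198.51.100.20"                            # off-net admin workstation managing pfSense via WAN


def egress(routes, dst):
    """Longest-prefix match over [(network, gateway, interface)].

    Returns (gateway, interface) for the most specific matching route, or None.
    `dst` may be a string or an ipaddress address object.
    """
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def broken_table():
    """Default route sent into the tunnel, as the '0.0.0.0/0 to Cato' expectation invites."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), VTI_PEER, "ipsec1"),
        (VTI_LOCAL.network, None, "ipsec1"),                   # connected transit /30
        (ipaddress.ip_network("203.0.113.0/24"), None, "wan"),  # connected WAN segment
    ]


def fixed_table():
    """Default stays on WAN; only the remote network is routed to the Cato transit IP."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), WAN_GW, "wan"),
        (REMOTE_NET, VTI_PEER, "ipsec1"),                       # specific route via the VTI peer
        (VTI_LOCAL.network, None, "ipsec1"),
        (ipaddress.ip_network("203.0.113.0/24"), None, "wan"),
    ]


def management_reply_interface(routes):
    """Interface the firewall would use to answer the off-net admin host."""
    return egress(routes, MGMT_HOST)[1]


if __name__ == "__main__":
    for name, table in (("broken", broken_table()), ("fixed", fixed_table())):
        print(f"{name}: reply to admin host leaves via {management_reply_interface(table)}; "
              f"172.16.5.9 via {egress(table, '172.16.5.9')[1]}")
```

The point the model makes is that a default route pointing at the VTI peer captures the return path to any host that is not on a directly connected segment, which includes whoever is administering the firewall over the WAN; with the transit /30 in place, a route for just the remote prefix via the Cato private IP gets the same traffic into the tunnel while the default keeps pointing at the WAN gateway.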