Discussion:
[pfSense] pfsense/shell ipsec behavior
Uttam Singh
2012-04-28 00:14:26 UTC
I have a question on VPN/IPSEC behavior and looking for insight here.

In my setup, I have 2 networks connected via ipsec.

192.168.0.0/24---- pf -------internet--------cisco/linksys-----192.168.10.0/24

+ All traffic between hosts on 192.168.0.0/24 and 192.168.10.0/24 works fine.
+ pf is setup as default gateway (192.168.0.1)

Uttam Singh
2012-04-28 01:44:29 UTC
OK - figured this part out.

I needed to use "ping -S <source ip-address>..." when pinging an
ipsec-network host from the pf device itself.

Any ideas on how to make this work for iperf in client mode?

Is there any way to specify a "default System IP Address"?

I see that a Virtual IP can only be created for LAN or WAN interface
but not IPSEC interface.

btw - I am running stock 2.0.1 release.
Jan
2012-04-29 10:13:18 UTC
Post by Uttam Singh
I needed to use "ping -S <source ip-address>..." when pinging an
ipsec-network host from the pf device itself.
Correct.
Post by Uttam Singh
Any ideas on how to make this work for iperf in client mode?
Is there any way to specify a "default System IP Address"?
I see that a Virtual IP can only be created for LAN or WAN interface
but not IPSEC interface.
You'll have to create a bogus static route...

----------------------------------8<--------------------------------------
[...]
Due to the way IPsec tunnels are kludged into the FreeBSD kernel, any
traffic *initiated* by m0n0wall to go through an IPsec tunnel gets the
wrong source IP (and typically doesn't go through the tunnel at all as a
result). Theoretically this *shouldn't* be an issue for the *server* side
of SNMP, but perhaps the server has a bug (well, deficiency, at least)
where it doesn't send the response out through a socket bound to the
request packet. You can fake it out by adding a bogus static route to the
remote end of the tunnel via the m0n0wall's LAN IP (assuming that's within
the near-end tunnel range). A good test is to see whether you can ping
something at the remote end of the tunnel (e.g. the SNMP remote) *from* the
m0n0wall. There's an annoying but mostly harmless side-effect to this -
every LAN packet to the tunnel elicits a no-change ICMP Redirect.
[...]
To do this on 2.0, click System > Routing. On the Gateways tab, click +
and add a gateway using your LAN IP address (check the box to disable
monitoring). Save/Apply, then go to the Static Routes tab, click +, enter
the remote VPN network in the "Destination Network" box, select the LAN IP
gateway that was created before, and add a description if you want, then
Save/Apply.
[...]
---------------------------------->8--------------------------------------

For further details see:

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

HTH

Cheers
Jan

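The shell equivalent of the GUI procedure above, as an added example that is not part of the original thread or of pfSense itself: it builds the FreeBSD route(8) command that points the remote tunnel network at the firewall's own LAN IP, so that locally originated traffic (ping, iperf -c, SNMP, syslog) picks the LAN IP as its source and matches the IPsec policy. The addresses (LAN IP 192.168.0.1, remote network 192.168.10.0/24, remote test host 192.168.10.10) are taken from the diagram in the first post and are placeholders for your own. It runs in dry-run mode by default; a route added from the shell like this is not saved by pfSense and is gone after a reboot, which is why the GUI static route is the permanent fix.

```shell
#!/bin/sh
# Added example, not from the original thread: CLI form, run on the pfSense
# box itself, of the "bogus static route" workaround described in the reply.
# Hypothetical addresses (replace with your own):
#   LAN IP 192.168.0.1, remote tunnel net 192.168.10.0/24, test host 192.168.10.10
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.

LAN_IP="${LAN_IP:-192.168.0.1}"
REMOTE_NET="${REMOTE_NET:-192.168.10.0/24}"
REMOTE_HOST="${REMOTE_HOST:-192.168.10.10}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only a dotted-quad IPv4 address, optionally with a /0-/32 prefix,
# so a typo cannot reach route(8) with a half-formed argument.
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# FreeBSD route(8): send the remote tunnel network via the LAN IP. The kernel
# then selects the LAN IP as source for traffic the firewall originates,
# which is what lets that traffic match the IPsec security policy.
route_add_cmd() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'route add -net %s %s' "$1" "$2"
}

# Undo for the temporary route.
route_del_cmd() {
    is_ipv4 "$1" || return 1
    printf 'route delete -net %s' "$1"
}

# The manual workaround from the thread: pin the source address explicitly.
ping_source_cmd() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'ping -c 3 -S %s %s' "$1" "$2"
}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        echo "+ $*"
        eval "$*"
    fi
}

main() {
    add="$(route_add_cmd "$REMOTE_NET" "$LAN_IP")" ||
        { echo "invalid address in LAN_IP/REMOTE_NET" >&2; return 1; }
    run "$add"
    # Confirm which source/interface the kernel now picks for the remote host.
    run "route -n get $REMOTE_HOST"
    # With the route in place a plain ping works; the -S form is the fallback.
    run "ping -c 3 $REMOTE_HOST"
    run "$(ping_source_cmd "$LAN_IP" "$REMOTE_HOST")"
    # iperf client mode needs no bind option once the route is present.
    run "iperf -c $REMOTE_HOST -t 10"
}

main "$@"
```

Run it once with the defaults to review the commands, then with `DRY_RUN=0` to apply them; `route_del_cmd "$REMOTE_NET"` gives the command to remove the route again. Expect the ICMP redirect side effect the quoted text mentions for LAN hosts whose traffic to the tunnel now bounces off the firewall's LAN IP.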