I recently switched a site-to-site IPsec (IKEv2) tunnel to OPNsense (from an old SecurePoint; the peer is a Sophos XGS3000).
I am announcing two routes to the remote, but only one gets set up. The SA database shows duplicated entries for one route; the second stays absent.
The tunnel is set up to immediately set up the SAs.
The remote is set up to respond only.
If I forcefully connect from the remote end, both routes are connected.
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  margintime = 120s
  rekeyfuzz = 50%
  forceencaps = no
  installpolicy = yes
  type = tunnel
  closeaction = restart
  left = 217.24.x.x
  right = 94.134.y.y
  leftid = 217.24.x.x
  ikelifetime = 28800s
  lifetime = 28800s
  ike = aes256gcm16-sha256-modp4096!
  leftauth = psk
  rightauth = psk
  rightid = 94.134.x.x
  reqid = 1
  rightsubnet = 172.16.0.0/16
  leftsubnet = 192.168.20.0/24,192.168.30.0/24
  esp = aes256-sha256-modp4096!
  auto = start
Any hints are highly appreciated.
Alex
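Added example, not part of the original post and not OPNsense's or strongSwan's own code. The generated conn above carries two leftsubnet values in a single conn, so strongSwan proposes both subnet pairs as traffic selectors of one CHILD_SA. A peer that only installs one selector pair per CHILD_SA narrows the proposal, and only the first pair comes up; that is consistent with one route being present and the other absent. The script below parses an ipsec.conf text, lists the subnet pairs each conn would propose, and rewrites any multi-pair conn into one conn per pair (each with its own reqid), which is the usual way to get one CHILD_SA per pair. The sample config is constructed from the post's values with the same placeholder addresses; the conn names it generates (con1-1, con1-2) are this script's own convention.

```python
"""Expand a multi-subnet strongSwan ipsec.conf conn into one conn per
subnet pair.  Added example, not OPNsense's or strongSwan's own code.

Assumption (stated in the lead-in): strongSwan proposes all
leftsubnet x rightsubnet combinations as traffic selectors of a single
CHILD_SA; a peer that accepts only one pair per CHILD_SA narrows the
proposal, so only the first pair is installed.  Giving each pair its own
conn (hence its own CHILD_SA) avoids the narrowing.
"""
from itertools import product

# Constructed sample modelled on the post's config (addresses are placeholders).
SAMPLE_CONF = """\
config setup
  uniqueids = yes

conn con1
  keyexchange = ikev2
  type = tunnel
  left = 217.24.x.x
  right = 94.134.y.y
  reqid = 1
  rightsubnet = 172.16.0.0/16
  leftsubnet = 192.168.20.0/24,192.168.30.0/24
  esp = aes256-sha256-modp4096!
  auto = start
"""


def parse_conf(text):
    """Return [(section_header, [(key, value), ...]), ...] in file order.
    ipsec.conf semantics: an unindented line starts a section, indented
    lines are its parameters.  Comments and blank lines are dropped."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[1].append((key.strip(), value.strip()))
    return sections


def subnet_pairs(params):
    """All (leftsubnet, rightsubnet) pairs a conn would propose as selectors."""
    d = dict(params)
    lefts = [s.strip() for s in d.get("leftsubnet", "").split(",") if s.strip()]
    rights = [s.strip() for s in d.get("rightsubnet", "").split(",") if s.strip()]
    return list(product(lefts, rights))


def render(header, params):
    """Serialise one section back into ipsec.conf syntax."""
    body = "\n".join(f"  {k} = {v}" for k, v in params)
    return f"{header}\n{body}\n"


def split_multi_subnet_conns(text):
    """Rewrite every conn with more than one subnet pair into one conn per
    pair.  The first child keeps the original reqid; later children get a
    fresh reqid above the highest one already in the file, so their kernel
    policies never collide."""
    sections = parse_conf(text)
    used = [int(v) for _, p in sections for k, v in p if k == "reqid" and v.isdigit()]
    next_reqid = max(used, default=0) + 1
    out = []
    for header, params in sections:
        pairs = subnet_pairs(params)
        if not header.startswith("conn ") or len(pairs) <= 1:
            out.append(render(header, params))
            continue
        name = header.split(None, 1)[1]
        for idx, (left_net, right_net) in enumerate(pairs, start=1):
            new_params = []
            for key, value in params:
                if key == "leftsubnet":
                    value = left_net
                elif key == "rightsubnet":
                    value = right_net
                elif key == "reqid" and idx > 1:
                    value = str(next_reqid)
                    next_reqid += 1
                new_params.append((key, value))
            out.append(render(f"conn {name}-{idx}", new_params))
    return "\n".join(out)


if __name__ == "__main__":
    print(split_multi_subnet_conns(SAMPLE_CONF))
```

Running it on the sample prints one conn per subnet pair. On OPNsense the generated file is overwritten by the GUI, so the equivalent there is to keep one Phase 2 entry per local network and tick the Phase 1 option "Split connections" so each Phase 2 becomes its own conn rather than one conn with a comma-separated leftsubnet; after that, the SA database should show a separate CHILD_SA for each pair instead of duplicates for one.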
In case it matters, the subnet that doesn't get routed is a "Virtual IP Address" on the same interface of the OPNsense as the network that does get routed.
Since the additional route is set up when I connect manually (forcefully) from the Sophos side, I switched the setup to "respond only" on the OPNsense side, hoping to have it come up when the remote end establishes the connection.
Yet that didn't work either :(
I renamed the topic as I am guessing this might have something to do with a virtual IP.
This is what I am trying to route:
Interface LAN: 192.168.20.1
Interface LAN: 192.168.30.1 (virtual IP)
Networks to be routed to the remote IPSec site:
192.168.20.0/24
192.168.30.0/24
Any ideas?