Good Morning,
we are quite new to the OPNsense world and have mostly used Sophos UTM and a few XGs in the past.
My problem is, we have several customers with multiple locations and dynamic external IPs.
With the Sophos UTM that wasn't a problem, since the "any" option meant the Sophos checked the incoming IPsec requests and when there was a match of the Phase 1/2 and PSK, the tunnel went up.
The OPNsense should be able to do the same, at least that's what our support partner told me.
Basically what I need to do is put in a "fake" IP in the remote gateway, since the configuration cannot be saved unless a remote gateway IP is given.
I tried it with the option "Allow any remote gateway to connect" and without, but what happens is that one tunnel goes live while the other one(s) try to use the parameters of the first tunnel, not the ones following after.
Attached to the post there is an example configuration of what I did and how it is supposed to work.
Is there a way to get it done, or if I am wrong in my setup (which could definitely be the case), then I would appreciate any help.
In the given example there are four Sophos UTMs on the remote sides, so IKEv1 is the only option.
Thank you for any help in advance =)
			
			
			
I would try to explicitly use different IDs. Even if the IP addresses are dynamic you could use 1.2.3.4, 1.2.3.5, etc. as the remote ID and set that explicitly in the remote firewalls. As far as I know the phase 1 in strongSwan relies on the IDs of the respective partners. Might as well try using FQDNs or email addresses like location1@mycompany.com etc. as IDs.
			
			
			
IDs are all different and set to the specific one of each remote gateway. The support mentioned the remote gateway as the needed option to differentiate between each tunnel, but that's not working.
In the log I can see which IPsec parameters are coming from the remote sites and which ones the OPNsense provides, and with that I can see the OPNsense uses the same tunnel for each incoming connection and therefore a mismatch occurs.
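To make the ID-based approach from the first reply concrete, and to show why it can still fail the way the last post describes, here is an added strongSwan configuration fragment; it is not from the thread and not OPNsense's generated config, and all hostnames, networks and secrets are placeholders. With IKEv1 and PSK the responder can only choose a per-site secret from the peer ID in aggressive mode; in main mode the ID arrives encrypted after the PSK has already been used, so every `%any` peer falls into the first matching conn and shares one PSK.

```conf
# --- ipsec.conf (hypothetical; OPNsense writes its own copy) ---
conn %default
    keyexchange = ikev1
    auto = add                       # responder only: the remote UTM initiates, its IP changes
    authby = secret
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    left = %defaultroute
    leftid = fw-hq.example.net       # placeholder; the UTMs use this as their remote gateway ID
    leftsubnet = 10.0.0.0/24         # placeholder HQ network
    right = %any                     # dynamic external IPs: accept from any address
    # Aggressive mode sends the peer ID before the PSK is needed, so strongSwan can
    # select the per-site secret below. In main mode all %any peers must share one PSK.
    aggressive = yes

conn site1
    rightid = site1.example.net      # placeholder; set as local ID on the Sophos UTM at site 1
    rightsubnet = 10.1.0.0/24        # placeholder remote network

conn site2
    rightid = site2.example.net      # placeholder; set as local ID on the Sophos UTM at site 2
    rightsubnet = 10.2.0.0/24

# --- ipsec.secrets (hypothetical) ---
# Secrets are keyed by the ID pair, so each site gets its own PSK.
fw-hq.example.net site1.example.net : PSK "PLACEHOLDER-SITE1-SECRET"
fw-hq.example.net site2.example.net : PSK "PLACEHOLDER-SITE2-SECRET"
```

Aggressive mode with PSK lets any initiator obtain a hash of the secret for offline guessing, so the per-site secrets should be long and random; IKEv2 with per-peer IDs avoids this limitation entirely, but as the original post notes the remote Sophos UTMs only support IKEv1 here.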