I don't know if its a bug or not:
- Create an IPsec Tunnel with a dynamic endpoint in phase 1
- Set a manual SPD entry in phase 2 (for example the additional network 192.168.100.0/24 so you can use NAT rules)
After the tunnel comes up, the SPD Entry works. But when the dynamic endpoint changes IP, the tunnel comes back up and the SPD Entry becomes invalid. The NAT rules stop working.
Whenever that happens I have to manually remove the SPD entry, save the config, and then re-add it.
			
			
			
				Hi, We have a similar issue.
We phase 1 that point to a FQDN with 3 IPs associated. This phase 1 have "respond only" as connection method and "Allow any remote gateway to connect", so the initator is the firewall on the other side.
This phase 1 have multiple phase 2 associated, one of this phase 2 have a manual SPD entry that contain a private subnet. When the initiator change its exit IP seems that the SPD entry aren't updated.
 
Example:
My OPNsense have the IP: 4.4.4.4
The phase 1 have "firewall.fqdn" as remote gateway that are resolved with the following IPs:
firewall.fqdn.    300 IN  A 1.1.1.1
firewall.fqdn.    300 IN  A 2.2.2.2
firewall.fqdn.    300 IN  A 3.3.3.3
 
The phase 2 entry have the following subnet:
Local: 192.168.1.0/24
Remote: 192.168.2.0/24
Manual SPD entries: 192.168.3.0/24
 
The initiator on the other side open the s2s using the IPs 1.1.1.1, and the following SPD entries are created:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
192.168.2.0/24[any] 192.168.1.0/24[any] 1.1.1.1->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case everything works fine
 
When on the initiator side the firewall reopen connection using an IP different from 1.1.1.1 (eg. 2.2.2.2) the SPD entries are broken.
Checking the SPD we can see the following entries:
192.168.1.0/24[any] 192.168.2.0/24[any] 4.4.4.4->2.2.2.2
192.168.2.0/24[any] 192.168.1.0/24[any] 2.2.2.2->4.4.4.4
192.168.3.0/24[any] 192.168.2.0/24[any] 4.4.4.4->1.1.1.1
In this case the traffic from/to 192.168.3.0/24 aren't routed correctly.
Someone have encountered and solved this issue?
Versions:
OPNsense 24.1.1-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.13
			
			
			
				Hi,
Same issue here with 2 ipsec tru STARLINK CGNAT dynamic IP. 
Not with landline standard dynamic IP.
Any SPD are mapped with the last and the new tunnel endpoint then, no data flows
By the way, i used tunnel isolation, mobike disable, Unique=replace
and Dynamic gateway mode enabled
Looking to dev a script to reload correctly the TUNNEL and clear all SPD enties.
So far, only disable - clear tunnel - enable makes the job - manually.
maybe it's relarive to this case:
https://github.com/opnsense/core/issues/6061
thanks for help