Hello,
I'm running the latest release of OPNsense v25.1.5. I have 4 tunnels configured using the legacy IPsec and was able to transfer them over to the new Connections and disabled the tunnels in legacy.
One of the tunnels I'm having issues with has two child objects:
My FW: "192.168.2.5/32"
Other FW: "10.168.9.1/32 and 172.2.2.1/32"
I can only connect to the first child, "10.168.9.1". If I change the config and use "172.2.2.1" as the first child, it will connect and "10.168.9.1" will be dropped. I have tried adding both tunnel IPs into one child object, but still the same issue: only the first will connect.
I don't have this issue when using the legacy tunnel, which is nearing EOL.
For the time being I have enabled legacy for "172.2.2.1" and Connections for "10.168.9.1".
Can someone please provide some help? I'm lost.
Quote from: niravopn23 on May 06, 2025, 05:56:28 PM
One of the tunnels I'm having issues with has two child objects:
My FW: "192.168.2.5/32"
Other FW: "10.168.9.1/32 and 172.2.2.1/32"
Try to put both into a single child.
I already tried that, but same issue: only the first IP gets connected.
Can anyone please provide some help?
Did you ever get this resolved? Same issue, and I ended up having child objects for each.
Quote from: guyp2k on May 18, 2025, 05:47:07 AM
Did you ever get this resolved? Same issue, and I ended up having child objects for each.
Unfortunately no. I have tried separate child objects and only the first child obj will connect. If you got it working, can you provide some guidance? Currently I have a legacy tunnel for one child obj and new Connections for the second.
Thank you
Hello all,
today I wanted to build a tunnel in a similar scenario, where there are multiple remote networks in one child SA. I also get only one SA, with one of the remote networks, established. What kind of limitation is this? Is there a solution for it? Otherwise we will not be able to use OPNsense for our customers... This is a common scenario that needs to work.
Any feedback appreciated!
I had to migrate some IPsec connections to OPNsense now and wanted to do it with the new Connections right from the start, and faced the same issue.
Luckily I finally got both SPDs for the remote networks up after an uphill struggle, by setting the "Start action" in the child settings to "Start".
You can also use "Trap+start", which should not start the tunnel before relevant traffic is initiated.
I will test with your recommended setting and will provide feedback.
Thank you!
I have to add here that even though both remote subnets showed up in the Security Policy Database, only the first one actually worked as long as I didn't set a unique Reqid in the child.
So a Reqid seems to be essential for the new Connections with multiple remote or local subnets at this time.
I noticed that without setting a Reqid, Reqid 1 was shown for each SPD. This led me to suspect that something must be wrong with it.
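For reference, here is what the working setup from the last two posts (one child per remote network, "Start action" set to start, and a distinct Reqid per child) looks like expressed directly in strongSwan's swanctl.conf syntax, which is what the OPNsense Connections UI generates under the hood. This is an added example written for this thread, not a file taken from OPNsense or from any poster; the WAN addresses, IKE identities, proposals and the PSK are placeholders (assumptions), only the traffic selectors are the ones from the thread.

```conf
# Added example: hand-written swanctl.conf equivalent of the discussed setup.
# 203.0.113.10 / 198.51.100.20, the ids, the proposals and the PSK are
# assumed placeholders; 192.168.2.5, 10.168.9.1 and 172.2.2.1 are from the thread.
connections {
    site-a-to-b {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        children {
            # One child per remote network, each with its own reqid.
            # With reqid left unset both children showed reqid 1 in the
            # SPD and only the first one passed traffic (see thread).
            to-10-168-9-1 {
                local_ts  = 192.168.2.5/32
                remote_ts = 10.168.9.1/32
                reqid = 101
                start_action = start
                esp_proposals = aes256-sha256-modp2048
            }
            to-172-2-2-1 {
                local_ts  = 192.168.2.5/32
                remote_ts = 172.2.2.1/32
                reqid = 102
                start_action = start
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}

secrets {
    ike-site-b {
        id = 198.51.100.20
        secret = "replace-with-the-real-psk"
    }
}
```

On OPNsense you set the same things in the Connections UI (the child's "Reqid" and "Start action" fields) rather than editing the generated file, which is overwritten on apply. To check the result from a shell, `swanctl --list-sas` should show two CHILD_SAs under the connection, each with its own reqid, and `swanctl --list-pols` should list both policies with different reqids; if both still report the same reqid, the duplicate-reqid symptom from the thread is still present. Putting both remote networks into a single child as `remote_ts = 10.168.9.1/32,172.2.2.1/32` is valid swanctl syntax, but many peers only accept one selector pair per CHILD_SA and narrow to the first, which matches what the original poster saw, so separate children are the more portable choice.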