Hi everyone,
I'm trying to establish an IKEv2 policy-based IPsec VPN to a remote site that I do not control. The tunnel itself comes up successfully, but no traffic passes through it.
Some relevant details:
The remote network is a public IP address range.
My setup looks like this:
WAN — OPNsense — 192.168.1.0/24 — third-party router — 192.168.2.0/24
When I try to send traffic from a device in the 192.168.2.0/24 network to the remote site, I see the following entry in the OPNsense firewall logs:
LAN 2025-07-09T11:51:12 192.168.2.113 <Remote IP> ICMP Default deny / state violation rule
There are firewall rules on OPNsense allowing traffic from both 192.168.1.0/24 and 192.168.2.0/24 to the remote network and the other way around.
I'm on OPNsense 25.1.10. I'm not new to the firewall world, but that's my first OPNsense.
My theory:
OPNsense might be routing the traffic to the WAN interface (since the destination is a public IP) before checking whether it matches a Phase 2 selector for the IPsec tunnel.
Unfortunately, switching to route-based VPN is not an option in this scenario.
Questions:
Has anyone encountered a similar issue where policy-based IPsec to a public IP subnet results in traffic being routed incorrectly?
Is there a way to force OPNsense to treat that public remote subnet as reachable via IPsec?
Quote from: random257 on July 09, 2025, 12:14:15 PM
My setup looks like this:
WAN — OPNsense — 192.168.1.0/24 — third-party router — 192.168.2.0/24
So have you configured the phase 2 with 192.168.2.0/24 as the local network?
Quote from: viragomann on July 09, 2025, 01:24:35 PM
So have you configured the phase 2 with 192.168.2.0/24 as the local network?
Yes I did.
Quote from: random257 on July 09, 2025, 12:14:15 PM
LAN 2025-07-09T11:51:12 192.168.2.113 <Remote IP> ICMP Default deny / state violation rule
According to this log line, ICMP from 192.168.2.113 to the remote IP is not allowed.
So check your LAN rules.