OPNsense Forum

English Forums => Virtual private networks => Topic started by: ivica.glavocic on September 30, 2025, 10:00:06 AM

Title: IPSEC site to site tunnel with other side behind NAT
Post by: ivica.glavocic on September 30, 2025, 10:00:06 AM
I set up an IPSEC site-to-site tunnel with OPNsense having a public IP and a NAT-ed Fortigate on the other site.
The Fortigate is behind an ISP router, its WAN has a private IP, and all necessary ports are forwarded from the ISP router to the Fortigate:

OPNSENSE (PUBLIC IP) ---- ISP (PUBLIC IP) --- Fortigate (Private IP)

With other devices, for the IPSEC site-to-site tunnel to work, all it took was to set up the remote (FG) ID as its private IP.
With OPNsense I just can't make it work with the same configuration. The log says:

looking for peer configs matching OPNSensePublicIP[%any]...ISPPublicIP[FGprivateIP]
no matching peer config found

What am I doing wrong?
Title: Re: IPSEC site to site tunnel with other side behind NAT
Post by: viragomann on October 01, 2025, 11:51:12 PM
So you set up a legacy IPsec?
You should consider that this is deprecated and will not be available anymore in future versions.

Quote from: ivica.glavocic on September 30, 2025, 10:00:06 AM
With other devices, for the IPSEC site-to-site tunnel to work, all it took was to set up the remote (FG) ID as its private IP.
I don't know what you configured there.

Anyway, you have to distinguish the remote gateway from the remote identifier.
If the remote endpoint is behind a router, you have to specify the router's public IP as the remote gateway. But the remote identifier could be something else, like the local IP of the Fortigate (probably the default).

If the remote site is sending its local IP as the identifier, you have to specify this in your setup. Or try to set the identifier to "automatic".
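As an added illustration that is not part of either post and is not strongSwan's or OPNsense's code: a small Python model of the peer config lookup that the charon log line in the first post records, reduced to the two fields the reply distinguishes. The remote gateway (swanctl `remote_addrs`, OPNsense "Remote gateway") must contain the source address of the IKE packet, which is the ISP router's public IP, and the peer identifier (swanctl `remote.id`, OPNsense "Peer identifier") must equal the ID the Fortigate actually sends, its private WAN IP, unless it is set to `%any`. All addresses below are constructed from documentation ranges, and the candidate configuration names are hypothetical. Real strongSwan also checks the local address and identity, the IKE version and more; those are deliberately left out.

```python
import re
from dataclasses import dataclass

# Shape of charon's lookup message: local_addr[local_id]...remote_addr[remote_id]
LOG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<la>[^\[\s]+)\[(?P<li>[^\]]*)\]\.\.\.(?P<ra>[^\[\s]+)\[(?P<ri>[^\]]*)\]"
)

# Constructed sample line: OPNsense 203.0.113.10, ISP router 198.51.100.20,
# Fortigate WAN 192.168.1.2 (the ID it presents in IKE_AUTH).
SAMPLE_LOG = "looking for peer configs matching 203.0.113.10[%any]...198.51.100.20[192.168.1.2]"


@dataclass(frozen=True)
class PeerConfig:
    name: str
    remote_addrs: tuple  # swanctl remote_addrs / OPNsense "Remote gateway"
    remote_id: str       # swanctl remote.id / OPNsense "Peer identifier"; "%any" matches all


# Hypothetical candidate configurations, one per way the thread could be set up.
CONFIGS = [
    # Gateway right, identifier set to the public IP: fails on the identifier.
    PeerConfig("wrong-id", ("198.51.100.20",), "198.51.100.20"),
    # Gateway set to the Fortigate's private IP: the packet never matches this peer.
    PeerConfig("wrong-gateway", ("192.168.1.2",), "192.168.1.2"),
    # What the reply recommends: public IP as gateway, private IP as identifier.
    PeerConfig("good", ("198.51.100.20",), "192.168.1.2"),
    # Alternative from the reply: identifier left as "automatic" / %any.
    PeerConfig("any-id", ("198.51.100.20",), "%any"),
]


def parse_lookup(line):
    """Return (local_addr, local_id, remote_addr, remote_id) or None if not a lookup line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("la"), m.group("li"), m.group("ra"), m.group("ri")


def addr_matches(remote_addrs, packet_src):
    # The gateway field is compared against where the IKE packet came from,
    # i.e. the NAT router's public address, never the inner private address.
    return "%any" in remote_addrs or packet_src in remote_addrs


def id_matches(configured, presented):
    # The identifier field is compared against the ID the peer sends, which for
    # a NAT-ed Fortigate defaults to its own (private) WAN address.
    return configured == "%any" or configured == presented


def explain(configs, line):
    """Map each config name to 'match' or the reason it was rejected."""
    parsed = parse_lookup(line)
    if parsed is None:
        raise ValueError("not a peer config lookup line")
    _, _, packet_src, presented_id = parsed
    result = {}
    for c in configs:
        if not addr_matches(c.remote_addrs, packet_src):
            result[c.name] = (f"remote gateway {c.remote_addrs} does not include "
                              f"packet source {packet_src}")
        elif not id_matches(c.remote_id, presented_id):
            result[c.name] = (f"peer identifier {c.remote_id!r} does not match "
                              f"presented identifier {presented_id!r}")
        else:
            result[c.name] = "match"
    return result


def find_peer_config(configs, line):
    """Names of configs that would satisfy the lookup, in configured order."""
    return [name for name, why in explain(configs, line).items() if why == "match"]


if __name__ == "__main__":
    for name, why in explain(CONFIGS, SAMPLE_LOG).items():
        print(f"{name:14s} {why}")
    matched = find_peer_config(CONFIGS, SAMPLE_LOG)
    print("no matching peer config found" if not matched else f"selected: {matched[0]}")
```

Run against the constructed line, the first two candidates are rejected for exactly the two reasons the reply separates, and only the configs with the router's public IP as gateway and either the private IP or `%any` as identifier match. When debugging the real log, read the bracketed value after the `...` as the identifier the remote side presented and the address before it as the gateway OPNsense must be configured with.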