OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: lfranzelas@caseworthy.com on April 02, 2026, 06:03:04 PM

Title: IPsec (swanctl / Connections UI) with NAT + overlapping subnets (AWS ↔ Azure) –
Post by: lfranzelas@caseworthy.com on April 02, 2026, 06:03:04 PM
OPNsense version: OPNsense 25.7.4 (amd64)
IPsec configuration method: VPN → IPsec → Connections (swanctl)
Deployment: AWS EC2 (2 NIC – WAN + LAN)
Azure side: Azure Virtual Network Gateway (route-based VPN)

Topology:

AWS VPC: 10.2.0.0/16
Azure VNet: also 10.2.0.0/16 (overlapping)
Target resource in Azure: 172.18.5.4 (SQL MI endpoint)
NAT on OPNsense:
Source: 10.2.0.0/16
Destination: 172.18.5.4
Translated to: 172.31.255.1
Virtual IP configured on OPNsense:
172.31.255.1/32 (IP Alias)

Goal:
Allow AWS workloads (10.2.0.0/16) to access Azure resource 172.18.5.4, using NAT to avoid overlapping address space.

IPsec Configuration:

Phase 1 (Connection):

IKEv2
Local address: 10.2.0.171 (WAN private IP)
Remote address: Azure VPN Gateway public IP
UDP encapsulation enabled

Child SA:

Local: 172.31.255.1/32
Remote: 172.18.5.4/32
Mode: Tunnel
Observed Behavior:

1. With Policies OFF
Tunnel establishes successfully (IKE + CHILD SA)
NAT works (traffic translated correctly)
But logs show repeated:
querying policy 172.31.255.1/32 === 172.18.5.4/32 out failed, not found
Traffic does not flow

2. With Policies ON
Behavior changes significantly:
Traffic uses UDP 500 instead of 4500 (no NAT-T)
NAT appears to be bypassed
Azure side no longer sees expected source IP
Tunnel unstable / traffic fails

What I've already verified:

NAT rule is correct and hit counters increment
Virtual IP (172.31.255.1) is present and active
Azure side configured with matching selectors
Azure uses route-based gateway
Security groups / NSGs allow traffic
Tunnel consistently establishes (Phase 1 + Phase 2)

What I'm trying to determine:

Whether this is:
Misconfiguration on my part
OR a limitation of the current IPsec implementation in OPNsense

Appreciate any guidance, especially from anyone who has successfully implemented NAT with overlapping networks in the current (swanctl) IPsec model.
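
A small sanity check for the NAT-plus-selector design described in the post (an added example, not code from the thread or from OPNsense; the addresses are the ones stated above and the test flows are constructed). It reports the subnet overlap, checks that the translated address and the target fall inside the child SA selectors, and shows that only the translated flow matches the selectors while an untranslated 10.2.x flow does not.

```python
import ipaddress
from dataclasses import dataclass

# Values as stated in the post; the probe packets below are constructed for this example.
AWS_VPC = ipaddress.ip_network("10.2.0.0/16")
AZURE_VNET = ipaddress.ip_network("10.2.0.0/16")
NAT_TRANSLATED_SRC = ipaddress.ip_address("172.31.255.1")
AZURE_TARGET = ipaddress.ip_address("172.18.5.4")
CHILD_LOCAL_TS = ipaddress.ip_network("172.31.255.1/32")
CHILD_REMOTE_TS = ipaddress.ip_network("172.18.5.4/32")


@dataclass(frozen=True)
class Finding:
    level: str  # "ok", "warn" or "fail"
    text: str


def selector_matches(src, dst, local_ts, remote_ts):
    """True if an outbound packet src -> dst lies inside the child SA traffic selectors."""
    return (ipaddress.ip_address(str(src)) in local_ts
            and ipaddress.ip_address(str(dst)) in remote_ts)


def check_design(aws_vpc, azure_vnet, nat_src, target, local_ts, remote_ts):
    """Check overlap, selector coverage, and whether pre- and post-NAT flows match the policy."""
    findings = []
    if aws_vpc.overlaps(azure_vnet):
        findings.append(Finding("warn", f"{aws_vpc} and {azure_vnet} overlap; NAT is mandatory"))
    if nat_src in aws_vpc or nat_src in azure_vnet:
        findings.append(Finding("fail", f"translated address {nat_src} collides with a tunnel-end network"))
    if target not in remote_ts:
        findings.append(Finding("fail", f"target {target} is not covered by remote selector {remote_ts}"))
    # A constructed host inside the AWS VPC, i.e. a packet before source NAT is applied.
    pre_nat_src = aws_vpc.network_address + 10
    post_nat = selector_matches(nat_src, target, local_ts, remote_ts)
    pre_nat = selector_matches(pre_nat_src, target, local_ts, remote_ts)
    findings.append(Finding("ok" if post_nat else "fail",
                            f"post-NAT flow {nat_src} -> {target} matches selectors: {post_nat}"))
    findings.append(Finding("ok" if not pre_nat else "warn",
                            f"pre-NAT flow {pre_nat_src} -> {target} matches selectors: {pre_nat}"))
    return findings


if __name__ == "__main__":
    for f in check_design(AWS_VPC, AZURE_VNET, NAT_TRANSLATED_SRC, AZURE_TARGET,
                          CHILD_LOCAL_TS, CHILD_REMOTE_TS):
        print(f"[{f.level}] {f.text}")
```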

Title: Re: IPsec (swanctl / Connections UI) with NAT + overlapping subnets (AWS ↔ Azure) –
Post by: viragomann on April 02, 2026, 09:18:32 PM
Did you configure the Virtual Tunnel Interfaces (VTI)?

Check the docs > IPSec > Route based (https://docs.opnsense.org/manual/vpnet.html#route-based-vti)

Title: Re: IPsec (swanctl / Connections UI) with NAT + overlapping subnets (AWS ↔ Azure) –
Post by: lfranzelas@caseworthy.com on April 02, 2026, 10:45:19 PM
I saw that in the docs, but "VPN -> IPsec -> Virtual Tunnel Interfaces" doesn't appear in my menu.

Title: Re: IPsec (swanctl / Connections UI) with NAT + overlapping subnets (AWS ↔ Azure) –
Post by: viragomann on April 02, 2026, 11:05:17 PM
So maybe it's time to update your OPNsense.