
Messages - random257

#1
Quote from: viragomann on July 09, 2025, 01:24:35 PM
> So have you configured the phase 2 for 192.168.2.0/24 as local network?

Yes, I did.

#2
Hi everyone,

I'm trying to establish an IKEv2 policy-based IPsec VPN to a remote site that I do not control. The tunnel itself comes up successfully, but no traffic passes through it.

Some relevant details:
The remote network is a public IP address range.
My setup looks like this:
WAN — OPNsense — 192.168.1.0/24 — third-party router — 192.168.2.0/24
When I try to send traffic from a device in the 192.168.2.0/24 network to the remote site, I see the following entry in the OPNsense firewall logs:
LAN  2025-07-09T11:51:12  192.168.2.113  <Remote IP>  ICMP  Default deny / state violation rule
There are firewall rules on OPNsense allowing traffic from both 192.168.1.0/24 and 192.168.2.0/24 to the remote network and the other way around.
I'm on OPNsense 25.1.10. I'm not new to the firewall world, but this is my first OPNsense.

My theory:
OPNsense might be routing the traffic to the WAN interface (since the destination is a public IP) before checking whether it matches a Phase 2 selector for the IPsec tunnel.
Unfortunately, switching to route-based VPN is not an option in this scenario.

Questions:
Has anyone encountered a similar issue where policy-based IPsec to a public IP subnet results in traffic being routed incorrectly?

Is there a way to force OPNsense to treat that public remote subnet as reachable via IPsec?
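The first thing to confirm from a log entry like the one above is whether the denied source/destination pair actually falls inside one of the configured Phase 2 selectors; if it does, the drop is a policy-ordering or state problem rather than a missing selector. The following is an added Python example, not code from this thread or from OPNsense: the log layout follows the single line quoted in the post, the field names are my own, and the selector list and the 203.0.113.0/24 remote prefix are assumed placeholders.

```python
"""Flag firewall-denied flows that a Phase 2 selector should have covered.

Added example (not from the thread). The log layout follows the one line
quoted in the post; selectors and the remote prefix are assumptions.
"""
import ipaddress
import re

# Assumed Phase 2 selectors as (local network, remote network).
# 203.0.113.0/24 is a documentation prefix standing in for the real remote range.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("203.0.113.0/24")),
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("203.0.113.0/24")),
]

# Constructed sample lines in the layout of the entry quoted in the post:
# interface, timestamp, source, destination, protocol, rule label.
SAMPLE_LOG = """\
LAN  2025-07-09T11:51:12  192.168.2.113  203.0.113.25  ICMP  Default deny / state violation rule
LAN  2025-07-09T11:51:20  192.168.1.50  203.0.113.25  TCP  pass rule for remote site
LAN  2025-07-09T11:52:02  192.168.2.113  198.51.100.9  ICMP  Default deny / state violation rule
"""

LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<rule>.+?)\s*$"
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:  # e.g. a redacted "<Remote IP>" placeholder
        return None
    return rec


def matching_selector(src, dst, selectors=PHASE2_SELECTORS):
    """Index of the first (local, remote) selector covering src -> dst, else None."""
    for i, (local, remote) in enumerate(selectors):
        if src in local and dst in remote:
            return i
    return None


def denied_tunnel_flows(log_text, selectors=PHASE2_SELECTORS):
    """Denied lines whose src/dst pair lies inside a Phase 2 selector.

    A hit means the tunnel policy should have captured the flow, so the
    cause is elsewhere (policy ordering, asymmetric path, missing state),
    not an absent selector.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "deny" not in rec["rule"].lower():
            continue
        idx = matching_selector(rec["src"], rec["dst"], selectors)
        if idx is not None:
            hits.append({
                "ts": rec["ts"],
                "src": str(rec["src"]),
                "dst": str(rec["dst"]),
                "selector": idx,
            })
    return hits


if __name__ == "__main__":
    for hit in denied_tunnel_flows(SAMPLE_LOG):
        print(hit)
```

Run against an exported firewall log, the script separates drops that contradict the configured selectors (worth investigating as a policy or state issue) from drops to destinations no selector covers (a configuration gap). Lines with a redacted address, as in the post, are skipped rather than crashing the parser.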