"
I've already tried that and it works for the secondary. However if put the primary firewall into CARP maintenance, it does not disconnect the tunnel.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
Virtual private networks / Re: Route based IPSec, traffic is not processed
October 01, 2025, 04:38:23 PM #2
Virtual private networks / Route based IPSec, traffic is not processed
October 01, 2025, 01:07:07 PM
Hello folks,
currently I'm trying to setup an IPSec tunnel from an OPNsense HA cluster to an Sophos XGS. I've tried using a normal policy based tunnel but it didn't work with HA. Even though I used a CARP IP (tried both WAN and LAN CARP IPs) the secondary firewall always tried to establish the tunnel as well. This caused the tunnel to crash because the OPNsense is behind a NAT Router. Also the primary firewall didn't disable the vpn connection when it was set to CARP maintenance.
Since fast fail over would be nice I tried a route based approach. However there is some stuff going on with the traffic that I can't explain.
Traffic from the Sophos reaches the OPNsense. I can see it in the firewall logs and in packet captures on wan, enc0 and on the vti. But the traffic is not processed. For example pings are not being answered or forwarded.
Doing the same thing from the OPNsense (f.e. ping the other firewall) however can be captured on the vti interface but there is no traffic on enc0 or wan.
So far I tried many things but I could not affect this behavior. I think it might be an issue that Sophos uses strongswan with an xfrm interface and OPNsense uses strongswan with vti. However I could not find any mention of these two not being compatible with each other.
I use OPNsese 25.7.4 but it also happened on 25.7.3.
The tunnel is set up with 0.0.0.0/0 for phase 2 and currently static routes are used. For testing purposes I disabled the tunnel on the secondary OPNsense firewall.
If you have any idea, let me know.
Thanks
currently I'm trying to setup an IPSec tunnel from an OPNsense HA cluster to an Sophos XGS. I've tried using a normal policy based tunnel but it didn't work with HA. Even though I used a CARP IP (tried both WAN and LAN CARP IPs) the secondary firewall always tried to establish the tunnel as well. This caused the tunnel to crash because the OPNsense is behind a NAT Router. Also the primary firewall didn't disable the vpn connection when it was set to CARP maintenance.
Since fast fail over would be nice I tried a route based approach. However there is some stuff going on with the traffic that I can't explain.
Traffic from the Sophos reaches the OPNsense. I can see it in the firewall logs and in packet captures on wan, enc0 and on the vti. But the traffic is not processed. For example pings are not being answered or forwarded.
Doing the same thing from the OPNsense (f.e. ping the other firewall) however can be captured on the vti interface but there is no traffic on enc0 or wan.
So far I tried many things but I could not affect this behavior. I think it might be an issue that Sophos uses strongswan with an xfrm interface and OPNsense uses strongswan with vti. However I could not find any mention of these two not being compatible with each other.
I use OPNsese 25.7.4 but it also happened on 25.7.3.
The tunnel is set up with 0.0.0.0/0 for phase 2 and currently static routes are used. For testing purposes I disabled the tunnel on the secondary OPNsense firewall.
If you have any idea, let me know.
Thanks
Pages1
