IPsec any * NETWORK_C * VIRTUAL_IP_IN_NETWORK_B * NO
IPsec Network_A * NETWORK_C * VIRTUAL_IP_IN_NETWORK_B * NO
I replaced "Network_A" with "any" as suggested, but it didn't help.
"Install policy" in phase1 is checked, I verified that.
I think a firewall rule on the IPsec interface should not be necessary because that is covered by an autogenerated rule (screenshot attached). Plus I don't see any relevant traffic being blocked in the log. Nevertheless I created the rule as you suggested, but no success.
Did you also check if there are any other routes pointing to NETWORK_C?
It might also be an idea to turn off automatic addition of routes under "VPN -> IPSEC -> Advanced Settings"; this will enforce policy-based routing.
NETWORK_A NETWORK_C <- ESP WANIP_OF_YOUR_OPNSENSE -> WANIP_OF_REMOTE_ENDPOINT
The peer is behind NAT-T, could that cause confusion somewhere?
ping -S VIRTUAL_IP_IN_NETWORK_B SOME_REACHABLE_IP_IN_NETWORK_C
I also checked the tunnel endpoint IP in the Security database and it is correct for Network D. Only the entry for network A has this mysterious tunnel endpoint IP.
First thought: Is it possible your firewall masquerades when forwarding to the OPNsense?
Just for me to understand: The endpoint IP is correct when entering NETWORK_D as SPD and "mysterious" when entering NETWORK_A, or did you enter both and are getting different endpoints?
Anyway, thank you so much for your help so far!