IPsec IKEv2 Policy-Based VPN – Tunnel up, no traffic (public IP remote subnet)

Started by random257, July 09, 2025, 12:14:15 PM

Hi everyone,

I'm trying to establish an IKEv2 policy-based IPsec VPN to a remote site that I do not control. The tunnel itself comes up successfully, but no traffic passes through it.

Some relevant details:
The remote network is a public IP address range.
My setup looks like this:
WAN — OPNsense — 192.168.1.0/24 — third-party router — 192.168.2.0/24
When I try to send traffic from a device in the 192.168.2.0/24 network to the remote site, I see the following entry in the OPNsense firewall logs:
LAN  2025-07-09T11:51:12  192.168.2.113  <Remote IP>  ICMP  Default deny / state violation rule
There are firewall rules on OPNsense allowing traffic from both 192.168.1.0/24 and 192.168.2.0/24 to the remote network and the other way around.
I'm on OPNsense 25.1.10. I'm not new to the firewall world, but that's my first OPNsense.

My theory:
OPNsense might be routing the traffic to the WAN interface (since the destination is a public IP) before checking whether it matches a Phase 2 selector for the IPsec tunnel.
Unfortunately, switching to route-based VPN is not an option in this scenario.

Questions:
Has anyone encountered a similar issue where policy-based IPsec to a public IP subnet results in traffic being routed incorrectly?

Is there a way to force OPNsense to treat that public remote subnet as reachable via IPsec?

Quote from: random257 on July 09, 2025, 12:14:15 PM
My setup looks like this:
WAN — OPNsense — 192.168.1.0/24 — third-party router — 192.168.2.0/24
So have you configured the phase 2 with 192.168.2.0/24 as the local network?


Quote from: random257 on July 09, 2025, 12:14:15 PM
LAN  2025-07-09T11:51:12  192.168.2.113  <Remote IP>  ICMP  Default deny / state violation rule
According to this log line, ICMP from 192.168.2.113 to the remote IP is not allowed.
So check your LAN rules.
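The reply's first point is the one that decides whether a packet enters a policy-based tunnel at all: the security policy is matched on the source/destination pair, so a destination inside the remote public range is not enough if the source (here 192.168.2.113) is not inside any Phase 2 local network, and the packet then follows the ordinary route towards the WAN. The block below is an added illustration of that lookup, not code from the thread or from OPNsense; the Phase 2 entries, the 203.0.113.0/24 placeholder for the remote public range and the flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2Selector:
    """One Phase 2 entry: traffic from `local` to `remote` is protected by the tunnel."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Constructed placeholder for the remote site's public range (TEST-NET-3, not a real peer).
REMOTE_PUBLIC = ipaddress.ip_network("203.0.113.0/24")

# As described in the post: the only Phase 2 covers the OPNsense LAN itself.
PHASE2_AS_CONFIGURED = [
    Phase2Selector("p2-lan", ipaddress.ip_network("192.168.1.0/24"), REMOTE_PUBLIC),
]

# Same tunnel with a second Phase 2 for the network behind the third-party router.
PHASE2_FIXED = PHASE2_AS_CONFIGURED + [
    Phase2Selector("p2-transit", ipaddress.ip_network("192.168.2.0/24"), REMOTE_PUBLIC),
]

# Constructed flows: a LAN host and the 192.168.2.113 host from the firewall log line.
FLOWS = [("192.168.1.10", "203.0.113.10"), ("192.168.2.113", "203.0.113.10")]


def selector_for(src: str, dst: str, selectors):
    """Return the first selector whose (local, remote) pair covers the packet, else None.
    The lookup is keyed on the pair: the source must be in `local` AND the destination
    in `remote`; a matching destination alone does not put the packet into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in selectors:
        if s in sel.local and d in sel.remote:
            return sel
    return None


def classify(src: str, dst: str, selectors) -> str:
    """Describe how the packet leaves the box: through the tunnel or the ordinary route."""
    sel = selector_for(src, dst, selectors)
    if sel is None:
        return "plaintext via default route (WAN)"
    return f"encrypted via {sel.name}"


def bypassing_flows(flows, selectors):
    """List the (src, dst) pairs that would leave in clear because no Phase 2 matches."""
    return [(s, d) for s, d in flows if selector_for(s, d, selectors) is None]
```

Running `bypassing_flows(FLOWS, PHASE2_AS_CONFIGURED)` against a tunnel's real selectors is a quick way to confirm which downstream networks still need their own Phase 2 before looking at firewall rules.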