Traffic is routed through IPsec VPN from sources other than those defined in Phase 2.

Started by Barney Calhoun, July 27, 2021, 05:33:02 PM

Hello List,

thanks for your attention... I'm managing an OPNsense (v21.1.6) with two external and about 5 internal interfaces, let's call them Zones. One internal Zone, connected to a physical internal interface, should communicate with segment 1.2.3.0/24 (for example) through the second external interface, which works fine, and another internal Zone, which is connected to a VLAN interface, should communicate, unfortunately, with the identical IP range (1.2.3.0/24) through an IPsec VPN.

So to be clear:
192.168.1.0/24 on Int1 through Ext2 to 1.2.3.0/24
and
192.168.2.0/24 on VLAN2 through an IPSecVPN to 1.2.3.0/24

The destinations (1.2.3.0/24) are different service providers for different purposes.

So I've configured Phase 2 of the IPsec VPN with the above source net (192.168.2.0/24) and destination.
At first it all worked fine, which was clear to me, because I configured the source (192.168.2.0/24) in Phase 2, so the IPsec VPN should not be used for source 192.168.1.0/24... but a couple of days later I realized that it did that: the traffic coming from 192.168.1.0/24 was routed through the IPsec VPN to the wrong service provider.

Maybe this scenario is unsupported; are there any hints what to do in such a case (identical target IP ranges with different providers)?

Any help is welcome...



You could try to create a route-based VPN and force a gateway through firewall rules. But with policy-based you are stuck - the kernel will encapsulate everything that matches your Phase 2 SA and send it to the peer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
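The distinction in the reply above (policy-based: the kernel's SPD selector decides what gets encapsulated, regardless of firewall rules; route-based: the tunnel is just an interface and a per-rule gateway decides) can be modelled in a few lines. The following is an added illustration written for this thread, not OPNsense or strongSwan code; the `Phase2Selector` and rule tuples are a simplified model, and the "widened selector" case is a constructed assumption used to show how two overlapping 1.2.3.0/24 destinations behave under each model, not a claim about what happened on the poster's box.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Phase2Selector:
    """Simplified traffic selector of one Phase 2 SA (local net <-> remote net)."""
    local_net: str
    remote_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.remote_net))


def policy_based_path(pkt: Packet, selectors, default_gateway: str) -> str:
    """Policy-based IPsec: the SPD lookup wins. If any Phase 2 selector matches,
    the packet is encapsulated and sent to the peer; firewall-rule gateways never get a say."""
    for sel in selectors:
        if sel.matches(pkt):
            return "ipsec-peer"
    return default_gateway


def route_based_path(pkt: Packet, rules, default_gateway: str) -> str:
    """Route-based VPN: the tunnel is an interface with its own gateway, so a pf-style
    first-match rule list (src_net, dst_net, gateway) can pick a different gateway for
    each source net even though the destination range is identical."""
    for src_net, dst_net, gateway in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)):
            return gateway
    return default_gateway


# Constructed data mirroring the thread: two internal nets, one shared remote range.
FROM_INT1 = Packet("192.168.1.10", "1.2.3.4")   # should use Ext2 (provider A)
FROM_VLAN2 = Packet("192.168.2.10", "1.2.3.4")  # should use the IPsec tunnel (provider B)

# Phase 2 exactly as the poster intended: only VLAN2's net is selected.
NARROW_SELECTORS = [Phase2Selector("192.168.2.0/24", "1.2.3.0/24")]

# Assumed example of a selector that is wider than intended (e.g. 0.0.0.0/0 as local net):
# in policy-based mode such a selector swallows Int1's traffic too, and no rule can stop it.
WIDE_SELECTORS = [Phase2Selector("0.0.0.0/0", "1.2.3.0/24")]

# Route-based alternative: per-source gateway selection via firewall rules.
ROUTE_RULES = [
    ("192.168.1.0/24", "1.2.3.0/24", "Ext2_GW"),
    ("192.168.2.0/24", "1.2.3.0/24", "IPSEC_IF_GW"),
]


def compare() -> dict:
    """Return where each packet ends up under the three configurations."""
    return {
        "policy_narrow": {
            "int1": policy_based_path(FROM_INT1, NARROW_SELECTORS, "Ext2_GW"),
            "vlan2": policy_based_path(FROM_VLAN2, NARROW_SELECTORS, "Ext2_GW"),
        },
        "policy_wide": {
            "int1": policy_based_path(FROM_INT1, WIDE_SELECTORS, "Ext2_GW"),
            "vlan2": policy_based_path(FROM_VLAN2, WIDE_SELECTORS, "Ext2_GW"),
        },
        "route_based": {
            "int1": route_based_path(FROM_INT1, ROUTE_RULES, "Ext2_GW"),
            "vlan2": route_based_path(FROM_VLAN2, ROUTE_RULES, "Ext2_GW"),
        },
    }


if __name__ == "__main__":
    for mode, result in compare().items():
        print(f"{mode:14s} int1 -> {result['int1']:12s} vlan2 -> {result['vlan2']}")
```

The practical check this suggests for a policy-based setup is to verify that the installed SPD entries (local/remote selectors) are exactly as narrow as intended; with route-based IPsec, the same overlap is handled by ordinary per-rule gateway selection, which is what the reply recommends.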