OPNsense not forwarding traffic to policy based VPN

Started by zemanek, October 27, 2023, 04:46:22 PM

Hello,

I have an OPNsense instance residing in 10.111.128.128/28, which is the local encryption domain for a policy-based IPsec VPN; the other IPsec VPN end has the 10.240.0.0/12 encryption domain.
Now, from within the OPNsense instance, I can PING a host in 10.240.0.0/12.
When trying to PING the same host in 10.240.0.0/12 from my other local network (10.240.0.0/12 being routed to the OPNsense instance), I can see in a packet capture (on both the enc0 and xn0 interfaces) on OPNsense that the ICMP packet arrived at OPNsense, but it is not forwarded to the IPsec VPN.

Any idea what could be the culprit?

OPNsense 23.7.5-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023
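The symptom above (a packet reaches the firewall but never enters the tunnel) is exactly what a policy-based IPsec SPD produces whenever the packet's source/destination pair is not covered by a traffic selector, so the first thing to verify is that the forwarded packet's source sits inside the local encryption domain. The following is an added example, not code from the thread or from OPNsense: it models the SPD with the two encryption domains from the post, and the sample packets and the `SpdPolicy` model are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdPolicy:
    """Constructed model of one SPD entry: a (local, remote) selector pair."""
    local: ipaddress.IPv4Network   # local encryption domain
    remote: ipaddress.IPv4Network  # remote encryption domain
    direction: str                 # "out" or "in"


# Selectors taken from the post; the tunnel protects exactly these prefixes.
LOCAL_DOMAIN = ipaddress.ip_network("10.111.128.128/28")
REMOTE_DOMAIN = ipaddress.ip_network("10.240.0.0/12")

SPD = [
    SpdPolicy(LOCAL_DOMAIN, REMOTE_DOMAIN, "out"),
    SpdPolicy(LOCAL_DOMAIN, REMOTE_DOMAIN, "in"),
]


def match_policy(src, dst, direction, spd=SPD):
    """Return the first policy whose selectors cover (src, dst), else None.
    For "out" the source must lie in the local domain and the destination
    in the remote domain; for "in" the roles are swapped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p.direction != direction:
            continue
        a, b = (p.local, p.remote) if direction == "out" else (p.remote, p.local)
        if s in a and d in b:
            return p
    return None


def tunnel_verdict(src, dst):
    """Explain why an outbound packet is or is not handed to the tunnel."""
    if match_policy(src, dst, "out") is not None:
        return "tunnel"
    if ipaddress.ip_address(dst) not in REMOTE_DOMAIN:
        return "no-policy: destination outside remote encryption domain"
    return "no-policy: source outside local encryption domain"


if __name__ == "__main__":
    # Constructed sample packets: one sourced by the firewall itself (inside
    # the local domain), one forwarded from another LAN (outside it).
    for src, dst in [("10.111.128.130", "10.240.1.1"), ("10.222.0.5", "10.240.1.1")]:
        print(src, "->", dst, ":", tunnel_verdict(src, dst))
```

A packet that fails this check shows up in the capture on the ingress interface but is routed normally instead of being encapsulated, which matches the behaviour described in the post.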

By comparing the configuration with another OPNsense instance with a similar configuration, it turned out that OPNsense does not correctly clean up/revert its changes to the configuration when I switched the VPN from policy-based to route-based and back several times.

So in the end I reset OPNsense to factory defaults and configured THE SAME from scratch and now it works.