Ipsec - "ping: sendto: Permission denied" - one way trouble

Started by lagus, August 15, 2019, 10:11:22 PM

Hi,

I'm having issues with an IPsec tunnel causing issues going out from opnsense.
It's a newly setup instance on a Netgate SG-4860 running OPNsense 19.7.2-amd64, FreeBSD 11.2-RELEASE-p12-HBSD, OpenSSL 1.0.2s 28 May 2019, Serial version.
Remote network: 192.168.2.0/24 Local network: 192.168.11.0/24


  • I'm able to ping remote host network from the ipsec interface
  • I get "ping: sendto: Permission denied" pinging from LAN interface on opnsense
  • Devices on local side get "Request timed out" pinging remote network
  • Firewall config should be open for all: LAN https://imgur.com/a/Sg70N94 IPsec: https://imgur.com/a/AG6ynhe Tunnel Interface: https://imgur.com/a/AG6ynhe 
  • Remote side seems to be working without any trouble to local, but local to remote
  • I have pure IPsec rules, no IPsec interface (except the tunnel-specific interfaces)
  • Currently two tunnels configured, where one is currently down


I had to manually edit these from being 0.0.0.0/0 in the following config file.

  rightsubnet = 192.168.2.0/24
  leftsubnet = 192.168.11.0/24



/usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no


  left = REDACTED
  right = REDACTED

  leftid = REDACTED
  ikelifetime = 28800s
  lifetime = 43200s
  ike = aes128-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = REDACTED
  reqid = 1000
  rightsubnet = 192.168.2.0/24
  leftsubnet = 192.168.11.0/24
  esp = aes256-sha1-modp2048,aes256-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
  auto = route


Why do you think it is not working? - Let me know if you need to understand anything else in the setup.
There seems to be something strange when I manually have to edit the left|rightsubnet into the configuration...?
vmware Virtual Env & Netgate SG-4860
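An added example, not code from the original post or from OPNsense/strongSwan: a small Python parser for the strongSwan-style ipsec.conf shown above that lists each conn's traffic selectors and flags 0.0.0.0/0 (the value the generated file carried before the author edited it) or selectors that differ from the LAN and remote networks given at the top of the post. The sample configuration embedded in it is constructed from the post (a second conn with catch-all selectors is added to exercise the check), and the expected subnets passed to the audit are an assumption taken from the post.

```python
"""Parse a strongSwan-style ipsec.conf and audit per-conn traffic selectors.

Added example (not OPNsense or strongSwan code). It reads the conn sections
of an ipsec.conf, reports leftsubnet/rightsubnet for each, and flags selectors
that are the catch-all 0.0.0.0/0 or that do not match the networks the tunnel
is meant to carry. Section names and expected subnets are assumptions taken
from the forum post above.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the conn from the post (abridged), plus a second conn
# with the 0.0.0.0/0 selectors the author says the generator produced first.
SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  keyexchange = ikev1
  installpolicy = no
  leftsubnet = 192.168.11.0/24
  rightsubnet = 192.168.2.0/24
  auto = route

conn con2
  keyexchange = ikev1
  leftsubnet = 0.0.0.0/0
  rightsubnet = 0.0.0.0/0
  auto = route
"""

# Section headers sit at column 0: "config setup", "conn <name>", "ca <name>"
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {key: value}} for every section in the file.

    Settings are indented 'key = value' lines; '#' comments and blank lines
    are ignored. The 'config setup' section is stored under the name 'setup'.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # setting outside any section, or a malformed line
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value
    return sections


def audit_selectors(sections: Dict[str, Dict[str, str]],
                    expected_left: str, expected_right: str) -> List[str]:
    """Flag conns whose traffic selectors are catch-all or off-network.

    A 0.0.0.0/0 selector on either side makes every packet, including
    traffic for the local LAN, match the IPsec policy, which is the state
    the post describes before the subnets were edited by hand.
    """
    findings: List[str] = []
    expected = {
        "leftsubnet": ipaddress.ip_network(expected_left),
        "rightsubnet": ipaddress.ip_network(expected_right),
    }
    for name, conf in sections.items():
        if name == "setup":
            continue
        for side, want in expected.items():
            value = conf.get(side)
            if value is None:
                findings.append(f"{name}: {side} not set")
                continue
            # strongSwan accepts a comma-separated list of selectors
            for sel in (s.strip() for s in value.split(",")):
                net = ipaddress.ip_network(sel, strict=False)
                if net.prefixlen == 0:
                    findings.append(f"{name}: {side}={sel} is a catch-all selector")
                elif net != want:
                    findings.append(f"{name}: {side}={sel} does not match expected {want}")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for finding in audit_selectors(parsed, "192.168.11.0/24", "192.168.2.0/24"):
        print(finding)
```

Run it against a copy of /usr/local/etc/ipsec.conf by replacing SAMPLE_CONF with the file contents; a clean run prints nothing, while a conn whose selectors were left at 0.0.0.0/0 is reported per side.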