Route Based IPsec Limitation

[geotek]

Scenario: Private LAN on Location A connected via OPNsense 19.7.9 to Internet. OPNsense has Route-Based IPsec tunnel to location B. Everything works as expected, except that the public IP of location B is now unreachable for hosts in private LAN of location A.

I assume that all traffic from LAN to the public IP of location B is erroneously sent via Tunnel Gateway through the tunnel instead of being Natted to the standard default route.

Is this behaviour a general design flaw of Route-Based IPsec on OPNsense or can it be solved somehow?

[franco]

More info with network addresses please, it seems to me that info from the first paragraph conflicts with the second.


Cheers,
Franco

[geotek]

Take this as an example:

Location A (OPNsense)
  LAN: 192.168.10.0/24
  Public IP: 1.1.1.1
  VPNGW1: 2.2.2.2
  Static Route: 192.168.20.0/24 => VPNGW1

Location B (Juniper SRX)
  LAN: 192.168.20.0/24
  Public IP: 2.2.2.2

IPsec Tunnel between LAN A and LAN B works fine, also does NAT Traffic from LAN to Internet. So everything is fine, except that hosts on LAN A can't reach Public IP of Location B (2.2.2.2), neither ping nor any other port responds.

Since Juniper does Route based IPsec directly and does not have an OpenVPN-like transfer-Net I have to set VPNGW1 to the public IP of site B.