Topic: Policy routing problems using routed ipsec tunnel (Read 1120 times)
alexwhites
Newbie
Posts: 2
Karma: 0
Policy routing problems using routed ipsec tunnel
« on: May 13, 2022, 11:26:15 am »
Hi everyone,
I configured a routed ipsec tunnel between OPNsense and a Zywall 310 appliance, basic configuration is this:
Site A
OPNsense 22.1.7
interface LAN: 192.168.30.0/24
interface IPSEC1: 192.168.39.2/30 (firewall rules to pass any traffic on this interface)
gateway GW2B: Interface IPSEC1, IPaddress: 192.168.39.1 (Peer address)
Policy routing (Firewall rule on LAN):
Proto: IPv4*, Source: LAN net (192.168.30.0/24), Destination: LAN-B (192.168.3.0/24), GW: GW2B
Site B
Zywall 310
interface LAN: 192.168.3.0/24
interface VTI0: 192.168.39.1/30
Policy route:
IPv4*, Source: LAN (192.168.3.0/24), Destination: LAN-A (192.168.30.0/24), GW: interface VTI0
The tunnel goes up and control ping traffic is working in both directions (192.168.39.2 -> 192.168.39.1 and 192.168.39.1 -> 192.168.39.2).
From site A (OPNsense) ping to LAN-B is working.
From site B (Zywall) ping to LAN-A is not working: the echo request from a LAN-B PC correctly reaches a LAN-A PC (I ran tcpdump to see it), but the echo response from the LAN-A PC doesn't enter the tunnel to return to LAN-B (it is routed to the default WAN interface).
If I use a static route on OPNsense, ping is also working from site B to site A, but I'd like to use policy routing as I have a second path to reach site B and I want to use this ipsec tunnel gw in a gateway group for failover.
So my question is: can you use policy routing on a routed ipsec?
Thank you
alexwhites
Newbie
Posts: 2
Karma: 0
Re: Policy routing problems using routed ipsec tunnel
« Reply #1 on: May 19, 2022, 03:12:03 pm »
Hi,
I now have a working configuration.
I had to add a rule on the LAN interface of the OPNsense:
Direction: OUT; Source: LAN-B (192.168.3.0/24); Destination: any; GW: default; reply-to: GW2B
Now ping is working in both directions.
One minor problem is that from the OPNsense I cannot ping LAN-B and from LAN-B I cannot ping OPNsense unless I use static routes on OPNsense: do you have any hints about that?
Thank you
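The behaviour in the first post and the fix in Reply #1 both follow from one property of a stateful firewall: state lookup happens before rule evaluation, so a policy-routing rule only influences the packet that creates the state, and replies take whatever egress the existing state records (its reply-to, or else the plain routing table). The following toy model, added here and not part of the forum thread, OPNsense or pf, reproduces that with the addresses from the post. It assumes interface-bound states, an implicit "pass out" that creates a state without reply-to, a routing table containing only the connected LAN, the tunnel transit net and a default route via WAN (whose gateway address is a placeholder), and two constructed sample hosts; it is a simplification of pf semantics, not pf itself.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN_A = ip_network("192.168.30.0/24")     # site A LAN (from the post)
LAN_B = ip_network("192.168.3.0/24")      # site B LAN (from the post)
TRANSIT = ip_network("192.168.39.0/30")   # IPSEC1 transit net (from the post)
ANY = ip_network("0.0.0.0/0")
GW2B = ("ipsec1", "192.168.39.1")         # tunnel gateway GW2B (from the post)
WAN_GW = ("wan", "<isp-gateway>")         # default route; address is a placeholder


@dataclass
class Rule:
    iface: str
    direction: str                 # "in" or "out"
    src: object                    # ip_network
    dst: object                    # ip_network
    route_to: tuple | None = None  # egress for the packet that creates the state
    reply_to: tuple | None = None  # egress for packets flowing back through that state

    def matches(self, iface, direction, src, dst):
        return (self.iface == iface and self.direction == direction
                and src in self.src and dst in self.dst)


@dataclass
class Firewall:
    rules: list
    # interface-bound states (modelling assumption): (iface, src, dst) -> (route_to, reply_to)
    states: dict = field(default_factory=dict)

    @staticmethod
    def route_lookup(dst):
        """Plain routing table: connected LAN, tunnel transit net, else the default route."""
        if dst in LAN_A:
            return ("lan", None)
        if dst in TRANSIT:
            return ("ipsec1", None)
        return WAN_GW

    def process(self, iface, direction, src, dst):
        """Return the egress (iface, gateway) chosen for this packet, or None if dropped.
        State lookup comes first; rules are consulted only when no state matches."""
        src, dst = ip_address(src), ip_address(dst)
        fwd, rev = (iface, src, dst), (iface, dst, src)
        if fwd in self.states:                       # same direction as the state creator
            route_to, _ = self.states[fwd]
            return route_to or self.route_lookup(dst)
        if rev in self.states:                       # reply direction: state decides egress
            _, reply_to = self.states[rev]
            return reply_to or self.route_lookup(dst)
        for rule in self.rules:
            if rule.matches(iface, direction, src, dst):
                self.states[fwd] = (rule.route_to, rule.reply_to)
                return rule.route_to or self.route_lookup(dst)
        if direction == "out":                       # assumption: implicit pass out, no reply-to
            self.states[fwd] = (None, None)
            return (iface, None)
        return None


def build_site_a(with_reply_to_rule):
    """Site A ruleset as described in the thread, optionally with the Reply #1 fix."""
    rules = [
        Rule("ipsec1", "in", ANY, ANY),                      # pass any traffic on IPSEC1
        Rule("lan", "in", LAN_A, LAN_B, route_to=GW2B),      # policy route LAN net -> LAN-B via GW2B
    ]
    if with_reply_to_rule:                                   # LAN out rule from Reply #1
        rules.append(Rule("lan", "out", LAN_B, ANY, reply_to=GW2B))
    return Firewall(rules)


PC_A, PC_B = "192.168.30.10", "192.168.3.10"   # constructed sample hosts, one per LAN


def reply_egress_for_ping_from_site_b(with_reply_to_rule):
    """Echo request from LAN-B enters on ipsec1 and leaves on lan; where does the reply go?"""
    fw = build_site_a(with_reply_to_rule)
    fw.process("ipsec1", "in", PC_B, PC_A)   # creates the IPSEC1 state (no reply-to)
    fw.process("lan", "out", PC_B, PC_A)     # creates the LAN state; reply-to only with the fix
    return fw.process("lan", "in", PC_A, PC_B)


def request_egress_for_ping_from_site_a(with_reply_to_rule):
    """Echo request from LAN-A enters on lan with no state yet: the policy route applies."""
    fw = build_site_a(with_reply_to_rule)
    return fw.process("lan", "in", PC_A, PC_B)


if __name__ == "__main__":
    print("site B -> A, reply egress without reply-to:", reply_egress_for_ping_from_site_b(False))
    print("site B -> A, reply egress with reply-to:   ", reply_egress_for_ping_from_site_b(True))
    print("site A -> B, request egress:               ", request_egress_for_ping_from_site_a(False))
```

Without the LAN out rule the reply matches the state created by the request and, since that state carries no reply-to, falls through to the routing table and leaves via WAN, which is what the tcpdump in the first post showed; with reply-to GW2B recorded on the state, the same reply is sent back into the tunnel. A ping started from site A never has this problem because its first packet is the one that hits the policy-route rule.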