IPsec Policy Based Routing

Started by davide, July 07, 2023, 11:53:30 AM

I'm using OPNsense 23.1.

Creating a new IPsec tunnel defaults to Policy Based Routing ([Install Policy] is checked by default).

So I don't find any route in the routing table.

It works, but what I can't understand is how the local network reaches the remote network without routes.
Where can I monitor the routes from local to remote?

How can an IP packet that starts from a local host reach the remote host if there is no route on the firewall?

It works, but I don't understand why  :)

Sorry for the confusion, any help will be appreciated.

Quote from: davide on July 07, 2023, 11:53:30 AM
So I don't find any route in the routing table.

It works, but what I can't understand is how the local network reaches the remote network without routes.
Where can I monitor the routes from local to remote?

How can an IP packet that starts from a local host reach the remote host if there is no route on the firewall?

It works, but I don't understand why  :)
As the name suggests, there's an IPsec policy in place. This takes precedence over any route that might also exist. In IPsec, phase 1 takes care of authentication and negotiation of parameters. Phase 2 establishes the actual tunnels.

Established connections (phase 1 and phase 2) are generally called SAs (security associations). You can view the SAs for both phases with this command:

ipsec status

Or use VPN > IPsec > Status Overview in the UI.

The summary display will show you all the phase 1 SAs, one per line. If you click on the tiny (i) on the right hand side, you will see all the phase 2 SAs for that connection.

HTH,
Patrick

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
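The answer above explains that the IPsec policy is consulted before the routing table, which is why traffic to the remote network works even though no route for it appears. The following Python model, added here as an illustration and not code from OPNsense or from either poster, walks a packet through that decision order: security policy database (SPD) first, then the routing table, and only for the outer packet addressed to the remote gateway. The policy, route and SA entries are constructed sample data; on a real OPNsense box the same information comes from `setkey -DP` (policies), `netstat -rn` (routes) and `ipsec status` (SAs). The lookup order modelled here is an assumption that mirrors the usual kernel behaviour.

```python
"""Model of why a policy-based IPsec tunnel needs no route for the remote network.

Added example; SPD, routes and SAs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One Security Policy Database (SPD) entry (compare `setkey -DP`)."""
    src: str            # traffic selector, local side (CIDR)
    dst: str            # traffic selector, remote side (CIDR)
    direction: str      # "out" or "in"
    action: str         # "ipsec", "none" or "discard"
    local_gw: str = ""  # outer tunnel endpoints, only for action == "ipsec"
    remote_gw: str = ""

    def matches(self, src_ip, dst_ip, direction):
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass
class Route:
    prefix: str
    gateway: str   # "" for a directly connected network
    iface: str


def lookup_route(routes, dst_ip):
    """Longest-prefix match, the way the kernel routing table resolves a destination."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None
                            or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def forward(src_ip, dst_ip, spd, routes, sas):
    """Decide what happens to an outbound packet.

    Assumed order: the SPD is checked before the routing table, so a matching
    'ipsec' policy wins even though no route to dst_ip exists. The routing
    table is then used only for the outer packet sent to the remote gateway.
    """
    policy = next((p for p in spd if p.matches(src_ip, dst_ip, "out")), None)
    if policy is None or policy.action == "none":
        route = lookup_route(routes, dst_ip)
        if route is None:
            return {"decision": "drop", "reason": "no route and no policy"}
        return {"decision": "route", "via": route.gateway or "connected", "iface": route.iface}
    if policy.action == "discard":
        return {"decision": "drop", "reason": "policy discard"}
    # action == "ipsec": a phase 2 SA must already exist for this tunnel
    if (policy.local_gw, policy.remote_gw) not in sas:
        return {"decision": "drop",
                "reason": "no SA yet (kernel asks the IKE daemon to negotiate one)"}
    outer = lookup_route(routes, policy.remote_gw)
    if outer is None:
        return {"decision": "drop", "reason": "no route to remote gateway"}
    return {"decision": "ipsec", "tunnel": f"{policy.local_gw}->{policy.remote_gw}",
            "outer_via": outer.gateway or "connected", "iface": outer.iface}


# Constructed sample data: LAN 192.168.1.0/24 behind WAN address 203.0.113.10,
# remote site 10.10.0.0/24 behind peer 198.51.100.1.
SPD = [
    Policy("192.168.1.0/24", "10.10.0.0/24", "out", "ipsec", "203.0.113.10", "198.51.100.1"),
    Policy("10.10.0.0/24", "192.168.1.0/24", "in", "ipsec", "198.51.100.1", "203.0.113.10"),
]
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", "em0"),  # default route via ISP gateway
    Route("192.168.1.0/24", "", "em1"),        # LAN, directly connected
    Route("203.0.113.0/24", "", "em0"),        # WAN, directly connected
    # deliberately no route for 10.10.0.0/24, exactly as observed in the post
]
ESTABLISHED_SAS = {("203.0.113.10", "198.51.100.1")}  # one phase 2 SA is up


if __name__ == "__main__":
    for dst in ("10.10.0.5", "8.8.8.8", "192.168.1.30"):
        print(dst, forward("192.168.1.20", dst, SPD, ROUTES, ESTABLISHED_SAS))
    print("tunnel down:", forward("192.168.1.20", "10.10.0.5", SPD, ROUTES, set()))
```

Running it shows the three cases from the thread: traffic for 10.10.0.5 is matched by the policy and leaves through the default route towards the peer, ordinary Internet traffic is routed as usual, and if the phase 2 SA is missing the policy still matches but the packet cannot be sent, which is the case to check in VPN > IPsec > Status Overview or with `ipsec status`.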