OPNSense uses default gateway instead of IPSec routed VPN

Started by flyshoo, February 15, 2025, 01:30:48 AM

Hello Forum,
I have an issue when using an IPSec routed VPN: for some reason the firewall chooses the default gateway instead of the VPN gateway.

Here is the setup.

Cisco router using static routing as the gateway, 172.24.1.1, for the subnet and there is a static route pointing to the OPNSense firewall, 172.24.1.251, as the next hop for a network across an IPSec routed VPN.

When traffic is sent to the network across the VPN I get this response from the router:
From 172.24.1.1 icmp_seq=9 Redirect Host(New nexthop: 172.24.1.251)
From 172.24.1.1 icmp_seq=10 Redirect Host(New nexthop: 172.24.1.251)
From 38.x.x.x icmp_seq=10 Destination Net Unreachable
From 172.24.1.1 icmp_seq=11 Redirect Host(New nexthop: 172.24.1.251)
From 38.x.x.x icmp_seq=11 Destination Net Unreachable

The response is telling the host the next hop is the OPNSense firewall, and the firewall is sending it out to the internet (the 38.X.X.X address) instead of sending it over the VPN.


I'm new to OPNSense so any help is appreciated.
TIA,
Fly


Sounds like the Cisco is not routing over the OpnSense but instead tells the clients to use it, but they do not care.

Consider if your setup is correct: If all of your clients were behind the OpnSense (in another subnet) and not alongside it, you could route all of their traffic through OpnSense, then decide there where to go and use either the VPN or the Cisco gateway.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Turned out the router was redirecting the traffic and sending that message.
To resolve it I had to disable IP redirects in interface configuration mode: no ip redirects.
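As an added example (not from the thread), a small Python helper that parses ping output like the one quoted in the first post, counts the ICMP host redirects and "destination unreachable" replies per source, and spells out the path the traffic took; the gateway argument, the function names and the wording of the findings are my own.

```python
import re
from collections import Counter

# Constructed sample: the ping output quoted in the thread, kept verbatim
# (38.x.x.x is the masked internet address from the original post).
SAMPLE_PING_OUTPUT = """\
From 172.24.1.1 icmp_seq=9 Redirect Host(New nexthop: 172.24.1.251)
From 172.24.1.1 icmp_seq=10 Redirect Host(New nexthop: 172.24.1.251)
From 38.x.x.x icmp_seq=10 Destination Net Unreachable
From 172.24.1.1 icmp_seq=11 Redirect Host(New nexthop: 172.24.1.251)
From 38.x.x.x icmp_seq=11 Destination Net Unreachable
"""

# Linux ping reports ICMP errors as "From <src> icmp_seq=<n> <message>".
REDIRECT_RE = re.compile(
    r"^From (?P<src>\S+) icmp_seq=(?P<seq>\d+) Redirect Host\(New nexthop: (?P<nexthop>\S+)\)$")
UNREACH_RE = re.compile(
    r"^From (?P<src>\S+) icmp_seq=(?P<seq>\d+) Destination (?P<what>Net|Host) Unreachable$")


def parse_icmp_errors(output):
    """Return (seq, kind, src, detail) tuples for every ICMP error line in ping output."""
    events = []
    for line in output.splitlines():
        line = line.strip()
        if m := REDIRECT_RE.match(line):
            events.append((int(m["seq"]), "redirect", m["src"], m["nexthop"]))
        elif m := UNREACH_RE.match(line):
            events.append((int(m["seq"]), "unreachable", m["src"], m["what"].lower()))
    return events


def diagnose(output, gateway):
    """Count redirects and unreachables per source and explain the path the traffic took."""
    events = parse_icmp_errors(output)
    redirects = Counter((src, nh) for _, kind, src, nh in events if kind == "redirect")
    unreachables = Counter(src for _, kind, src, _ in events if kind == "unreachable")
    findings = []
    for (src, nexthop), n in sorted(redirects.items()):
        role = "the configured gateway" if src == gateway else "an unexpected host"
        findings.append(f"{src} ({role}) sent {n} ICMP host redirect(s) pointing at {nexthop}")
    for src, n in sorted(unreachables.items()):
        findings.append(f"{src} answered 'destination unreachable' {n} time(s)")
    # The thread's symptom: redirected to one box, then dropped by a different, upstream hop,
    # meaning the redirect target forwarded the packet along its default route, not the VPN.
    redirected_to = {nh for _, nh in redirects}
    upstream = set(unreachables) - redirected_to - {gateway}
    if redirected_to and upstream:
        findings.append("Diagnosis: " + ", ".join(sorted(redirected_to)) +
                        " is forwarding the redirected traffic to its default gateway, not the VPN; "
                        "check its routes, or stop the redirects with 'no ip redirects' on " + gateway)
    return findings
```

Run `diagnose(SAMPLE_PING_OUTPUT, "172.24.1.1")` to get the three findings for the quoted output; pass your own captured ping output and gateway address to check a different setup.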