IPsec VPN from OPNsense Instance Running in Google Cloud

Started by jeffh, June 18, 2025, 11:51:47 PM

I set up a Google Cloud Compute Engine instance running OPNsense 25.1 (with all updates applied). I'm attempting to set up an IPsec site-to-site VPN with a remote device and the connection is failing to establish.

The LAN and WAN interfaces both have RFC 1918 addresses assigned. GCP does not provide a mechanism to bind a legally routable IP directly to the network interface. GCP performs a 1:1 static NAT to/from the RFC 1918 address to the legally routable external IP address.

The remote VPN endpoint only knows about the legally routable IP. It does not support aggressive mode, nor does it support NAT Traversal.

I know from working with Strongswan and other IPsec VPN solutions, that it's possible to specify the IP address to use for the outer tunnel. This allows me to specify the legally routable external IP address that's presented to the remote IPsec gateway.

I've been trying to determine where to input that into the IPsec VPN configuration in OPNsense. I've tried in the Phase 1 settings but the debug logs show a bind error which tells me it doesn't like that the IP is not assigned directly to the WAN interface.

Any thoughts on how to resolve this?

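The strongSwan arrangement the post refers to, as an added example that is not from this thread or from the OPNsense project: in swanctl.conf the daemon binds to the RFC 1918 address that is really on the interface (local_addrs), while the identity it presents to the peer (local.id) is the external IP that the 1:1 NAT shows the remote gateway, so the peer's ID check matches what it sees on the wire. All addresses, subnets and the PSK below are constructed placeholders.

```conf
# swanctl.conf (constructed example; every address and the PSK are placeholders)
connections {
    gcp-to-remote {
        version = 2                  # IKEv2; use version = 1 for an IKEv1 main-mode-only peer
        local_addrs  = 10.128.0.2    # the RFC 1918 address on the NIC: the only one a socket can bind to
        remote_addrs = 198.51.100.1  # the peer's public address
        local {
            auth = psk
            id = 203.0.113.10        # the GCP external IP the 1:1 NAT presents; what the peer expects as our ID
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }
        children {
            site {
                local_ts  = 10.128.0.0/20      # subnet behind the GCP instance
                remote_ts = 192.168.50.0/24    # subnet behind the remote gateway
                esp_proposals = aes256gcm16-x25519
                start_action = start
            }
        }
        proposals = aes256-sha256-x25519
    }
}
secrets {
    ike-gcp {
        # the PSK is looked up by both identities, so list the NAT'd external IP, not the NIC address
        id-1 = 203.0.113.10
        id-2 = 198.51.100.1
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows the SA bound to 10.128.0.2 locally while the peer's log reports the 203.0.113.10 identity, which is the distinction between the bind address and the advertised identity that a bind error on the public IP points at.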

Sometimes I wonder why "Legacy" options are removed from products. The new "Connections" section for IPsec is significantly more difficult to configure, and the Legacy option just worked!

I reverted back to Legacy and the tunnels came right up!

So... why is Legacy being removed in 26.1 and being replaced with something that is harder to configure?