Route based IPSec, traffic is not processed

Started by NicoLK, October 01, 2025, 01:07:07 PM

Hello folks,

currently I'm trying to set up an IPsec tunnel from an OPNsense HA cluster to a Sophos XGS. I've tried using a normal policy-based tunnel, but it didn't work with HA. Even though I used a CARP IP (tried both WAN and LAN CARP IPs), the secondary firewall always tried to establish the tunnel as well. This caused the tunnel to crash because the OPNsense is behind a NAT router. Also, the primary firewall didn't disable the VPN connection when it was set to CARP maintenance.

Since fast failover would be nice, I tried a route-based approach. However, there is some stuff going on with the traffic that I can't explain.
Traffic from the Sophos reaches the OPNsense. I can see it in the firewall logs and in packet captures on wan, enc0 and on the vti. But the traffic is not processed. For example pings are not being answered or forwarded.
Doing the same thing from the OPNsense (e.g. pinging the other firewall), however, can be captured on the vti interface, but there is no traffic on enc0 or wan.

So far I have tried many things, but I could not affect this behavior. I think it might be an issue that Sophos uses strongSwan with an xfrm interface and OPNsense uses strongSwan with vti. However, I could not find any mention of these two not being compatible with each other.

I use OPNsense 25.7.4, but it also happened on 25.7.3.
The tunnel is set up with 0.0.0.0/0 for phase 2 and currently static routes are used. For testing purposes I disabled the tunnel on the secondary OPNsense firewall.

If you have any idea, let me know.
Thanks

Whether a tunnel gets established or not is controlled via the "Start" policy of a child.

If you set it to TRAP, it will only start if there is matching traffic. This means it will not be initiated on the backup firewall, since there shouldn't be any traffic that matches the TRAP policy there until a failover happens.
Hardware:
DEC740

I've already tried that and it works for the secondary. However, if I put the primary firewall into CARP maintenance, it does not disconnect the tunnel.

Can you let the other side initiate?

You can set your children on NONE.

Even if a VPN tunnel remains UP, it should not matter since DPD could handle this.


You can also try UDP encapsulation on 4500; maybe that ensures sockets are unique. Otherwise it might communicate 4500-4500, source-NATing both firewalls to the same outbound port if static port is enabled.
Hardware:
DEC740
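The child "Start" policy, DPD and UDP encapsulation that the replies above refer to, written out as a hand-written swanctl.conf for a route-based (VTI) connection. This is an added example, not OPNsense's generated configuration and not something posted in the thread; addresses, identities and the PSK are placeholders, and the reqid is assumed to be the one the ipsec VTI interface was created with.

```conf
connections {
    sophos-vti {
        version = 2
        local_addrs  = 192.0.2.10        # placeholder: the CARP VIP, not a node address
        remote_addrs = 203.0.113.5       # placeholder: Sophos XGS public address
        # Force UDP encapsulation on 4500 even if no NAT is detected, so the
        # two HA nodes behind the NAT router do not share one 500/500 flow
        encap = yes
        # Dead peer detection: a stale SA on a node that lost CARP is torn down
        dpd_delay = 30s
        proposals = aes256-sha256-modp2048

        local {
            auth = psk
            id = opnsense.example.net    # placeholder identity
        }
        remote {
            auth = psk
            id = sophos.example.net      # placeholder identity
        }

        children {
            vti {
                # Route-based: selectors cover everything, the routing table decides
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # Binds the SA to the ipsecN (VTI) interface configured with this reqid
                reqid = 1
                esp_proposals = aes256-sha256-modp2048
                # The "Start" policy from the thread:
                #   start = initiate on load (what a backup node must avoid)
                #   trap  = install a trap policy, IKE starts on matching traffic
                #   none  = never initiate, let the peer (the Sophos) connect
                start_action = none
                dpd_action = restart
            }
        }
    }
}

secrets {
    ike-sophos {
        id = sophos.example.net
        secret = "REPLACE_WITH_PSK"      # placeholder
    }
}
```

With start_action = none on both nodes and the Sophos initiating, only the node currently holding the CARP VIP can complete the exchange, and DPD clears the SA on the node that loses it.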