Problems with IPsec tunnel after migrating from FortiGate to OPNsense

Started by edgarquadros, October 17, 2025, 03:07:07 PM

Hello!
First of all, my apologies for writing such a long text with so many details, but I think it is necessary for understanding!
After migrating an old FortiGate 60D to OPNsense v25.7, I'm hitting my head here with one of the site-to-site IPsec VPN tunnels that we have between our office (site A) and some customers (site B and C).
The tunnel between site A and site B is working fine after migration.
But the tunnel between site A and site C isn't working after migration.
There are some differences in the tunnel configuration between site B and site C, which we had copied from Fortigate, which I'll describe below:

site A x site B (working fine!)
- LAN subnet of OPNsense 10.10.10.0/24;
- LAN subnet of remote firewall 10.51.64.0/20, 10.4.64.0/20;
- In Phase 2, we have the real LAN subnet of site A configured in the Local Network field, and the real LAN subnet of site B configured in the Remote Network field.

site A x site C (not working)
- LAN subnet of OPNsense 10.10.10.0/24;
- restricted access to the IP address of the subnet of remote firewall 10.248.16.29/29, 10.248.16.30/32, and 10.248.16.32/32;
- In Phase 2, we have a subnet 10.234.57.0/24 which does not belong to any subnet of Fortigate or OPNsense;
- In the Fortigate interface list, I had a tunnel interface with the address 10.51.234.1/32;
- In the Fortigate static routes, I had a static route to subnet 10.248.16.0/26 with the gateway 10.234.57.1;

What I did in the OPNsense:

- created the tunnel, and declared in Phase 2, the Local Subnet and Remote Subnet as we had in the Fortigate;
- The firewall rules are configured to "pass any to any" in both interfaces, LAN and IPsec, just to avoid problems during this migration;
- created a NAT Outbound in the IPsec interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1;
I think that is a policy required by the remote firewall, for some reason.

When activating this tunnel, Phase 1 is up, and Phase 2 has only one selector up (10.248.16.32).
So, when I tried to access the remote host 10.248.16.32 from a host 10.10.10.52, the traffic was being routed to the internet, not to the IPsec tunnel.

I tried some workarounds, but without success:

- tried to create a static route in OPNsense to the remote subnet 10.248.16.0/26, and selected as Gateway, Null4 - 127.0.0.1, expecting to force the traffic to go to the firewall. After that, the traffic stopped going to the internet, but is not going to the IPsec tunnel either.
- tried to include the local LAN in the Phase 2 Local Network field, but after that, the Phase 2 selector doesn't go up;
- tried to create a NAT Outbound in the LAN interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1, but that does not work either.

I'm sure it is a configuration problem on the OPNsense side, but I can't find what!
Any ideas what I can try to change/debug on the OPNsense side?

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
site A x site C (not working)
- LAN subnet of OPNsense 10.10.10.0/24;
- restricted access to the IP address of the subnet of remote firewall 10.248.16.29/29, 10.248.16.30/32, and 10.248.16.32/32;
You probably wanted to write 10.248.16.29/32 as the first one. 10.248.16.29/29 cannot be used, since this isn't a network address.

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
- In Phase 2, we have a subnet 10.234.57.0/24 which does not belong to any subnet of Fortigate or OPNsense;
Where? Local or remote?

What do you intend to achieve?
Masquerading the traffic with a different IP or subnet?

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
What I did in the OPNsense:
- created the tunnel, and declared in Phase 2, the Local Subnet and Remote Subnet as we had in the Fortigate;
How? Legacy setup or connections?

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
- created a NAT Outbound in the IPsec interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1;
Which settings exactly?

Do you only need access to the remote site or bidirectional access?

Hello viragomann!
Thanks for reply!

Quote: You probably wanted to write 10.248.16.29/32 as the first one. 10.248.16.29/29 cannot be used, since this isn't a network address.
Yes, you are right, it was a typo.

Quote: Where? Local or remote?

What do you intend to achieve?
Masquerading the traffic with a different IP or subnet?
Well, neither the Fortigate nor this IPsec tunnel was configured by me. The guy who did it is no longer with the company. So, 10.234.57.0/24 was in the "Local Network" field of Phase 2 of this tunnel in the Fortigate, and I just copied it.
I don't know the exact reason, but I suppose it was requested by the remote customer's IT team: the remote firewall only accepts connections coming from this network 10.234.57.0/24 to bring the tunnel up, and I suppose the IP address 10.234.57.1, which is present in the tunnel interface of the Fortigate, is used to masquerade the traffic.

Quote: How? Legacy setup or connections?
As our OPNsense is on v25.7, I'm using Connections.

Quote: Which settings exactly?

Do you only need access to the remote site or bidirectional access?
Yes, I only need access to remote devices on the remote site. The devices on the remote site never initiate a connection to my devices on the local network.

Attached are screenshots of how I configured Phase 2, NAT Outbound, and the Firewall Rules on our OPNsense.

BR,
Edgar
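The two points raised in this thread, that 10.248.16.29/29 is not a usable selector and that the LAN source has to be translated into 10.234.57.0/24 before the kernel's security-policy lookup can match a Phase 2 selector, can be checked in a small model. The block below is an added example written for this page; it is not code from the thread, from OPNsense, or from strongSwan. It uses the site C addresses from the post (with the /29 typo corrected to /32) and assumes the "NAT before IPsec" evaluation order that OPNsense documents for outbound NAT on the IPsec interface (pf translates the source first, then the SPD is consulted); the class and function names are made up for the illustration.

```python
"""Added example: a model of OPNsense's policy-based IPsec lookup with
"NAT before IPsec", built from the site C addresses in the thread.

Assumptions (not observed on the poster's box): outbound NAT on the IPsec
interface is applied before the kernel security-policy (SPD) lookup, and a
flow that matches no selector leaves via the default route, i.e. the WAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional


def parse_selector(cidr: str) -> IPv4Network:
    """Strict parse: a selector must be a network address, so
    10.248.16.29/29 is rejected (host bits set) while a /32 is fine."""
    return ip_network(cidr, strict=True)


def invalid_selectors(cidrs: List[str]) -> List[str]:
    """Return the entries that cannot be used as Phase 2 selectors."""
    bad = []
    for c in cidrs:
        try:
            parse_selector(c)
        except ValueError:
            bad.append(c)
    return bad


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network   # "Local Network" of the child SA
    remote: IPv4Network  # "Remote Network" of the child SA


@dataclass(frozen=True)
class OutboundNat:
    source: IPv4Network
    destination: IPv4Network
    translate_to: IPv4Address


def apply_outbound_nat(src: IPv4Address, dst: IPv4Address,
                       rules: List[OutboundNat]) -> IPv4Address:
    """First matching NAT rule wins; no match leaves the source untouched."""
    for r in rules:
        if src in r.source and dst in r.destination:
            return r.translate_to
    return src


def match_spd(src: IPv4Address, dst: IPv4Address,
              policies: List[Phase2]) -> Optional[int]:
    """Index of the first Phase 2 selector covering src -> dst, if any."""
    for i, p in enumerate(policies):
        if src in p.local and dst in p.remote:
            return i
    return None


def classify(src: str, dst: str, nat_rules: List[OutboundNat],
             policies: List[Phase2]) -> str:
    """'tunnel:<n>' when the (translated) flow hits selector n,
    otherwise 'default-route' (the packet goes out the WAN)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    s = apply_outbound_nat(s, d, nat_rules)   # NAT before IPsec (assumed order)
    hit = match_spd(s, d, policies)
    return "default-route" if hit is None else f"tunnel:{hit}"


# Site C as described in the thread; the /29 typo is corrected to /32 here.
LAN = parse_selector("10.10.10.0/24")
TRANSLATED = parse_selector("10.234.57.0/24")
REMOTE_HOSTS = ["10.248.16.29/32", "10.248.16.30/32", "10.248.16.32/32"]
SITE_C_POLICIES = [Phase2(TRANSLATED, parse_selector(h)) for h in REMOTE_HOSTS]
SITE_C_NAT_IPSEC = [OutboundNat(LAN, parse_selector(h), IPv4Address("10.234.57.1"))
                    for h in REMOTE_HOSTS]

if __name__ == "__main__":
    print(invalid_selectors(["10.248.16.29/29"] + REMOTE_HOSTS))
    # No NAT: 10.10.10.52 is outside 10.234.57.0/24, so no selector matches.
    print(classify("10.10.10.52", "10.248.16.32", [], SITE_C_POLICIES))
    # NAT on the IPsec interface rewrites the source to 10.234.57.1: selector 2.
    print(classify("10.10.10.52", "10.248.16.32", SITE_C_NAT_IPSEC, SITE_C_POLICIES))
    # A remote host outside the selector list is never tunnelled, NAT or not.
    print(classify("10.10.10.52", "10.248.16.31", SITE_C_NAT_IPSEC, SITE_C_POLICIES))
```

The model only answers where the local kernel would send a packet; it cannot tell you why only one of the three selectors came up, which depends on what the remote peer accepts. That part is checked on the firewall itself with `swanctl --list-sas` (installed child SAs and their traffic selectors), `setkey -DP` (the kernel SPD) and `tcpdump -ni enc0` (whether packets actually enter the tunnel), and a static route to a null gateway for the remote /26 is not needed once a selector matches, since policy-based IPsec intercepts the flow before routing.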