Problems with IPsec tunnel after migrating from Fortigate to OPNsense

Started by edgarquadros, October 17, 2025, 03:07:07 PM

Hello!
First of all, my apologies for writing such a long text with so many details, but I think it is necessary for understanding!
After migrating an old FortiGate 60D to OPNsense v25.7, I'm hitting my head here with one of the site-to-site IPsec VPN tunnels that we have between our office (site A) and some customers (site B and C).
The tunnel between site A and site B is working fine after migration.
But the tunnel between site A and site C isn't working after migration.
There are some differences in the tunnel configuration between site B and site C, which we had copied from Fortigate, which I'll describe below:

site A x site B (working fine!)
- LAN subnet of OPNsense 10.10.10.0/24;
- LAN subnet of remote firewall 10.51.64.0/20, 10.4.64.0/20;
- In Phase 2, we have the real LAN subnet of site A configured in the Local Network field, and the real LAN subnet of site B configured in the Remote Network field.

site A x site C (not working)
- LAN subnet of OPNsense 10.10.10.0/24;
- restricted access to the IP address of the subnet of remote firewall 10.248.16.29/29, 10.248.16.30/32, and 10.248.16.32/32;
- In Phase 2, we have a subnet 10.234.57.0/24 which does not belong to any subnet of Fortigate or OPNsense;
- In the Fortigate interface list, I had a tunnel interface with the address 10.51.234.1/32;
- In the Fortigate static routes, I had a static route to subnet 10.248.16.0/26 with the gateway 10.234.57.1;

What I did in the OPNsense:

- created the tunnel, and declared in Phase 2 the Local Subnet and Remote Subnet as we had in the Fortigate;
- The firewall rules are configured to "pass any to any" in both interfaces, LAN and IPsec, just to avoid problems during this migration;
- created a NAT Outbound in the IPsec interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1;
I think that is a policy required by the remote firewall, for some reason.

When activating this tunnel, Phase 1 is up, and Phase 2 has only one selector up (10.248.16.32).
So, when I tried to access the remote host 10.248.16.32 from a host 10.10.10.52, the traffic was being routed to the internet, not to the IPsec tunnel.

I tried some workarounds, but without success:

- tried to create a static route in OPNsense to the remote subnet 10.248.16.0/26, and selected as Gateway, Null4 - 127.0.0.1, expecting to force the traffic to go to the firewall. After that, the traffic stopped going to the internet, but is not going to the IPsec tunnel either.
- tried to include the local LAN in the Phase 2 Local Network field, but after that, the Phase 2 selector doesn't go up;
- tried to create a NAT Outbound in the LAN interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1, but it does not work either.

I'm sure that is a configuration problem on the OPNsense side, but I can't find what!
Any ideas what I can try to change/debug on the OPNsense side?
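A small model of the check at the heart of this post, added here as an illustration (it is not code from the thread or from OPNsense): an IPsec policy only accepts a packet whose source and destination fall inside a Phase 2 local/remote selector pair, so a packet from 10.10.10.0/24 cannot match a local selector of 10.234.57.0/24 unless its source is translated into that network first. The model assumes the outbound NAT on the IPsec interface is evaluated before the policy lookup, which is what such a rule is intended to do, and it also shows why 10.248.16.29/29 is rejected as a selector.

```python
import ipaddress

# Constructed from the thread: Phase 2 selector pairs (local, remote) for the
# site A x site C tunnel, and the outbound NAT rule the poster created.
PHASE2_SELECTORS = [
    ("10.234.57.0/24", "10.248.16.29/32"),
    ("10.234.57.0/24", "10.248.16.30/32"),
    ("10.234.57.0/24", "10.248.16.32/32"),
]
NAT_RULE = {
    "source": "10.10.10.0/24",
    "destinations": ["10.248.16.29/32", "10.248.16.30/32", "10.248.16.32/32"],
    "translate_to": "10.234.57.1",
}

def parse_selector(cidr):
    """Strict parse: a selector must be a real network address (no host bits)."""
    return ipaddress.ip_network(cidr, strict=True)

def valid_selector(cidr):
    """True if the CIDR is usable as a traffic selector; '10.248.16.29/29' is not."""
    try:
        parse_selector(cidr)
        return True
    except ValueError:
        return False

def apply_outbound_nat(src, dst, rule):
    """Return the post-NAT source address, or the original if the rule does not match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in parse_selector(rule["source"]) and any(
            dst_ip in parse_selector(d) for d in rule["destinations"]):
        return rule["translate_to"]
    return src

def matches_phase2(src, dst, selectors):
    """Does (src, dst) fall inside any Phase 2 local/remote selector pair?"""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in parse_selector(local) and dst_ip in parse_selector(remote)
               for local, remote in selectors)

def tunnel_path(src, dst, selectors=PHASE2_SELECTORS, nat=NAT_RULE):
    """Simulate NAT-before-IPsec (assumption): translate first, then look up
    the policy on the translated packet. Returns (post_nat_src, enters_tunnel)."""
    translated = apply_outbound_nat(src, dst, nat)
    return translated, matches_phase2(translated, dst, selectors)

if __name__ == "__main__":
    print(matches_phase2("10.10.10.52", "10.248.16.32", PHASE2_SELECTORS))  # untranslated: False
    print(tunnel_path("10.10.10.52", "10.248.16.32"))  # ('10.234.57.1', True)
    print(valid_selector("10.248.16.29/29"), valid_selector("10.248.16.29/32"))  # False True
```

The untranslated packet never matches the policy, which is consistent with it leaving via the default route instead of the tunnel; only the translated source lands inside the 10.234.57.0/24 local selector.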

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
site A x site C (not working)
- LAN subnet of OPNsense 10.10.10.0/24;
- restricted access to the IP address of the subnet of remote firewall 10.248.16.29/29, 10.248.16.30/32, and 10.248.16.32/32;
You probably wanted to write 10.248.16.29/32 as the first one. 10.248.16.29/29 cannot be used, since this isn't a network address.

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
- In Phase 2, we have a subnet 10.234.57.0/24 which does not belong to any subnet of Fortigate or OPNsense;
Where? Local or remote?

What do you intend to achieve?
Masquerading the traffic with a different IP or subnet?

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
What I did in the OPNsense:
- created the tunnel, and declared in Phase 2, the Local Subnet and Remote Subnet as we had in the Fortigate;
How? Legacy setup or connections?

Quote from: edgarquadros on October 17, 2025, 03:07:07 PM
- created a NAT Outbound in the IPsec interface, where source is the LAN subnet of OPNsense 10.10.10.0/24, the destination is the LAN subnet of the remote firewall 10.248.16.29, 30, and 32 (all /32), and the translation address is 10.234.57.1;
Which settings exactly?

Do you only need access to the remote site or bidirectional access?