IPsec (swanctl / Connections UI) with NAT + overlapping subnets (AWS ↔ Azure)

Started by lfranzelas@caseworthy.com, April 02, 2026, 06:03:04 PM

OPNsense version: OPNsense 25.7.4 (amd64)
IPsec configuration method: VPN → IPsec → Connections (swanctl)
Deployment: AWS EC2 (2 NIC – WAN + LAN)
Azure side: Azure Virtual Network Gateway (route-based VPN)

Topology:

AWS VPC: 10.2.0.0/16
Azure VNet: also 10.2.0.0/16 (overlapping)
Target resource in Azure: 172.18.5.4 (SQL MI endpoint)
NAT on OPNsense:
Source: 10.2.0.0/16
Destination: 172.18.5.4
Translated to: 172.31.255.1
Virtual IP configured on OPNsense:
172.31.255.1/32 (IP Alias)

Goal:
Allow AWS workloads (10.2.0.0/16) to access Azure resource 172.18.5.4, using NAT to avoid overlapping address space.

IPsec Configuration:

Phase 1 (Connection):

IKEv2
Local address: 10.2.0.171 (WAN private IP)
Remote address: Azure VPN Gateway public IP
UDP encapsulation enabled

Child SA:

Local: 172.31.255.1/32
Remote: 172.18.5.4/32
Mode: Tunnel


Observed Behavior:

1. With Policies OFF
Tunnel establishes successfully (IKE + CHILD SA)
NAT works (traffic translated correctly)
But logs show repeated:
querying policy 172.31.255.1/32 === 172.18.5.4/32 out failed, not found
Traffic does not flow

2. With Policies ON
Behavior changes significantly:
Traffic uses UDP 500 instead of 4500 (no NAT-T)
NAT appears to be bypassed
Azure side no longer sees expected source IP
Tunnel unstable / traffic fails

What I've already verified:

NAT rule is correct and hit counters increment
Virtual IP (172.31.255.1) is present and active
Azure side configured with matching selectors
Azure uses route-based gateway
Security groups / NSGs allow traffic
Tunnel consistently establishes (Phase 1 + Phase 2)

What I'm trying to determine:

Whether this is:
Misconfiguration on my part
OR a limitation of the current IPsec implementation in OPNsense

Appreciate any guidance, especially from anyone who has successfully implemented NAT with overlapping networks in the current (swanctl) IPsec model.
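As an added illustration (editor's example, not code from the poster, OPNsense or strongSwan): the script below models the relationship between the outbound NAT rule, the child SA traffic selectors and the kernel policy (SPD) lookup that the post describes, using the addresses from the post as constructed inputs. It checks whether a given AWS-to-Azure flow, after NAT, falls inside the configured selectors, distinguishes that from the case where the selectors match but no policy is installed (strongSwan's `policies = no`, which is what the Connections UI "Policies" toggle controls), and parses the charon log line quoted above. The order in which the firewall applies NAT relative to the IPsec policy lookup is deliberately not modelled; the functions only express the address relationships.

```python
import ipaddress
import re

# Constructed from the values in the post: AWS source range, Azure target,
# and the address the OPNsense NAT rule translates the source to.
AWS_SOURCE_NET = ipaddress.ip_network("10.2.0.0/16")
AZURE_TARGET = ipaddress.ip_address("172.18.5.4")
NAT_TRANSLATED_SRC = ipaddress.ip_address("172.31.255.1")

# Child SA traffic selectors (local === remote) as configured in the post.
CHILD_LOCAL_TS = ipaddress.ip_network("172.31.255.1/32")
CHILD_REMOTE_TS = ipaddress.ip_network("172.18.5.4/32")

# Shape of the charon message quoted in the post ("querying policy A === B out failed, not found").
POLICY_MISS_RE = re.compile(
    r"querying policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) failed, not found"
)


def apply_outbound_nat(src: str, dst: str) -> ipaddress.IPv4Address:
    """Source address after the outbound NAT rule from the post (constructed model).

    Only flows from 10.2.0.0/16 to 172.18.5.4 are translated to 172.31.255.1;
    any other flow keeps its original source address.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in AWS_SOURCE_NET and d == AZURE_TARGET:
        return NAT_TRANSLATED_SRC
    return s


def selector_match(src: str, dst: str) -> bool:
    """True when the (post-NAT) flow lies inside the child SA local/remote selectors."""
    return (ipaddress.ip_address(src) in CHILD_LOCAL_TS
            and ipaddress.ip_address(dst) in CHILD_REMOTE_TS)


def classify_flow(src: str, dst: str, policies_installed: bool) -> str:
    """Classify an outbound flow against the NAT rule, selectors and policy state.

    'no-selector-match': even after NAT the flow is outside the child selectors,
                         so this child SA can never carry it.
    'no-policy':         selectors match, but with policies disabled no SPD entry
                         exists, which is what a "failed, not found" lookup reports.
    'protect':           selectors match and a policy is installed for them.
    """
    natted = str(apply_outbound_nat(src, dst))
    if not selector_match(natted, dst):
        return "no-selector-match"
    if not policies_installed:
        return "no-policy"
    return "protect"


def parse_policy_miss(line: str):
    """Extract (src_net, dst_net, direction) from a policy-miss log line, else None."""
    m = POLICY_MISS_RE.search(line)
    if m is None:
        return None
    return (ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["dir"])


def explain_policy_miss(line: str) -> str:
    """Relate a policy-miss line to the configured child selectors."""
    parsed = parse_policy_miss(line)
    if parsed is None:
        return "not a policy-miss line"
    src_net, dst_net, direction = parsed
    if src_net == CHILD_LOCAL_TS and dst_net == CHILD_REMOTE_TS:
        return (f"{direction} lookup for the configured child selectors missed: "
                f"no SPD entry is installed for {src_net} === {dst_net}")
    return (f"{direction} lookup missed for {src_net} === {dst_net}, "
            f"which are not the configured child selectors")


if __name__ == "__main__":
    # Constructed sample log line, copied from the post's wording.
    sample = "13[KNL] querying policy 172.31.255.1/32 === 172.18.5.4/32 out failed, not found"
    print(classify_flow("10.2.4.20", "172.18.5.4", policies_installed=False))
    print(explain_policy_miss(sample))
```

Running it with the post's values reports `no-policy` for an AWS host reaching the SQL MI endpoint while policies are off, and confirms that the quoted log line refers exactly to the configured child selectors rather than to some other pair.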



I saw that in the docs but "VPN -> IPsec -> Virtual Tunnel Interfaces" doesn't appear in my menu.