Tried to change the phase 2 selector at 172.16.192.0/16 to a network on the firewall directly (not just a route the firewall knows). Getting the same error.
============ cat /var/log/daemon.log | grep 10.2.200.0/23 =============== Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.2.200.0/23 === 10.241.0.0/16 in for reqid 4, the same policy for reqid 3 exists Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.2.200.0/23 === 10.241.0.0/16 fwd for reqid 4, the same policy for reqid 3 exists Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.241.0.0/16 === 10.2.200.0/23 out for reqid 4, the same policy for reqid 3 exists =========== ipsec statusall ============= vpn-xxx.xxx.xxx.171: xxx.xxx.xxx.154...xxx.xxx.xxx.171 IKEv1, dpddelay=30s vpn-xxx.xxx.xxx.171: local: [xxx.xxx.xxx.154] uses pre-shared key authentication vpn-xxx.xxx.xxx.171: remote: [xxx.xxx.xxx.171] uses pre-shared key authentication vpn-xxx.xxx.xxx.171: child: 10.241.0.0/16 === 192.168.251.0/26 10.2.200.0/23 TUNNEL, dpdaction=restart L2TP-PSK: 172.26.0.151...%any IKEv1/2 L2TP-PSK: local: [172.26.0.151] uses pre-shared key authentication L2TP-PSK: remote: uses pre-shared key authentication L2TP-PSK: child: dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT Routed Connections: L2TP-PSK{517}: ROUTED, TRANSPORT, reqid 4 L2TP-PSK{517}: 0.0.0.0/0[udp/l2f] === 0.0.0.0/0[udp] vpn-xxx.xxx.xxx.171{516}: ROUTED, TUNNEL, reqid 3 vpn-xxx.xxx.xxx.171{516}: 10.241.0.0/16 === 10.2.200.0/23 192.168.251.0/26 Any help would be appreciated, currently stuck. Thanks Again -Wally On Sun, Feb 18, 2024 at 12:17 AM Wally B <wvbauman...@gmail.com> wrote: > I'm working on a site to site connection from my VPC to my on prem > OPNsense VPN. > > > Cloudstack Version 4.19.0 > OPNSense Version 23.4.2 > > I have two P2 selectors setup in OPNsense and i've got a VPN customer > gateway setup with two subnets ( 192.168.251.0/26,172.16.192.0/20 ) in > Cloudstack. > > The issue im running into is, only the first address in my VPN customer > gateway gets added to the SAD. So, In the above example, since > 192.168.251.0/26 is first I can pass traffic to and from the VPC to that > subnet on prem. However, 172.16.192.0/20 is not added. > > I checked the logs on my VPC VR and found the following. > > > Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy > 172.16.192.0/20 === 10.241.0.0/16 in for reqid 3, the same policy for > reqid 5 exists > Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy > 172.16.192.0/20 === 10.241.0.0/16 fwd for reqid 3, the same policy for > reqid 5 exists > Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy > 10.241.0.0/16 === 172.16.192.0/20 out for reqid 3, the same policy for > reqid 5 exists > > > Wondering if i'm just formatting my VPN customer gateway CIDRs wrong? > > > Thanks! > Wally > > >