pfSense

Do you have a test case setup?

When you do, let's assign this to Ermal.

I'm testing on a production system where I've been looking into a separate IPsec issue as well. Now setting up a test case on our own systems.

The situation seems to be anything egress goes the wrong way (not matching the "pass out ... route-to"), but ingress does match the reply-to. In this particular production case it doesn't matter either way as it's the same ISP on both WANs and they pass the traffic to the Internet via either connection regardless of source IP. That'll be clearer once a controlled test setup is in place to replicate.

the specific issue is the "pass out" isn't getting routed out via the correct interface. As responder it's fine, as initiator, traffic follows default route

Ermal: the test box at 172.27.44.52 has the test case setup we talked about earlier, where the "pass out" rules specify no interface. As I mentioned, it makes no diff. Go to Status>IPsec on there and try to connect a couple VPNs and you'll see.

: pfctl -ss | grep 500
vmx0 udp 192.0.2.77:500 -> 100.64.25.20:500       SINGLE:NO_TRAFFIC
vmx0 udp 198.51.100.77:500 -> 100.64.25.21:500       SINGLE:NO_TRAFFIC

following default route.

If you don't see something quickly there, let's just bring back the static routes used in every prior version, and we can revisit eliminating the need for those post-2.2.

Applied in changeset 2ecb2dafa5fa78388fd72c3360495f734cb5633c.