Describe the bug
The automatically created VPN rules for IPsec do not allow traffic on the WAN interface. The traffic runs into the "Default Deny" rule. This issue has been observed across several updates. There is no block statement before the automatic rules.
To Reproduce
When creating an IPsec (legacy) IKEv1 or IKEv2 tunnel, firewall rules are created automatically and the tunnel comes up. Occasionally, when the tunnel renews, the incoming VPN requests run against the "Default Block Rule" for UDP/500 or UDP/4500, even though these ports are set to allow in the automatic rules. The issue is inconsistent, because many other VPN tunnels are not blocked.
Expected behavior
The automatic rules should be considered before the default deny, allowing the IPsec tunnel to build.
Describe alternatives you considered
Creating manual "Allow" rules for UDP/500 or UDP/4500 bypasses the issue. Deleting the manual "Allow" rule after bypassing the issue does not break the traffic flow again until the tunnel needs to renew. When the tunnel renews and no manual rule is in place, the tunnel fails to build because of the Default Deny rule.
Screenshots
Relevant log files
(see screenshot)
Environment
OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
HA pair of virtual machines deployed in VMware
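Added diagnostic example, not part of this issue or of OPNsense's own code: a small evaluator of pf rule ordering (the last matching rule wins unless a matching rule is `quick`) run over constructed sample rules, to check whether inbound UDP/500 and UDP/4500 on the WAN interface end at an IPsec pass rule or at the default deny. The interface name `vtnet0` and the rule lines are assumptions written in the shape of `pfctl -sr` output, using only the subset of pf syntax the parser understands.

```python
import re

# Constructed sample in the shape of `pfctl -sr` output (assumption: a simplified
# subset of pf syntax, not copied from any OPNsense system; WAN interface vtnet0).
SAMPLE_RULES = """
block drop in log inet all label "Default deny / state violation rule"
pass in quick on vtnet0 inet proto udp from any to (vtnet0) port = 500 keep state label "IPsec: ISAKMP"
pass in quick on vtnet0 inet proto udp from any to (vtnet0) port = 4500 keep state label "IPsec: NAT-T"
""".strip()

def parse_rule(line):
    """Extract the match criteria this evaluator understands from one rule line."""
    text = re.sub(r'\s+label\s+".*"$', "", line)  # drop the label so its words are ignored
    tokens = text.split()
    rule = {"action": tokens[0], "dir": None, "iface": None, "proto": None,
            "dport": None, "quick": "quick" in tokens, "line": line}
    side = None
    for i, tok in enumerate(tokens):
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("from", "to"):
            side = tok
        elif tok == "on":
            rule["iface"] = tokens[i + 1]
        elif tok == "proto":
            rule["proto"] = tokens[i + 1]
        elif tok == "port" and side == "to":  # destination port, "port = 500" or "port 500"
            rule["dport"] = int(tokens[i + 2] if tokens[i + 1] == "=" else tokens[i + 1])
    return rule

def matches(rule, pkt):
    """A criterion the rule leaves unset (None) matches anything."""
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("dir", "iface", "proto", "dport"))

def evaluate(ruleset, pkt):
    """pf ordering: the last matching rule wins unless a matching rule carries
    `quick`, which ends evaluation there; with no match at all pf passes."""
    winner = None
    for line in filter(str.strip, ruleset.splitlines()):
        rule = parse_rule(line)
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return (winner["action"], winner["line"]) if winner else ("pass", None)

def isakmp_verdicts(ruleset, wan_iface):
    """Verdict for inbound IKE (UDP/500) and NAT-T (UDP/4500) on the WAN interface."""
    return {port: evaluate(ruleset, {"dir": "in", "iface": wan_iface, "proto": "udp",
                                     "dport": port})[0] for port in (500, 4500)}
```

On a live system the same functions can be fed the real output of `pfctl -sr` to see which rule line actually wins for the IKE ports at the moment a tunnel fails to renew.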