
IPSec S2S Routing Problem

Hi all,

we created an IPSec connection and ran into problems transferring data to devices behind the tunnel.

PC (172.20.10.222)- XG310(172.20.10.1) - INTERNET - VPN-Router - LAN(172.25.130.1/24)
                          ||
                      SG(172.20.10.2) - INTERNET

When I ping the LAN interface of the remote router, I succeed.
If I try the same interface from the PC, the packet bounces between the XG and the SG, as if the XG had no route to the destination LAN behind the VPN.

XG310_WP02_SFOS 18.0.3 MR-3# traceroute 172.25.130.1
traceroute to 172.25.130.1 (172.25.130.1), 30 hops max, 46 byte packets
1  172.25.130.1 (172.25.130.1)  54.553 ms  41.641 ms  42.065 ms
XG310_WP02_SFOS 18.0.3 MR-3#

P:\>tracert -d 172.25.130.1
Tracing route to 172.25.130.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.20.10.1
  2    <1 ms    <1 ms    <1 ms  172.20.10.2
  3    <1 ms    <1 ms    <1 ms  172.20.10.1
  4    <1 ms     *     ^C

Does someone have an idea why? Where can I check the routing decision? The IPSec connection isn't visible in the console "route" table.

  • Assuming it's a policy-based VPN, do you have a chance to move to a route-based VPN?

    If not, check this: https://community.sophos.com/xg-firewall/f/recommended-reads/121408/routing-in-xgv18-with-sd-wan-pbr

    A policy-based VPN follows its route based on the precedence.

  • Hi, thanks for the answer.

    I have VPN connections from endpoints using dynamic IPs. I think I need a static IP to create a tunnel interface!?

    I have to create IPSec S2S with other partners using other vendors' VPN devices.

    Maybe the SD-WAN policy-based IPsec VPN is a new/great feature ... currently I'm searching for the error in the good old standard IPsec.

  • You need a static IP or a DDNS record. Likely DDNS resolves this for RB VPN.

    In case of your policy-based routing issue: check the SAs on the XG, in case the SA is not matching. "ipsec status" should help. Verify there is a matching SA for your local network and your destination network.

  • XG310(172.25.130.1) - INTERNET - VPN-Router - LAN(172.25.130.1/24)

    Is that the same IP 172.25.130.1 on both sides of the tunnel?

  • Sorry:

    PC (172.20.10.222)- XG310(172.20.10.1) - INTERNET - VPN-Router - LAN(172.25.130.1/24)
                              ||
                          SG(172.20.10.2) - INTERNET

  • You can check the IPsec routes with "ip route show" instead of the route command only.

    Yesterday we had massive issues with IPsec routes that should be created dynamically but were no longer working as they had months before. Related to this post: https://community.sophos.com/xg-firewall/f/discussions/124765/ipsec-site-2-site-vpn-routes-not-deleted-or-added-on-reconnect---error-2

    In the end I had to create NAT and routes manually.

    First check what you have:

    show advanced-firewall

    Then add SNAT:

    set advanced-firewall sys-traffic-nat add destination 1.2.3.4 netmask 255.255.255.0 snatip 172.16.1.1

     ->    NAT policy for system originated traffic
            ---------------------
            Destination Network     Destination Netmask     Interface       SNAT IP
            1.2.3.4                 255.255.255.0                           172.16.1.1


    console> system route_precedence show
    Default routing Precedence:
    1.  SD-WAN policy routes
    2.  VPN routes
    3.  Static routes

    VPN routes should be ahead of local static routes.

    Manual IPsec route creation:

    console> system ipsec_route add net 1.2.3.4/255.255.255.0 tunnelname Tunnel_Name

    console> system ipsec_route show
    tunnelname          host/network        netmask
    Tunnel_Name         1.2.3.4             255.255.255.0

  • Yesterday we collected some new information.
    Behind the "old" SG we have some subnets that have not been migrated yet.
    Therefore on the XG we have a static route for 172.16.0.0/12 pointing to the SG.
    It seems this route has priority over my 172.25.130.1/24 VPN connection.
    If I create a VPN using an IP range outside the static routes, the traffic passes through the VPN tunnel and reaches the endpoint.
    We tried to move VPN to the top with "system route_precedence".
    But without success. (VPN is on top ... but traffic doesn't use the VPN.)

    Do we have a bug? Or is this behavior by design?

    Thanks.

  • There are two different crucial things to understand:

    1. Route precedence takes place in case of "the same route exists".

    2. VPN routes are between SAs, so local & remote network is the exact route. That will be considered as a VPN route. You can create a manual route, if needed, via the console.

    Own traffic (XG-originated traffic) or traffic which needs an SNAT will not be considered for VPN routes.

    Can you share your IPsec tunnel screenshot? It seems you did not share this.
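The two replies above (the route_precedence/ipsec_route post and the "VPN routes are between SAs" explanation) describe two different lookups: a policy-based SA only claims a packet whose source and destination both fall inside its selectors, while a static route is chosen by longest prefix match on the destination alone. The following added example, not code from the thread or from Sophos, models that decision with Python's ipaddress module so the OP's symptom can be reasoned about. The "ip route show" text, the SA selector pair and the tunnel name Tunnel_Name are constructed to match the topology in the thread, not captured from a device, and the model is a simplification of SFOS routing, not its implementation.

```python
"""Model of SA-selector lookup versus static longest-prefix lookup (added example)."""
import ipaddress

# Constructed to resemble `ip route show` on the XG; not captured from a device.
# The /12 static route toward the SG covers the 172.25.130.0/24 VPN remote network.
IP_ROUTE_SHOW = """\
default via 203.0.113.1 dev Port2
172.16.0.0/12 via 172.20.10.2 dev Port1
172.20.10.0/24 dev Port1 proto kernel scope link src 172.20.10.1
"""

# Constructed SA selector pair for the policy-based tunnel: (name, local, remote).
# The tunnel name is hypothetical.
VPN_SAS = [("Tunnel_Name", "172.20.10.0/24", "172.25.130.0/24")]


def parse_ip_route(text):
    """Parse `ip route show` lines into (prefix, nexthop, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        nexthop = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((prefix, nexthop, dev))
    return routes


def static_lookup(routes, dst):
    """Kernel-style lookup: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def vpn_lookup(sas, src, dst):
    """A policy-based SA claims a packet only if src AND dst match its selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in sas:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return name
    return None


def decide(routes, sas, src, dst):
    """Precedence 'VPN routes before static routes': consult SAs first, then the table."""
    tunnel = vpn_lookup(sas, src, dst)
    if tunnel:
        return ("vpn", tunnel)
    route = static_lookup(routes, dst)
    if route is None:
        return ("none", None)
    prefix, nexthop, dev = route
    return ("static", f"{prefix} via {nexthop} dev {dev}")


if __name__ == "__main__":
    routes = parse_ip_route(IP_ROUTE_SHOW)
    # PC in the local selector -> tunnel wins over the /12.
    print(decide(routes, VPN_SAS, "172.20.10.222", "172.25.130.5"))
    # No matching SA (tunnel down or selector mismatch) -> /12 sends it to the SG.
    print(decide(routes, [], "172.20.10.222", "172.25.130.5"))
    # Source outside the local selector -> also falls through to the SG.
    print(decide(routes, VPN_SAS, "172.20.11.9", "172.25.130.5"))
```

The second and third cases show why the traceroute from the PC can bounce via 172.20.10.2: whenever no SA selector pair claims the packet, the 172.16.0.0/12 static route toward the SG is the most specific remaining match. Comparing "ipsec status" selectors against "ip route show" with the same src/dst pair in mind is the check this model encodes.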

  • 1. Correct. But the VPN route 172.25.130.0/24 should beat the static route 172.16.0.0/12?
    Or am I wrong?

    2. We try to access and ping from 172.20.10.222 to 172.25.130.5. This should match the VPN (SA) route?

    I'll try to get a VPN config snapshot from the customer.

  • Get the screenshot and also a print of "ipsec status" from the advanced shell.