Sophos XG IPsec port forwarding

Can you show us your NAT? 

Sure,

Hi Emil Naklicki,

Did you configure the matching firewall rule for the DNAT tule? If yes, can you try to change the inbound interface to Any in matching criteria for testing and see if that helps. 

Thanks,

I gave that a shot but no luck. I have the tunnel working one way (Meraki network back to Work network). I did a tracert from a work computer back to my Meraki inside network (10.241.0.0/16) and I got a loop going back and forth between my firewall and switch. I do have a static route on my work firewall 10.0.0.0/8 pointing back to my switch. Is it possible that my static route is taking over and pushing packets back to my switch even though I have a Policy IPsec site to site pointing to 10.241.0.0/16? If so can I create a static route specific to 10.241.0.0 destined traffic even though this is a Policy based IPsec tunnel and not route based?

Hi Emil Naklicki,

If the remote network overlaps with the static route, can you try to create a more specific static route? or change the route precedence and set VPN routes precedence at the top? 

You can check the route precedence from the console with the following command: system route_precedence show

For SFOS version 17:
console> system route_precedence set static policyroute vpn

For SFOS version 18:
console> system route_precedence set static sdwan_policyroute vpn

Thanks,

That would have most likely worked, thank you. I instead broke up my routing statements into smaller segments so that the remote network was no longer included. Which did fix my issue. It turns out I didn't even require port forwarding IPsec.

That would have most likely worked, thank you. I instead broke up my routing statements into smaller segments so that the remote network was no longer included. Which did fix my issue. It turns out I didn't even require port forwarding IPsec.