IPSec VPN default gateway not working

Hi Downsideup : Thank you for reaching out to the Sophos community team. Option 'Use a default gateway' route internet traffic of end machine to XG and in this scenario you may required VPN to WAN firewall rule and NAT rule to NAT/MASQ outgoing traffic to WAN ( which is coming from VPN).  

Can you please confirm these required rules are present on your XG?

If yes it is present and still issue there then please share TCPDUMP and drop packet output from XG for any public IP on which you are checking PING for testing internet after connecting IPsec (remote access).

TCPDUMP command

a) console>tcpdump  'host x.x.x.x

KBA : https://support.sophos.com/support/s/article/KB-000035939?language=en_US

Drop packet command:

b) console> drop 'host x.x.x.x

x.x.x.x is the reference public IP on which you are checking PING after connecting IPsec remote access.

Hi Vishal, I have a VPN to WAN firewall rule but don't think I have a NAT\MASQ for the WAN ip address. How do I set it up?

Hi Downsideup : Either you may create linked NAT rule during firewall rule creation time or you may create separate NAT rule by defining required settings/detailsas per below steps.

docs.sophos.com/.../CreatingSNATRule.html

V18 NAT : www.youtube.com/watch

Great, thanks Vishel. I think this is the issue!

I will have a look at this out of office hours and let you know if it resolves my issue.

As I have two WAN IP's (x.x.x.1 and x.x.x.2) on the same interface and the IPSec has been set up on x.x.x.2, should I put my NAT on x.x.x.2 or can it be set to x.x.x.1 like my SSL VPN connection? 

Hi Downsideup : Here your WAN or Internet traffic by default will be load balance by XG firewall between available active WAN gateway, so setting up NAT action MASQ is fine. MASQ will do NAT with exist interface IP address.

If traffic exists via WAN 1: NAT IP will be x.x.x.1 and if traffic exists via WAN 2: NAT IP will be x.x.x.2 with MASQ action.

Hi Downsideup : Here your WAN or Internet traffic by default will be load balance by XG firewall between available active WAN gateway, so setting up NAT action MASQ is fine. MASQ will do NAT with exist interface IP address.

If traffic exists via WAN 1: NAT IP will be x.x.x.1 and if traffic exists via WAN 2: NAT IP will be x.x.x.2 with MASQ action.

Thanks, one other thing

How do I stop get an alert email every time my test client connects and disconnects the tunnel?

Hi Downsideup,

You can turn off notifications for VPN connection from System services > Notification list.

Thanks, that worked, I should of found that  myself