IPSec Traffic uses wrong port

Do you have a Ipsec Route? support.sophos.com/.../KB-000035839

We've had this issue, too.

Strange here, is we faced it only after Tunnel re-connects. Needed to add SNAT and IPSEC Routes. manually on CLI.

You probably need this commands:

system ipsec_route show

system ipsec_route add net 10.1.2.0/255.255.255.0 tunnelname YourName_Tunnel

show advanced-firewall

set advanced-firewall sys-traffic-nat add destination 10.1.2.0 netmask 255.255.255.0 snatip 192.168.1.2 (this is your firewall's LAN Interface, it needs to be part of the IPSEC Tunnel Networks)

We've had this issue, too.

Strange here, is we faced it only after Tunnel re-connects. Needed to add SNAT and IPSEC Routes. manually on CLI.

You probably need this commands:

system ipsec_route show

system ipsec_route add net 10.1.2.0/255.255.255.0 tunnelname YourName_Tunnel

show advanced-firewall

set advanced-firewall sys-traffic-nat add destination 10.1.2.0 netmask 255.255.255.0 snatip 192.168.1.2 (this is your firewall's LAN Interface, it needs to be part of the IPSEC Tunnel Networks)

I just needed this rule system ipsec_route add net 10.1.2.0/255.255.255.0 tunnelname YourName_Tunnel

Resolved my issue.

Regards

Daniel

good to hear it's solved. You need the SNAT if the XG itself needs to access hosts on the other side of the IPSEC. for example Active Directory Servers, DNS Servers to forward to etc.