Traffic won't go through policy based S2S IPSec tunnel

Hello,

Greetings,

You may review once as below:

community.sophos.com/.../sophos-xg-firewall-troubleshooting-site-to-site-ipsec-vpn-issues

https://support.sophos.com/support/s/article/KB-000035835?language=en_US

Also, adding the 100.270.x.x in the remote subnet should not be an issue as far as we are defining the local and remote network same at both the ends. Also, there is no need of adding the SNAT unless specific requirement to perform SNAT.

Also, set the route precedence as static,VPN,SD-WAN and validate it!

Hi Mayur, thanks for your reply. I have followed the mentioned articles and I can't find the mistake I'm making.

I think I have to clarify my configuration:

Local Subnet: 10.0.0.0/23
Local NATed Subnet: 100.270.xx.xx/24

Remote Subnet: 193.158.xx.xx/27

S2S IPSec tunnel is up and running

Route table is also looking good:

tcpdump is showing the following:

Port8 is my WAN. I tried http and ping.

Hello,

It seems wrong NAT added as well as the subnet chose is having different subnet mask for local and NATed LAN. We suggest referring below KBA to validate if you wish to perform overlap concept in VPN.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNIPsecConnectionConfigureNAT/index.html#sophos-firewall-1-configure-an-ipsec-connection

If the requirement is only to perform the SNAT for the outgoing traffic, you may add SNAT IP in the LAN to VPN firewall rule.

If you still finds an issue, we suggest raising the support case!

Hi, sorry typo on my end. I have corrected this in my post, its definitely a /24 subnet. Firewall rules are set as needed, this seems not to be the issue. drppkt is showing me no drops either. I think I will then raise a support case. Thanks for your support!