Problem routing WAN traffic across IPSEC

Can you give us some more details, please?

Tunnel definition, private networks …

Not quite sure what you’re after. It’s a point to point IPSec tunnel using IKEv2. Tunnel has been running for 6+ years and all other traffic across it works fine, just not this NAT rule.

 jprusch  there's not really much that could be wrong with the IPSec tunnel, but here are pictures

These Screenshots are senseless, lacking complete infos. How shall we check black squares?

ok last try: Is there an entry for the server by its IP or do you have the whole net included in your DNAT?

You likely will need a IPsec Route. 

docs.sophos.com/.../index.html

I’ve already got an ipsec route

• I've configured firewall rule and NAT rule, then added 'system ipsec_route add net 172.16.1.0/255.255.255.0 tunnelname IPSEC

Originating side is operating fine. But traffic doesn’t show up in packet capture on destination side

It looks completely fine then. Traffic is routed through IPsec. But no reply. 

I’m not going to post my IPs on a public forum. Happy to send to you in a private message if you think it will help.

Entire destination subnet is in the IPSec config. I can ping and access all servers in Site 2 from Site 1 without any problem. It’s only the DNAT from WAN which isn’t working.

Likely the problem is caused by the other peer. As you are NAT only the destination, the original WAN connection stays there. The server could send the reply directly to the peers WAN and not back to the XFRM. 

You could resolve this by doing a SNAT as well. Keep in Mind, you need to use a SNAT object, which is within your local network. So create a Host object within one of your Local Networks in Ipsec and use this in the same NAT rule. This should work. 

Wild guess: could be the precedence of rules as well.

Could you move the DNAT up to be processed first?

Likely not. You see, the NAT is hitting the packet capture. You have to read it from bottom to top. And it is natted and transfered to the XFRM. But nobody is replying. This could due multiple reasons: Firewall rule missing on Peer. Routing on Peer etc. 

You will likely resolve all of those issues with a SNAT as well. 

Yes I agree. SNAT was actually my first thought and is most logical, but if I put an SNAT in, it doesn't even route across the tunnel at all and just does straight out to the internet with no NAT or FW rules appled, which seems odd. I even tried a system SNAT. Screenshot below. If I remove the SNAT, packet capture shows it going across the tunnel, but never gets to the other end.

I also tried putting the WAN IP address on both ends of the tunnel so that the Sophos knew to return traffic to the IPSec tunnel

Before SNAT:

After SNAT:

Yes I agree. SNAT was actually my first thought and is most logical, but if I put an SNAT in, it doesn't even route across the tunnel at all and just does straight out to the internet with no NAT or FW rules appled, which seems odd. I even tried a system SNAT. Screenshot below. If I remove the SNAT, packet capture shows it going across the tunnel, but never gets to the other end.

I also tried putting the WAN IP address on both ends of the tunnel so that the Sophos knew to return traffic to the IPSec tunnel

Before SNAT:

After SNAT: