
Problem routing WAN traffic across IPSEC

I'm trying to route traffic from WAN across an IPSEC tunnel to a server

WAN -> Sophos1 -> IPSEC -> Sophos 2 -> Server

I've configured a firewall rule and a NAT rule, then added 'system ipsec_route add net 172.16.1.0/255.255.255.0 tunnelname IPSEC'

I also added the WAN IP address to both sides of the IPSEC tunnel so that the Sophos knows where that IP sits.

Packet capture all looks perfectly correct on Sophos1

Problem is, when I do a packet capture on Sophos2 there is no traffic whatsoever. It's as if the traffic just disappears into the never never.

I've googled around and read multiple forums and it all seems to be set up correctly.

What am I missing?



  • Can you give us some more details, please?

    Tunnel definition, private networks …

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Not quite sure what you’re after. It’s a point to point IPSec tunnel using IKEv2. Tunnel has been running for 6+ years and all other traffic across it works fine, just not this NAT rule.

  • I’ve already got an ipsec route

    • I've configured a firewall rule and a NAT rule, then added 'system ipsec_route add net 172.16.1.0/255.255.255.0 tunnelname IPSEC'

    Originating side is operating fine. But traffic doesn’t show up in packet capture on destination side

  • It looks completely fine then. Traffic is routed through IPsec. But no reply. 


  • I’m not going to post my IPs on a public forum. Happy to send to you in a private message if you think it will help.

    Entire destination subnet is in the IPSec config. I can ping and access all servers in Site 2 from Site 1 without any problem. It’s only the DNAT from WAN which isn’t working.

  • Likely the problem is caused by the other peer. As you NAT only the destination, the original WAN connection stays there. The server could send the reply directly to the peer's WAN and not back to the XFRM.

    You could resolve this by doing a SNAT as well. Keep in mind, you need to use a SNAT object which is within your local network. So create a Host object within one of your Local Networks in IPsec and use this in the same NAT rule. This should work.


  • Wild guess: could be the precedence of rules as well.

    Could you move the DNAT up to be processed first?


  • Likely not. You see, the NAT is hitting the packet capture. You have to read it from bottom to top. And it is natted and transferred to the XFRM. But nobody is replying. This could be due to multiple reasons: firewall rule missing on the peer, routing on the peer, etc.

    You will likely resolve all of those issues with a SNAT as well. 


  • Yes I agree. SNAT was actually my first thought and is most logical, but if I put an SNAT in, it doesn't even route across the tunnel at all and just goes straight out to the internet with no NAT or FW rules applied, which seems odd. I even tried a system SNAT. Screenshot below. If I remove the SNAT, packet capture shows it going across the tunnel, but it never gets to the other end.

    I also tried putting the WAN IP address on both ends of the tunnel so that the Sophos knew to return traffic to the IPSec tunnel

    Before SNAT:

    After SNAT:

  • But if the firewall is missing on peer, or routing, it should at least appear in the packet capture. The packets would come in, the Sophos just wouldn't know what to do with them?

    On peer (Sophos 2) there's a VPN -> LAN allow all rule

  • Can you show us the NAT rule?
    And the packet capture shows you it is working perfectly from this firewall rule.


  • Without SNAT:

    With SNAT:

    I agree this side of the firewall looks fine (without the SNAT in place). Packet capture shows everything flowing correctly. But the Sophos on the other end never sees it. And other than a VLAN->LAN rule on the other end, I'm not sure what else would be needed. The traffic should at least be showing in a packet capture at the other end.

  • You need to create a SNAT object, not using MASQ. 

    See my text: 

    You could resolve this by doing a SNAT as well. Keep in mind, you need to use a SNAT object which is within your local network. So create a Host object within one of your Local Networks in IPsec and use this in the same NAT rule. This should work.


  • Perfect. That has indeed solved the issue, thanks. Just used a server on Site 1 for the SNAT.

    I'm confused though. Isn't a MASQ an SNAT that just presents the IP address of the firewall interface? Why wouldn't that work?

  • You have an IPsec policy-based tunnel. There is no interface to MASQ.

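The two explanations above (the reply leaving via the peer's WAN when only DNAT is applied, and MASQ having no interface on a policy-based tunnel) can be checked with a small simplified model. This is an added example, not code from the thread or from Sophos: the addresses are constructed, Site 1's IPsec local network is assumed to be 10.1.0.0/24, and the forward direction is not modelled because the thread's ipsec_route already forces it into the tunnel; only the reply path on Sophos2 is decided here.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample topology (assumptions, not the thread's real addresses).
SITE1_LAN = ipaddress.ip_network("10.1.0.0/24")     # local network in Sophos1's IPsec policy
SITE2_LAN = ipaddress.ip_network("172.16.1.0/24")   # subnet routed via ipsec_route in the thread
CLIENT = ipaddress.ip_address("203.0.113.10")       # internet client reaching Sophos1's WAN
SOPHOS1_WAN = ipaddress.ip_address("198.51.100.1")
SERVER = ipaddress.ip_address("172.16.1.50")        # DNAT target behind Sophos2
SNAT_HOST = ipaddress.ip_address("10.1.0.99")       # host object inside SITE1_LAN

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def in_tunnel(pkt: Packet, local, remote) -> bool:
    """Policy-based IPsec has no interface: a packet is carried by the tunnel
    only when its src/dst fall inside the policy's local/remote selectors."""
    return pkt.src in local and pkt.dst in remote

def apply_nat_rule(pkt: Packet, snat: Optional[str]) -> Optional[Packet]:
    """Sophos1 NAT rule: DNAT WAN->SERVER, then SNAT per 'snat' (None, 'host', 'masq').
    MASQ borrows the egress interface address; a policy-based tunnel has none,
    so the rule yields no usable source address (modelled as None)."""
    pkt = replace(pkt, dst=SERVER)
    if snat is None:
        return pkt
    if snat == "host":
        return replace(pkt, src=SNAT_HOST)
    if snat == "masq":
        return None
    raise ValueError(snat)

def reply_path(fwd: Packet) -> str:
    """Sophos2 sends the server's reply through the tunnel only if the reversed
    flow matches its own selectors; otherwise it follows the default route."""
    reply = Packet(src=fwd.dst, dst=fwd.src)
    return "ipsec" if in_tunnel(reply, SITE2_LAN, SITE1_LAN) else "default-route"

def simulate(snat: Optional[str]) -> str:
    """Outcome for one client connection under the given SNAT choice."""
    fwd = apply_nat_rule(Packet(CLIENT, SOPHOS1_WAN), snat)
    if fwd is None:
        return "not-natted"        # traffic leaves via the internet, as seen in the thread
    return reply_path(fwd)

if __name__ == "__main__":
    for mode in (None, "masq", "host"):
        print(f"snat={mode!s:5} -> {simulate(mode)}")
```

With DNAT only the reply is addressed to the public client IP, which is outside the tunnel selectors, so Sophos2 routes it to the internet; SNAT to a host object inside the local network keeps both directions within the policy.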