IPSEC site-to-site VPN connects but no traffic passes

Brad,

there is even a "how to video" on how to establish a S2S connection between 2 XG:

https://community.sophos.com/products/xg-firewall/p/site2siteipsecvpnpresharedkeys

Regards

Thanks!

Still no traffic.

Hey,

I had the same issue when i upgrade existing cyberoam devices to Sophos-OS. You have to add the ipsec routes manually using the console. 

https://kb.cyberoam.com/default.asp?id=2311&SID=&Lang=1&hglt=route+ipsec

on that link scroll all the way down and it shows how to add the routes using the console. But instead of cyberoam type system. 

Also there are a few topics on this forums that show how to do it. If you search adding ipsec routes you might find more info. 

We shared a connection and I had a look at Brad configuration. Here the steps:

1. Check the routing table using command route -n from advanced shell
2. If the remote network is not there you have to proceed with step 3 (192.168.105.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0)
3. go to console and check if the ipsec_route is there: system ipsec_route show
4. if the point 3 does not contain the remote network, then add the route manually: system ipsec_route add net 192.168.12.0/255.255.255.0 tunnelname "tunnelname configured from GUI"
5. check if you can ping the remote network from both sides. If ping does not work, you have to force the IP used when the traffic goes out using the command 6.
6. set advanced-firewall sys-traffic-nat add destination 192.168.12.0 netmask 255.255.255.0 snatip "XG LAN IP of where you are launching the commands"
7. Repeate the same steps, if necessary, on the other sides by adjusting the IP and SNAT IP
8. Ping should work now! Make sure ping is enabled on VPN zone from Administration > Device Access

We shared a connection and I had a look at Brad configuration. Here the steps:

1. Check the routing table using command route -n from advanced shell
2. If the remote network is not there you have to proceed with step 3 (192.168.105.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0)
3. go to console and check if the ipsec_route is there: system ipsec_route show
4. if the point 3 does not contain the remote network, then add the route manually: system ipsec_route add net 192.168.12.0/255.255.255.0 tunnelname "tunnelname configured from GUI"
5. check if you can ping the remote network from both sides. If ping does not work, you have to force the IP used when the traffic goes out using the command 6.
6. set advanced-firewall sys-traffic-nat add destination 192.168.12.0 netmask 255.255.255.0 snatip "XG LAN IP of where you are launching the commands"
7. Repeate the same steps, if necessary, on the other sides by adjusting the IP and SNAT IP
8. Ping should work now! Make sure ping is enabled on VPN zone from Administration > Device Access

Thank you for your help today!
Now I can continue upgrading all of our Cyberoams with the new Sophos XG Firewall firmware