
Route to host over IPSec Tunnel not working

We have a new IPSec tunnel established between our XG and a remote Cisco site.  It looks like this:

 

XG                          Remote Site
172.20.0.0/16   <--IPsec-->   10.1.1.150/32

 

The tunnel is up, both inbound and outbound rules were set up:

VPN-LAN (172.20.0.0/16) Any / Any

LAN-VPN (10.1.1.150/21) Any / Any

 

The remote site (10.1.1.150) can ping hosts on our network, but we can't ping the remote (10.1.1.150) end.  They have verified that ICMP is allowed on their server.

ifconfig for ipsec0 looks like this:

ipsec0    Link encap:Ethernet  HWaddr 5A:64:6F:66:82:85
          inet addr:169.254.234.5  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::5864:6fff:fe66:8285/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

If I check the route table for 10.1.1.150 nothing exists.  No entries.  If I do a route lookup from the GUI it's trying to route 10.1.1.150 out through the WAN interface, but I see no way to add a route for a tunnel since it's only hardware and virtual interfaces available in those menus.

 

Does anyone have any suggestions?



  • Hello,

    Greetings.

    Login to the CLI of the device and go to option number 4 and check the routing table with the below command:

    console> system diagnostics utilities netconf route list

    Kindly log in to the WebUI and go to Monitor & Analyze -> Diagnostics -> Packet capture. Click on Configure and enter the BPF string as host 192.168.1.1 (here, 192.168.1.1 is the remote-end network PC or interface IP). Start the packet capture, run a ping from any local PC to 192.168.1.1, and capture the packets on the UTM. Please paste the screenshot here in your reply.

    If you do not see a route to the remote network through the IPsec tunnel, kindly try adding a manual route on the UTM device with the command below:

    system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname TEST   (here, 192.168.1.0/24 is the remote-end network and TEST is the tunnel name).

    Then try pinging the remote network from a local LAN PC and share the output of the packet capture.

     

    -Mayur Makvana

     
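The reply above boils down to a routing question: the XG has no entry covering 10.1.1.150, so longest-prefix match falls through to the default route and the GUI lookup reports the WAN interface; an ipsec_route entry for the remote host makes a more specific route win. The following is an added example, not code from the original post or from Sophos: it models that lookup over a constructed route table and builds the console command in the net/netmask form the reply uses. The interface names Port1/Port2, the WAN gateway 203.0.113.1 and the tunnel name CiscoSite are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Route table entries as (prefix, interface, gateway). This is a constructed
# table modelled on the thread: a LAN route and a default route, but nothing
# for the remote host behind the tunnel. Interface names and the gateway
# address are assumptions, not values from the original post.
Route = Tuple[str, str, Optional[str]]
ROUTES_BEFORE: List[Route] = [
    ("0.0.0.0/0", "Port2", "203.0.113.1"),   # default route via WAN (assumed)
    ("172.20.0.0/16", "Port1", None),        # local LAN from the post
]


def lookup(dest: str, routes: List[Route]):
    """Longest-prefix match: return (network, interface, gateway) for the most
    specific route that covers dest, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def egress_interface(dest: str, routes: List[Route]) -> Optional[str]:
    """Interface a packet to dest would leave on (what the GUI route lookup shows)."""
    match = lookup(dest, routes)
    return match[1] if match else None


def with_ipsec_route(routes: List[Route], cidr: str, iface: str = "ipsec0") -> List[Route]:
    """Return a copy of the table with a tunnel route added for cidr."""
    return routes + [(cidr, iface, None)]


def ipsec_route_cmd(cidr: str, tunnel: str) -> str:
    """Build the XG console command in the network/dotted-netmask form used in
    the reply. A prefix with host bits set is normalised to its network address,
    so the command always names a valid network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (f"system ipsec_route add net {net.network_address}/{net.netmask} "
            f"tunnelname {tunnel}")


if __name__ == "__main__":
    print("before:", egress_interface("10.1.1.150", ROUTES_BEFORE))
    after = with_ipsec_route(ROUTES_BEFORE, "10.1.1.150/32")
    print("after: ", egress_interface("10.1.1.150", after))
    print(ipsec_route_cmd("10.1.1.150/32", "CiscoSite"))
```

Before the tunnel route exists only the default route matches, so the lookup answers Port2 (WAN); after adding a /32 for the remote host the 32-bit prefix beats the 0-bit default and the same lookup answers ipsec0. Running the same check against an address just outside the remote host (10.1.2.7) still gives the WAN, which is the quickest way to confirm that a route you added is as narrow as you intended.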
