Ipsec Tunnel : no created route

Question

i setup a ipsec tunnel between Sophos XG <-> Fortigate. 
 
 Tunnel is ok . 
 
 If i ping from Fortigate to sophos network i get a reply , when i ping from sophos side to Fortigate i don't get reply 
 When i do system ipsec_route show : i don't see any route. 
 
 So why don't create sophos a ?? How can we do this ?

Vishal_R · Answer

Hi helmut willems

The Option which you are referring "system ipsec_route show" is to represent the IPsec route added manually by administrator.

When ever you will establish the tunnel route will be added automatically on XG and you do not required to add it manually.

You will be able to see the log line similar to below in XG's strognswan.log
=====================================

2019-11-12 14:55:20 24[ENC] <ISP_2-1|42> parsed QUICK_MODE response 1729935629 [ HASH SA No ID ID ]
2019-11-12 14:55:20 24[IKE] <ISP_2-1|42> CHILD_SA ISP_2-2{65} established with SPIs c8e4cb45_i c098c751_o and TS 10.0.73.0/24 === 192.168.10.0/24

For PING part :

Please ensure required rule LAN to VPN and VPN to LAN ( For VPN to LAN if needed apply MASQ) with route through gateway none is configured on XG.

Please also ensure that you are pinging from machine which is part of your IPSec tunnel's local LAN. Please do not PING from XG - as PING from XG will not work to remote LAN of IPSec. ( To make PING reachable from XG CLI additional configuration of manual IPSec route and SNAT will be required).