Firewall Traffic gets routed in full-tunnel IPsec VPN

Hi Tobias Kuhnert : Thank you for reaching out to Sophos community team. What is the route precedence set over XG as of now? 

The default route precedence in 18.0 is set to static, SD-WAN policy routes, and VPN. Can you please check the below KBA for reference steps and set the route precedence to it's default V18 settings, if it not set.
 
https://support.sophos.com/support/s/article/KB-000037964?language=en_US

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringRoutePrecedence.html

Note: You may test it in odd hours for safer side to avoid any outage or issue.

console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes

Hi Tobias Kuhnert : Thanks for sharing this output. Please share below command output here.

1) #route -n

2) console> sy ipsec route show

SG230_WP02_SFOS 18.0.4 MR-4# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.0.0 0.0.0.0 255.255.255.0 U 0 0 0 PortE0
10.64.1.0 0.0.0.0 255.255.255.0 U 0 0 0 PortE0.2
10.64.2.0 0.0.0.0 255.255.255.0 U 0 0 0 PortE0.3
10.64.3.0 0.0.0.0 255.255.255.0 U 0 0 0 PortE0.4
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 PortE3
172.16.64.144 0.0.0.0 255.255.255.248 U 0 0 0 PortE1

console> sy ipsec_route show
tunnelname host/network netmask
... list is empty

Tobias Kuhnert : Thanks for sharing the above requested output. How many active WAN gateway present under "WAN Link Manager" over XG ? Please share snapshot if possible. (Navigation Path : Configure > Network > WAN Link Manager)

Can you please share below output as well? 

#ip route show table multilink 

That will help us to confirm default route is via which interface and gateway on XG currently.

first is of course to have a WAN interface configured

What is the way the packets go when you do the packet capture in GUI Diagnostic and ping google DNS? are they really sent into the tunnel?

we only have 1 wan gateway.

Interface:

SG230_WP02_SFOS 18.0.4 MR-4# ip route show table multilink
default via 172.16.64.145 dev PortE1 proto static

of course we have a wan interace.

yes, they are sent into the tunnel.

Hi Tobias Kuhnert,

Please share the screenshot of the local and remote network configured with the IPsec connection. 

If you added any in the remote network, that doesn't require IPsec system routes to send ICMP traffic from the firewall through the tunnel. 

As LHerzog said, run packet capture from the GUI and share the screenshot with us. 

Thanks,

i can't share any more screenshot with sensitive data. please see text below:

i have configured the following networks in the VPN connection. This is the only VPN connection configured on the device.
remote subnet: any
local subnet: 10.64.0.0/21

no additional/manual routes have been added to the system.

packet capture (10.64.0.1 is the IP of the firewall):

SG230_WP02_SFOS 18.0.4 MR-4# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

as already mentioned route lookup from diagnostics page: