Full tunnel site to site IPsec VPN bug

I guess your problem is a) that the remote firewall has no entry for your local firewall since it has no IP address that is part of the tunnel and b) that system-generated traffic is not automatically nated.

If your firewall should be able to route it's own traffic (from diagnostics for example) through the tunnel you will have to create an advanced-firewall rule in console.
set advanced-firewall sys-traffic-nat add destination 8.8.8.8 netmask 255.255.255.255 snatip 192.168.0.1

EXCUSE ME?

I just route 192.168.183.50 traffic through IPsec Tunnel, and it works great.

Why XG route itself traffic through IPsec Tunnel too?

That's not what I need.

XG should route itself outside from WAN but not IPsec Tunnel.

Sorry I misunderstood your issue.
You meant that the route lookup shows the wrong destination

But is that IP reachable from the firewall or not (only a more cosmetic issue or a real problem)?

Sure, XG can reach the Google IP 8.8.8.8  from WAN.

However after the one to any full tunnel IPsec tunnel created, all XG's traffic will route through IPsec Tunnel, and failed to reach 8.8.8.8 anymore.

The IPsec tunnel should route 192.168.183.50's traffic to IPsec only.

But actually XG's own routing will also be carried out through this VPN tunnel.

This bug was mentioned two years ago, but I don’t know which version of firmware can solve it.

https://community.sophos.com/sophos-xg-firewall/f/discussions/127846/firewall-traffic-gets-routed-in-full-tunnel-ipsec-vpn?ReplySortBy=CreatedDate&ReplySortOrder=Ascending

Hi Shunze Lee Thanks for sharing the detailed information, let me try to reproduce the issue in my LAB between XG to XG to confirm the results and I will update you based on my testing. 

Additionally, a similar investigation is ongoing with the GES/Dev team for one such reported instance with ID NC-125618 - which is still under progress. I suggest logging a support case to validate it further on this one with the help of the support team. 

Thank you.

You may reproduce the issue easily.

Hope you doing well.

Hi Shunze Lee Yes I have re-produced this locally between XG to XG and tried checking traffic for 1.1.1.1 which shows out via ipsec.








Have you logged any support tickets for this one? if yes please share it here for reference to check the status of it and to add an internal note over the same to progress it further/to add an instance on existing investigation on going with Dev. 

HI Vishal_R,

Thank for your reply, I have opened a case (ID: 07103722).

Can you tell me which firmware version you are testing?

Shunze

Why not using Route Based VPN? 

Remote side didn't support.