

VPN to VPN rules

Hi all,

Given the state of the world, I'm trying to make some firewall changes to our setup, and I'm hoping someone can give me a bit of a steer.


We have a pair of IPsec VPNs running to Azure (which works fine)

We have a Remote SSL VPN for staff to dial into the office (which works fine)

What I'm trying to get working is an interlink between the two VPN configs so that staff can dial in from home, and then get to our Azure.


I've added the remote subnet to the IPsec ranges, and I'd thought it might be as simple as making a VPN<>VPN rule like so:

No dice, though. Could anyone provide some insight as to how to diagnose where my config is failing me?



  • Turns out my rules were in fact fine. The issue lay with how SFOS 17.5 works with Azure VPNs. The subnets don't work until there is some communication from the remote (Azure) end.

    Running a ping from the remote end always fails the first (and usually the second) time, but the third time round it will get to the destination.

    I'm told that SFOS 18 and the upcoming 18.1 resolve this problem.

    In the meantime I've got a scheduled task running a ping job every 15 minutes to both subnets (the local on-prem and the local remote SSL) and it's working fine.

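The workaround described in the answer above (a scheduled ping from the Azure side every 15 minutes to one host in each on-prem subnet) as an added example script; this is not the poster's own job or anything from Sophos. It is meant to run from a Linux VM on the Azure side of the tunnel. Because the answer reports that the first one or two pings fail before the subnet starts passing traffic, the script retries each target and logs how many attempts it took, which also tells you whether the tunnel is staying warm between runs. The target addresses 10.0.1.1 (on-prem LAN) and 10.81.234.1 (remote SSL VPN range) and the variable names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Keepalive for an SFOS <-> Azure IPsec tunnel whose subnets only pass traffic
# once the Azure side has sent something. Added example, not from the original
# thread. Run from a VM on the Azure side, e.g. every 15 minutes from cron.

# One host in each on-prem subnet that must stay reachable: the LAN behind the
# firewall and the remote SSL VPN client range. Addresses are assumed here.
KEEPALIVE_TARGETS="${KEEPALIVE_TARGETS:-10.0.1.1 10.81.234.1}"
# How many single-packet probes to send per target before declaring it down.
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
# The probe command; overridable so the retry logic can be tested offline.
PING_CMD="${PING_CMD:-ping -c 1 -W 2}"

# Timestamped log line on stderr (redirect to a file or logger in cron).
log_line() {
  printf '%s ipsec-keepalive: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2
}

# probe_until_reply HOST
# Probes HOST up to MAX_ATTEMPTS times. Prints the number of attempts used and
# returns 0 on the first reply, or prints MAX_ATTEMPTS and returns 1 if HOST
# never answered.
probe_until_reply() {
  local host="$1" attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if $PING_CMD "$host" >/dev/null 2>&1; then
      echo "$attempt"
      return 0
    fi
    attempt=$((attempt + 1))
  done
  echo "$MAX_ATTEMPTS"
  return 1
}

# keepalive_run
# Probes every target, logs one line per target, and returns non-zero if any
# target stayed unreachable so cron (or a monitor) can alert on the exit code.
keepalive_run() {
  local failed=0 host attempts
  for host in $KEEPALIVE_TARGETS; do
    if attempts=$(probe_until_reply "$host"); then
      log_line "$host reachable after $attempts attempt(s)"
    else
      log_line "$host UNREACHABLE after $MAX_ATTEMPTS attempts"
      failed=1
    fi
  done
  return "$failed"
}

# Only probe when invoked with "run", so sourcing the file defines functions only.
if [ "${1:-}" = "run" ]; then
  keepalive_run
  exit $?
fi
```

A crontab entry such as `*/15 * * * * /usr/local/bin/ipsec-keepalive.sh run 2>>/var/log/ipsec-keepalive.log` (path assumed) reproduces the 15-minute schedule from the answer. If the log regularly shows two or three attempts per run, the tunnel is going cold between runs and the interval should be shortened; consistent first-attempt replies mean the keepalive is doing its job.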
