XG - 2 VPN connections and 2 local LAN

You can alter the VPN connections, include all the subnets and this will give you access to all networks. This means you have alter the tunnels on the other peers as well. 

Or you could work with NAT in the IPsec Tunnel. Create a SNAT rule on webadmin from Local network to the remote subnet and MASQ with a IP within your local Network. Then create a VPN Route via CLI: console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

Or move to route based VPN instead of policy based VPN, if the peer supports this technology. 

Hello Lucar Toni, thank you for your quick reply. The thing is that I can't get to the other VPN gateways.

So I would have to realise it via NAT. Can you tell me more details about the NAT rule?
What exactly does it have to look like? There are many possible settings:

Then on the CLI:
system ipsec_route add host 192.168.0.100

tunnelname VPN AtoB

can it work like this! :-)

Thank you very much

Cheers Flo

You need to setup a IP, as you do not have a Interface in terms of MASQ. So use a SNAT custom gateway. 

You local Network seems to be wrong. 192.168.1.0? 

Then add the remote subnet. console> system ipsec_route add net 192.168.120.0/255.255.255.0 tunnelname 

You need to setup a IP, as you do not have a Interface in terms of MASQ. So use a SNAT custom gateway. 

You local Network seems to be wrong. 192.168.1.0? 

Then add the remote subnet. console> system ipsec_route add net 192.168.120.0/255.255.255.0 tunnelname 

Thank you Luca Toni, but unfortunately it doesn't work. (Correct the local network was a error)

I am not quite sure how to create a SNAT custom gateway? I did it like this:
I added an alias interface to the WAN port 10.0.1.10, then created an IP host "SNAT_IP" 10.0.1.10/255.255.255.255. I created a NAT rule with the parameters from the screenshot and then entered the route to VPN connection 1 via CLI...

But it does not work the network 192.168.127.0 is not accessible.

No. You simply need to create a IP Host within the network range of your local network. Then you use this object in your SNAT rule as a translated source host. 

Then you add the desired IPsec route to the tunnel via CLI. 

Ok, must the SNAT rule be linked to the/a firewall rule?

No, but you need a firewall rule to allow the traffic of course. 

hmmm it doesn't work, the IPSec route is entered. the firewall rules are active, I can access the remote network of the tunnel. I can't get into the remote network of the other tunnel. You have seen that I have two local networks? 

You have to do two different NAT Rules and two different IPSec routes in CLI.

First rule: 192.168.2.0/24 SNAT to 192.168.1.1/32 

Second Rule 192.168.1.0/24 SNAT to 192.168.2.1/32 

Then enter both rules: 

172.31.0.0/24 to tunnel 1.

192.168.120.0/24 to tunnel 2. 

VPN connection 1:
Local Subnet: 192.168.1.0/24 
Remote Subnet: 172.31.0.0/24

VPN connection 2:
Local Subnet: 192.168.2.0/24 
Remote Subnet: 192.168.120.0/24

A lot of time, but It works!  :-)

Great support, many thanks and best regards to LuCar Toni!!!

It goes on, now I have a Sophos with v17.5, unfortunately the SNAT doesn't work as in v18, how does that have to be set up on v17.5?

Thank you very much ...

This is only supported in V18.0 + 

Okay, and v17.5 can't do that at all? Or does it just need to be configured differently? :)