
XG - 2 VPN connections and 2 local LAN

Hello community,

I have 2 Site2Site IPsec connections and 2 local LANs on the XG.

VPN connection 1:
Local Subnet: 192.168.1.0/24 
Remote Subnet: 172.31.0.0/24

VPN connection 2:
Local Subnet: 192.168.2.0/24 
Remote Subnet: 192.168.120.0/24

How can I connect the two local LANs on the XG so that I can access the remote subnets of the two VPN tunnels from both local LANs?

What is the best way to do this?

Thank you very much for your answers.

Best regards



  • You can alter the VPN connections, include all the subnets and this will give you access to all networks. This means you have to alter the tunnels on the other peers as well. 

    Or you could work with NAT in the IPsec tunnel. Create a SNAT rule on webadmin from Local network to the remote subnet and MASQ with an IP within your local network. Then create a VPN route via CLI: console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

    Or move to route based VPN instead of policy based VPN, if the peer supports this technology. 


  • Hello Lucar Toni, thank you for your quick reply. The thing is that I can't get to the other VPN gateways.

    So I would have to realise it via NAT. Can you tell me more details about the NAT rule?
    What exactly does it have to look like? There are many possible settings:

    Then on the CLI:
    system ipsec_route add host 192.168.0.100 tunnelname VPN AtoB

    Can it work like this? :-)

    Thank you very much

    Cheers Flo

  • No. You simply need to create an IP Host within the network range of your local network. Then you use this object in your SNAT rule as the translated source host. 

    Then you add the desired IPsec route to the tunnel via CLI. 


  • Ok, must the SNAT rule be linked to the/a firewall rule?

  • No, but you need a firewall rule to allow the traffic of course. 


  • Hmmm, it doesn't work. The IPsec route is entered, the firewall rules are active, and I can access the remote network of the tunnel. I can't get into the remote network of the other tunnel. You have seen that I have two local networks? 

  • You have to create two different NAT rules and two different IPsec routes in the CLI.

    First rule: 192.168.2.0/24 SNAT to 192.168.1.1/32 

    Second rule: 192.168.1.0/24 SNAT to 192.168.2.1/32 

    Then enter both routes: 

    172.31.0.0/24 to tunnel 1.

    192.168.120.0/24 to tunnel 2. 

    VPN connection 1:
    Local Subnet: 192.168.1.0/24 
    Remote Subnet: 172.31.0.0/24

    VPN connection 2:
    Local Subnet: 192.168.2.0/24 
    Remote Subnet: 192.168.120.0/24

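The reply above describes why two SNAT rules plus two IPsec routes are needed: a policy-based tunnel only carries traffic whose source and destination fall inside its configured selectors. The following simplified model is an added illustration, not Sophos code or anything from the thread; it uses the thread's subnets and assumes a "route lookup, then selector check" order to show which packets would be carried with and without the SNAT.

```python
"""Simplified model of policy-based IPsec selector matching with SNAT.
Constructed for illustration only; it is not how the XG implements this."""
import ipaddress

# Constructed from the thread: the two policy-based tunnels and their selectors.
TUNNELS = {
    "VPN1": ("192.168.1.0/24", "172.31.0.0/24"),     # (local selector, remote selector)
    "VPN2": ("192.168.2.0/24", "192.168.120.0/24"),
}

# The two SNAT rules from the answer: (original source, destination, translated source).
SNAT_RULES = [
    ("192.168.2.0/24", "172.31.0.0/24", "192.168.1.1"),
    ("192.168.1.0/24", "192.168.120.0/24", "192.168.2.1"),
]

# The two ipsec_route entries from the answer: destination network -> tunnel name.
IPSEC_ROUTES = {"172.31.0.0/24": "VPN1", "192.168.120.0/24": "VPN2"}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def apply_snat(src, dst, rules=SNAT_RULES):
    """Return the source address after the first matching SNAT rule (unchanged if none)."""
    for orig_net, dst_net, translated in rules:
        if _in(src, orig_net) and _in(dst, dst_net):
            return translated
    return src


def forward(src, dst, snat=True):
    """Model the path: optional SNAT, ipsec_route lookup, then the tunnel's selector check.

    Returns (source seen on the wire, tunnel name), or (source, None) when no
    policy-based selector covers the packet, so it is not carried by the tunnel.
    """
    wire_src = apply_snat(src, dst) if snat else src
    tunnel = next((t for net, t in IPSEC_ROUTES.items() if _in(dst, net)), None)
    if tunnel is None:
        return wire_src, None
    local_sel, remote_sel = TUNNELS[tunnel]
    if _in(wire_src, local_sel) and _in(dst, remote_sel):
        return wire_src, tunnel
    return wire_src, None   # selector mismatch: the tunnel will not carry this packet


if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.2.10"):
        for target in ("172.31.0.5", "192.168.120.5"):
            print(host, "->", target, "no SNAT:", forward(host, target, snat=False),
                  "with SNAT:", forward(host, target))
```

Running it shows that a host in 192.168.2.0/24 reaching 172.31.0.0/24 is dropped by the selector check unless its source is translated to 192.168.1.1, which is exactly what the first SNAT rule does.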

  • A lot of time, but it works!  :-)

    Great support, many thanks and best regards to LuCar Toni!!!

  • It goes on: now I have a Sophos with v17.5, and unfortunately the SNAT doesn't work as in v18. How does that have to be set up on v17.5?

    Thank you very much ...

  • This is only supported in v18.0+. 


  • Okay, and v17.5 can't do that at all? Or does it just need to be configured differently? :)

  • FormerMember (in reply to Flo K):

    In v17.5, you need to configure a firewall rule with the required source/destination networks and apply masquerading policy as shown below.

  • As far as I know, this does not work for v17.5 within an IPsec tunnel, but I could be wrong. I do not have to work with v17.5 installations anymore. I highly recommend upgrading your old installations. 
