Hi there,
can someone please tell me where I can find the equivalent of Zyxel's Policy Route
Hello Thierry MICHELS ,
Thank you for reaching out to the community. Please refer to the following useful docs:
1.) Sophos Firewall v19: How to Choose The Gateway For A Firewall Rule - Sophos Firewall: How to Choose The Gateway For A Firewall Rule v19
2.) SD-WAN policy routing - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html
3.) Add an SD-WAN policy route - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyRouteAdd/index.html
With the help of the command below, you may verify the SNAT details for system-generated traffic.
If there is no output, it means no SNAT is configured for system-generated traffic.
console> sh advanced-firewall
The output below shows the SNAT for system-generated traffic:
NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
console>
Sophos XG Firewall: How to NAT Sophos Firewall generated traffic
https://support.sophos.com/support/s/article/KB-000035607?language=en_US
To delete, the command is the same as in the above KBA, with del in place of add, if you want to remove any existing system-generated NAT rule.
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Thank you for your answer
I tried to add under Remote Subnet the new VLANs and corrected the Firewall rule, but it doesn't work.
The LAN_arosa connect green and the VLAN_Arosa stay red.
Yup, so please check the logs on the remote site to narrow down the situation!
Thanks & Regards,
Just one question:
Should the method I chose work?
If so, I think the problem is on the other side, and they need to check their configuration.
Correct, please inform the team to check on the remote site!
Thanks & Regards,
A better question:
Could I have 2 different subnets in the remote subnet section?
Of course, but whatever changes you make locally need to be reflected on the remote site!
Thanks & Regards,
As said, the other side is a Zyxel.
And on the Zyxel it is apparently not possible to define 2 subnets in the same site-to-site configuration.
Alright, so this is the limitation of the remote site. Hence you'll have to continue using one subnet.
Thanks & Regards,
Hello everybody,
We found a solution for this site-to-site problem.
On the other side we now have 2 site-to-site configurations.
On the local side the LAN_Crans subnet.
And for the local side, as said before, I have 2 remote subnets in my site2site configuration.
The connection is OK but I can't ping any device on the other side.
But no problem to ping with the firewall diagnostic ping.
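As an added example (not part of the thread or of either vendor's software), the script below models the selector-mirroring requirement behind the fix above: the Sophos tunnel lists two remote subnets, while the Zyxel, which the thread says cannot hold two subnets in one tunnel, needs one tunnel per subnet. The subnet values are constructed placeholders, and the check is a plain mirror comparison that does not model IKEv2 selector narrowing.

```python
from ipaddress import ip_network

# Constructed sample configuration (not the poster's real addresses).
# Sophos side: one tunnel, local LAN, two remote subnets (LAN + VLAN).
SOPHOS = [
    {"name": "to_arosa", "local": ["10.10.0.0/24"],
     "remote": ["172.16.60.0/24", "172.16.61.0/24"]},
]
# Zyxel side before the fix: a single tunnel covering only one subnet.
ZYXEL_ONE_TUNNEL = [
    {"name": "to_crans", "local": ["172.16.60.0/24"], "remote": ["10.10.0.0/24"]},
]
# Zyxel side after the fix: a second tunnel for the VLAN subnet.
ZYXEL_TWO_TUNNELS = ZYXEL_ONE_TUNNEL + [
    {"name": "to_crans_vlan", "local": ["172.16.61.0/24"], "remote": ["10.10.0.0/24"]},
]


def selector_pairs(tunnels):
    """Expand every tunnel into its set of (local, remote) phase-2 selectors."""
    return {
        (ip_network(loc), ip_network(rem))
        for t in tunnels
        for loc in t["local"]
        for rem in t["remote"]
    }


def check_selectors(side_a, side_b):
    """Return (unmatched on A, unmatched on B), each as 'local -> remote' strings.

    A selector (L, R) on side A is satisfied only if side B proposes the exact
    mirror (R, L).  Supersets on the peer still count as a mismatch here.
    """
    a = selector_pairs(side_a)
    b_mirrored = {(rem, loc) for loc, rem in selector_pairs(side_b)}  # B as seen from A
    only_a = sorted(f"{loc} -> {rem}" for loc, rem in a - b_mirrored)
    # Report B's extras in B's own orientation (its local -> its remote).
    only_b = sorted(f"{rem} -> {loc}" for loc, rem in b_mirrored - a)
    return only_a, only_b


if __name__ == "__main__":
    for label, zyxel in (("one tunnel", ZYXEL_ONE_TUNNEL), ("two tunnels", ZYXEL_TWO_TUNNELS)):
        only_sophos, only_zyxel = check_selectors(SOPHOS, zyxel)
        print(f"Zyxel {label}: unmatched on Sophos {only_sophos}, on Zyxel {only_zyxel}")
```

With one Zyxel tunnel the VLAN selector is reported as unmatched on the Sophos side, which is the "stays red" symptom; with two Zyxel tunnels both lists are empty.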
Can you perform a packet capture for the ping traffic - https://support.sophos.com/support/s/article/KB-000035761?language=en_US
and validate that the traffic over the IPsec is going through the correct rule and the IPsec0 interface?
Thanks & Regards,
Thank you for your answer.
But no packet received from the other side 172.16.60.100.
Firewall log:
And no capture with a filter on the other side's IP 172.16.60.100.
Firewall ping
It looks like it is not detecting the traffic rule; can you create separate firewall rules:
1.) LAN to VPN
2.) VPN to LAN
The traffic should go out of the IPsec0 interface!
Route Sophos Firewall-initiated traffic through an IPSec VPN tunnel
Thanks & Regards,
Thank you for your answer.
As said above, it works with 1 tunnel on the Sophos (configured with 2 LANs) and 2 tunnels on the Zyxel.
The only problem is that ICMP does not pass.