Sending Remote access traffic through Site-to-site VPN, with 1:n nat translation on XGS

Hello Sophos community,

I am trying to set up a scenario where I have to send IPsec Remote Access traffic through a Site-to-Site IPsec VPN with 1:n NAT translation on an XGS Firewall.

It seems to work on UTM: Sending Remote access traffic through Site-to-site VPN, with 1:1 nat translation

It did work on the Cisco ASA that I retired and replaced with the XGS.


Remote User -(IPsec Remote Access VPN)-> Sophos XGS  -(IPSEC Site-to-site VPN)-> Partner servers

We have a requirement for remote users (Sophos Connect Client) to access partners' servers. Our IPsec Remote Access VPN is on a VPN subnet (, internal LAN is

Our partner has the requirement that traffic is sent from the IP (1:n NAT) to his networks.

The site-to-site VPN (Tunnel: To_Partner) is established and working, showing up at both ends. Local network on my end is set to be - no NAT in Site-to-Site VPN active.

I have set up "system ipsec_route add net tunnelname To_Partner"

Found this command mentioned here:

I have created a NAT rule (Name: NAT-Partner) to change traffic from internal LAN as well as RA VPN LAN, going to partner network, to map the source as

Firewall rules have been set up for both the S2S VPN, and internal LAN as well as RA VPN LAN

I have added the Partner network to the local networks section in the IPsec Remote Access VPN setup. 

Problem: I can ping as well as access partner network servers' resources from internal LAN

I can ping from RA VPN LAN. I am, however, unable to access partner servers' remote resources.

When trying to access a partner server's resources from the RA VPN LAN, the counter on the NAT rule "NAT-Partner" increases. Sophos packet tracer says: Invalid traffic

I tried an "any"-"any" firewall rule. No success so far.

Do I have to put the Cisco ASA5510 back in place? I am a bit lost.


XGS admin

Edited TAGs
[edited by: emmosophos at 6:21 PM (GMT -8) on 6 Feb 2023]
  • Can you show us a network plan with the NATs and everything in place (Local / Remote subnet etc).

    BTW: Why are you not using route-based VPN? Is this not offered by the peer? Likely you have to ask and they give you the option to move to route-based VPN.


  • Our partner is not willing to change anything on the IPsec tunnel. This would need an RfC with IT security and a lot of other guys involved. The partner is a big company.

    So no. We will have to get it running with the XGS136 that has replaced the ASA5510

    This is what the network looks like

  • Likely such big partners are more interested in using route-based VPN due to the advantages in management of such tunnels.

    So you need to MASQ your traffic to this, which is not included in the SA? Correct? This is not possible, strongswan will drop the traffic due to the fact that the SPI is not matching (Remote / local subnet = SPI).

    If the is included in the Tunnel (remote / local subnet) you can use MASQ for this goal. 


  • So I will simply have to add the IP to the existing IPsec remote access configuration, right? Will the existing NAT rule do the trick? Or do I need another NAT rule for the IPsec RA tunnel's traffic to rewrite the source using MASQ? Please clarify. Thank you.

  • So you can use a normal NAT Rule to do this SNAT. But the MASQ object has to be created (MASQ as the translated source does not work - there is no Interface in this sense). So create a NAT Rule, add Translated Source and create the as an IP Host object. Add it to the rule and select the other filter (original source and original destination).

    In case of your issue, if the same NAT rule works for the one network but not for the other, it could likely be an application issue. So check the packet capture. If the packet capture looks the same, it is likely an app issue, not a firewall / VPN issue.
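The two replies above make one technical point: a policy-based IPsec SA only carries traffic whose source and destination fall inside the tunnel's local/remote subnets, so SNAT into the tunnel only works if the translated source (an IP Host object used as Translated Source in the NAT rule) sits inside the local subnet, and the rewrite must happen before the IPsec policy is matched. The following toy model is an added example, not code from the thread or from Sophos; it assumes the Linux/strongSwan behaviour that the IPsec policy lookup uses the post-NAT source, and all addresses, the pool name RA_VPN_POOL, the rule objects NAT_PARTNER_OK / NAT_PARTNER_LAN_ONLY and the helper forward() are placeholders I chose because the poster removed the real values.

```python
"""Model: first-match SNAT, then policy-based IPsec selector matching on the post-NAT source.

Added example, not Sophos/XGS code. Addresses are assumed placeholders standing in for the
values the poster removed; replace them with your own before reasoning about a real tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed internal LAN
RA_VPN_POOL = ipaddress.ip_network("10.81.234.0/24")     # assumed Sophos Connect client pool
PARTNER_NET = ipaddress.ip_network("172.16.50.0/24")     # assumed partner network
NAT_IP = ipaddress.ip_address("192.168.10.250")          # assumed single SNAT address (1:n)


@dataclass
class NatRule:
    """Source NAT: original source/destination filter, one translated source for all matches."""
    name: str
    original_sources: List[ipaddress.IPv4Network]
    original_destinations: List[ipaddress.IPv4Network]
    translated_source: ipaddress.IPv4Address

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return any(src in n for n in self.original_sources) and \
               any(dst in n for n in self.original_destinations)


@dataclass
class PolicyTunnel:
    """Policy-based IPsec SA; the traffic selectors are the configured local/remote subnets."""
    name: str
    local_nets: List[ipaddress.IPv4Network]
    remote_nets: List[ipaddress.IPv4Network]

    def selects(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return any(src in n for n in self.local_nets) and \
               any(dst in n for n in self.remote_nets)


def forward(src: str, dst: str, nat_rules: List[NatRule], tunnel: PolicyTunnel) -> Tuple[str, str]:
    """Return (verdict, source address as it would appear on the wire).

    The first matching SNAT rule rewrites the source; the IPsec policy is then matched
    against that post-NAT source.  A pair inside the selectors is encapsulated ("ESP"),
    anything else has no SA and is dropped ("DROP").
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    post_nat = next((r.translated_source for r in nat_rules if r.matches(s, d)), s)
    return ("ESP" if tunnel.selects(post_nat, d) else "DROP"), str(post_nat)


# Tunnel with only the internal LAN as local network, and no NAT inside the S2S config.
TO_PARTNER = PolicyTunnel("To_Partner", [INTERNAL_LAN], [PARTNER_NET])

# NAT rule as intended: internal LAN and RA pool both rewritten to NAT_IP towards the partner.
NAT_PARTNER_OK = NatRule("NAT-Partner", [INTERNAL_LAN, RA_VPN_POOL], [PARTNER_NET], NAT_IP)
# Rule that covers only the internal LAN: RA clients keep their original source and
# therefore never fall inside the tunnel's local selector.
NAT_PARTNER_LAN_ONLY = NatRule("NAT-Partner", [INTERNAL_LAN], [PARTNER_NET], NAT_IP)


def demo() -> dict:
    """Run the four interesting cases against a host in the partner network."""
    cases = [
        ("internal host, full rule", "192.168.10.20", [NAT_PARTNER_OK]),
        ("RA client, full rule", "10.81.234.7", [NAT_PARTNER_OK]),
        ("RA client, LAN-only rule", "10.81.234.7", [NAT_PARTNER_LAN_ONLY]),
        ("RA client, no NAT", "10.81.234.7", []),
    ]
    results = {}
    for label, src, rules in cases:
        results[label] = forward(src, "172.16.50.10", rules, TO_PARTNER)
        print(f"{label:26s} -> {results[label]}")
    return results


if __name__ == "__main__":
    demo()
```

The model shows why a capture that still displays the RA client's original source (as the poster later reports) is fatal: that address is outside the tunnel's local subnet, so no SA matches and the packet is dropped regardless of any any/any firewall rule. It does not model why ICMP would succeed while HTTPS fails; a real packet capture on both the RA and S2S side is still needed for that.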


  • OK, I got that. I do, however, not think that this is an app issue. There is a simple plain HTTPS site to check connectivity. This should work.

    I have now added to the Remote Access VPN -> IPsec -> Permitted network resources (IPv4) and updated my Sophos connect profile. I got assigned from the XGS.

    Still no change. Ping to is possible. HTTPS to not.

    (Please note that for security reasons I have altered the real partner IPs as well as the NAT IP to the IPs that I used to describe my setup earlier)

  • Looks like the Firewall Rule does not apply. You should revisit the Firewall Rule 11. 


  • No matter, what I try. XGS says traffic is invalid.

    Tried creating an "ANY" "ANY" rule on top. No luck.

    Tried creating a firewall rule that exactly matches to with traffic - no chance.

    With "ANY" - "ANY" in place or the rule that matches - Rule 0 (DROP) is applied now. Why????

    I do not understand XGS's logic. Sorry. I can manage UTM. I can manage ASA. But XGS - I have no clue.

    Any hints? From my point of view, with a "ANY" "ANY" firewall rule it should work, as long as the NAT rule works?

    This is, what it looks like from a host in my internal LAN (

    Please note, that the XGS is natting my original source (

    Now, here, with the same firewall rule #12, that also includes my IPsec RA address range ( the traffic is neither NATed nor allowed:

    Capture shows my original Source IP. NAT rule is in place. Why?

    It looks to me, like the NAT rule does not apply to traffic, that comes in via IPsec RA.

  • In this screenshot the 4th packet seems fine to me? 

    It's a forwarded connection, but does not get any reply?


  • Yes, this screenshot is fine. This is from my internal LAN. There is a filter applied, that's why you only see one side.

    Problem still exists on my client, that is connected via RA IPsec and wants to access server in partner's network. The traffic is NOT NATed.