Hello,
I have a strange issue with a site-to-site VPN between two Sophos XG firewalls. The site-to-site VPN was built with class C subnets as below.
Site A - 192.168.1.0/24
Site B - 192.168.8.0/24
The Sophos XG firewall generated a VPN rule on top that permits any source interface (192.168.1.0/24 & 192.168.8.0/24) and any destination interface (192.168.1.0/24 & 192.168.8.0/24) for any traffic.
I found that some hosts are able to connect to remote hosts via the VPN.
For example, 192.168.1.24 and 192.168.1.23 are able to access 192.168.8.2 and 192.168.8.7.
But other hosts cannot connect to remote hosts via the VPN.
For example, 192.168.1.17 and 192.168.1.25 are unable to access 192.168.8.2 and 192.168.8.7.
All of 192.168.1.24, 192.168.1.23, 192.168.1.17 and 192.168.1.25 are able to access the Internet via the Sophos XG firewall.
I tried to change route_precedence so that the VPN route runs first, but no luck.
How should I troubleshoot this issue?