SNAT over ipsec not working XGS2100

I am referring to this post with a similar issue:

 DNS request to DNS over Site2Site VPN 

I have the setup below:

XG310 -- branch office 

XG430 -HA -- Head office

Now I have:

XGS2100 - 2nd branch office ( Gateway local ip: )

XGS2100 - 3rd branch office

With the XG310 I can reach the Head office Active Directory with SNAT, but with the XGS2100 I can't reach it (strange issue), although from the Head office I can reach the XGS2100.

(It was implemented based on this article: , 2 years ago on the XG310; the same setup on the XGS2100 is not working.)

console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout : 30
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : off
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
Strict ICMP Tracking : off
ICMP Error Message : allow
Caching for route lookups : on
IPv6 Unknown Extension Header : deny
IPv6 Ready Logo Compliance : off
WAN access control for web admin console : on

Bypass Stateful Firewall
Source Genmask Destination Genmask

NAT policy for system originated traffic
Destination Network Destination Netmask Interface SNAT IP

### from the 2nd branch office

Sophos Firmware Version: SFOS 20.0.0 GA-Build222
Model: XGS2100
Hostname: removed

console> ping
PING ( 56 data bytes
ping: sendto: Operation not permitted

console> system ipsec_route show
tunnelname host/network netmask

console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes

Added V20 TAG
[edited by: Erick Jan at 2:17 PM (GMT -7) on 25 Mar 2024]
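The three console outputs in the post are the places where firewall-originated traffic over a policy-based IPsec tunnel usually goes wrong: the "system ipsec_route show" table (which tunnel the destination is steered into), the "NAT policy for system originated traffic" table at the end of "show advanced-firewall" (which source IP the firewall's own packets use, so that they fall inside the tunnel's local selector), and the route precedence order. The following checker is an added example, not code from the original post or from Sophos. It parses those outputs as text and reports which piece is missing for a given destination. The row layouts of the two tables are assumed from their header lines, the tunnel name, subnets and the destination 10.10.10.5 are constructed placeholders, and the "add" commands named in the findings are the assumed console counterparts of the "show" commands on the page.

```python
"""Check whether firewall-originated traffic to a destination has what it
needs to go out over a policy-based IPsec tunnel on a Sophos Firewall.

Added example, not part of the original post. It parses the text of three
console commands as they appear in the post. The row layout of the two
tables is assumed from their header lines; the sample outputs are constructed.
"""
import ipaddress
import re


def _in_net(ip, network, netmask):
    """True if ip lies inside network/netmask (netmask may be dotted)."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return ipaddress.ip_address(ip) in net


def parse_ipsec_routes(text):
    """Rows of 'system ipsec_route show' as (tunnelname, network, netmask).
    Column order is assumed from the header 'tunnelname host/network netmask'."""
    rows = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:1] == ["tunnelname"]:
            for row in lines[i + 1:]:
                parts = row.split()
                if len(parts) != 3:          # blank line or next prompt ends the table
                    break
                rows.append(tuple(parts))
            break
    return rows


def parse_sys_traffic_nat(text):
    """Rows of the 'NAT policy for system originated traffic' table inside
    'show advanced-firewall' as (destination, netmask, interface, snatip).
    Column order is assumed from the header line."""
    rows = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "NAT policy for system originated traffic":
            for row in lines[i + 1:]:
                parts = row.split()
                if parts[:1] == ["Destination"]:  # header line
                    continue
                if len(parts) != 4:
                    break
                rows.append(tuple(parts))
            break
    return rows


def parse_precedence(text):
    """Ordered list of route classes from 'system route_precedence show'."""
    return [m.group(1).strip()
            for m in re.finditer(r"^\s*\d+\.\s+(.+)$", text, re.M)]


def diagnose(adv_fw, ipsec_routes, precedence, dest_ip):
    """Return a list of findings (empty means all three pieces are present)."""
    findings = []
    tunnels = [t for t, net, mask in parse_ipsec_routes(ipsec_routes)
               if _in_net(dest_ip, net, mask)]
    if not tunnels:
        findings.append(f"no ipsec_route covers {dest_ip}: firewall-originated "
                        "traffic is not steered into a tunnel "
                        "(assumed fix: 'system ipsec_route add ...')")
    nat = [r for r in parse_sys_traffic_nat(adv_fw) if _in_net(dest_ip, r[0], r[1])]
    if not nat:
        findings.append(f"no system-originated-traffic NAT entry covers {dest_ip}: "
                        "the firewall's own packets keep the egress interface IP, "
                        "which may fall outside the tunnel's local subnet "
                        "(assumed fix: 'set advanced-firewall sys-traffic-nat add ...')")
    order = parse_precedence(precedence)
    if ("VPN routes" in order and "Static routes" in order
            and order.index("Static routes") < order.index("VPN routes")):
        findings.append("static routes take precedence over VPN routes; a static "
                        "route to the remote subnet would bypass the tunnel")
    return findings


# Constructed samples. The BROKEN_* texts mirror the empty tables in the post;
# the HEALTHY_* texts show what populated tables would look like.
BROKEN_ADV_FW = """\
NAT policy for system originated traffic
Destination Network Destination Netmask Interface SNAT IP
"""
BROKEN_IPSEC = """\
console> system ipsec_route show
tunnelname host/network netmask
"""
PRECEDENCE = """\
Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
"""
HEALTHY_ADV_FW = """\
NAT policy for system originated traffic
Destination Network Destination Netmask Interface SNAT IP
10.10.10.0 255.255.255.0 PortA 192.168.50.1
"""
HEALTHY_IPSEC = """\
tunnelname host/network netmask
HO_Tunnel 10.10.10.0 255.255.255.0
"""
HEAD_OFFICE_AD = "10.10.10.5"   # placeholder destination

if __name__ == "__main__":
    for label, fw, rt in (("XGS2100 (as posted)", BROKEN_ADV_FW, BROKEN_IPSEC),
                          ("populated tables", HEALTHY_ADV_FW, HEALTHY_IPSEC)):
        print(label, diagnose(fw, rt, PRECEDENCE, HEAD_OFFICE_AD) or ["ok"])
```

Run against the empty tables from the post the checker reports two findings (no ipsec route, no system-traffic NAT entry); against the constructed populated tables it reports none. Comparing the same three outputs from the working XG310 with those from the XGS2100 is the quickest way to see which table differs.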
  • Generally speaking, this situation will be resolved in the future. Base licensing will be applied on delivery and not on the subscription start date, which does not open this kind of problem.

    About the second question, both perform on a high level the same, but route-based VPN is generally speaking better to set up and maintain in the long run.