
IPSec VPN allows traffic to one subnet, but not another.

I am trying to establish a route-based site-to-site IPsec VPN connection between two Sophos XG Firewalls (all fully up to date) - I followed this recipe.

I have two subnets on the 'HeadOffice' Firewall - and and I have set the firewall's port address to be .1 on each subnet. has a single workstation with a static ip. has many devices.   I amended the 'recipe' to include the additional subnet. 

I have a dhcp server on the .23 subnet, and I have tried both with and without a dhcp server for the .22 subnet.

The VPN comes up, and both ends indicate that there is connectivity between both the .22 and .23 subnets and the 'BranchOffice'.

My problem is this: 

From a workstation on the 'BranchOffice' network, I can reach all of the devices on the 'HeadOffice' .23 subnet, and I can access all of the portal functions on the Firewall, but I cannot reach the workstation on the .22 subnet.

The 'BranchOffice' firewall's diagnostics correctly report that it is on xrfrm1, and is behind router

The 'HeadOffice' firewall can ping the workstation, and a traceroute to it from a 'BranchOffice' workstation gets as far as but cannot get beyond that.

Do I need a separate VPN for each subnet? That does not seem to be indicated by the documentation, and at the moment I just don't understand what is blocking my traffic to one subnet but not the other. Is there some obvious thing I am missing?

Edited TAGs
[edited by: Erick Jan at 11:59 PM (GMT -7) on 2 Jun 2024]
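As an added illustration (not part of the original post and not Sophos's own code), a small Python model of the two things a HeadOffice-side route-based tunnel has to satisfy before a packet from the branch reaches a LAN host: a route for the destination and a zone-based firewall rule that actually lists that subnet. It reproduces the symptom in the post, one LAN subnet reachable and its sibling dropped, when only one subnet is named in the allow rule. Addresses, interface names and rule names are constructed placeholders; a real firewall's evaluation has more stages than this.

```python
import ipaddress

# Constructed HeadOffice-side tables (placeholder addresses, not the poster's).
ROUTES = {
    "192.0.2.0/24": "xfrm1",   # BranchOffice LAN, reached through the tunnel interface
    "10.0.22.0/24": "Port2",   # HeadOffice ".22" subnet (single workstation)
    "10.0.23.0/24": "Port3",   # HeadOffice ".23" subnet (many devices)
}
ZONE_OF_IFACE = {"xfrm1": "VPN", "Port2": "LAN", "Port3": "LAN"}
# Zone-based allow rules; a packet matching none is dropped. Only .23 is listed here.
RULES = [
    {"name": "VPN_to_HQ", "src_zone": "VPN", "dst_zone": "LAN",
     "src": ["192.0.2.0/24"], "dst": ["10.0.23.0/24"]},
]

def lookup_route(ip, routes=ROUTES):
    """Longest-prefix match: return the egress interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def _in_any(ip, prefixes):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(p) for p in prefixes)

def check_path(src, dst, routes=ROUTES, rules=RULES, zones=ZONE_OF_IFACE):
    """Simplified forwarding decision for a packet arriving from the tunnel.
    Returns (allowed, reason) so the failing stage is named explicitly."""
    in_iface, out_iface = lookup_route(src, routes), lookup_route(dst, routes)
    if out_iface is None:
        return False, f"no route to {dst}"
    if in_iface is None:
        return False, f"no route back to {src}; replies could not return"
    src_zone, dst_zone = zones[in_iface], zones[out_iface]
    for r in rules:
        if (r["src_zone"], r["dst_zone"]) == (src_zone, dst_zone) \
                and _in_any(src, r["src"]) and _in_any(dst, r["dst"]):
            return True, f"allowed by rule {r['name']} via {out_iface}"
    return False, f"no {src_zone}->{dst_zone} rule covers {src} -> {dst}"

def audit_subnets(remote_host, lan_prefixes, **kw):
    """Probe the first usable host of each LAN subnet from a remote tunnel host."""
    return {p: check_path(remote_host, str(next(ipaddress.ip_network(p).hosts())), **kw)
            for p in lan_prefixes}

if __name__ == "__main__":
    for prefix, (ok, why) in audit_subnets("192.0.2.10", ["10.0.22.0/24", "10.0.23.0/24"]).items():
        print(f"{prefix}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Running it reports .23 as allowed and .22 as blocked with the missing rule named; adding a second allow rule (or widening the first one's destination list) to cover .22 makes both pass.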