

SSL VPN user Client does not have access other IPSec Site-to-Site VPN networks

I'm having issues connecting the VPN Client to other networks that reside on a VPN. For example, my XG has a local network of 192.168.10.0/24 and the SSL VPN users get an IP in 172.16.1.10-172.16.1.50. I also have an IPSec Site-to-Site VPN that connects my 192.168.10.0/24 to 10.10.10.0/24. When I'm on my local subnet without the VPN client, I can get to the 10 network without issue and vice versa.

In the SSL VPN user policy, I have allowed access to the local network and have even added the remote VPN network. I have even added a VPN-to-VPN firewall rule that includes ANY for source/destination, but still cannot get to the 10.10.10.0/24 network. If I'm out and about and connect to the VPN, I can access everything on my 192.168.10.0/24 without issue, but no traffic reaches the 10.10.10.0/24.

Another issue: the two XG devices seem unable to ping from the device itself to other network objects on the remote network, but can reach their own without issue.

I'm not sure what else to do, as in the SonicWALL world, doing the above would have allowed it to work. 

Any help would be greatly appreciated. 



  • I've been battling the same issue with a new XG and Amazon VPC.

    We have our local network and a private datacenter at AWS. Our AWS connection is IPSec VPN and only accessible from the local network, so we need our remote users to be able to VPN to the local network and pass through to the AWS VPC.

    I don't fully understand the solution but the following post from Troy Thompson on SpiceWorks was the fix for us. Specifically, step one where we put 'any' for the local networks instead of the actual local networks.

    The original link is here, with a copy/paste of the solution below:


    Discovered that the Amazon VPC IPSEC feature creates one--and ONLY one--SA per connection. This means only one subnet gets permitted down the VPN at a time.

    The fix: 

    1. On the Sophos, Site-to-site VPN IPSec Connections tab, edit the Amazon connection and set Local Networks to contain Any IPv4 instead of the "actual" local networks.
    2. On the Amazon VPC panel, VPN Connections tab, edit the VPN connection Static Routes to contain the "actual" subnets on the Sophos side of the connection, including the Sophos SSL VPN subnet blocks, LAN, etc.
    3. Verify firewall rules are correct on the Sophos to permit traffic from the Amazon VPC network.
    4. Verify Security Groups are correct on the Amazon side to allow traffic to/from the Sophos end.

    Success!


    -mitchel
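To make the four steps above concrete, here is an added example (not code from the thread, from Sophos or from AWS) that models the three pieces the fix touches: the tunnel's single SA traffic selector, the VPC static routes for the reply path, and the Sophos firewall rules. The addresses are the ones quoted in the thread; the config dictionaries, the rule tuple format and the stage ordering are assumptions for the model, not how SFOS evaluates packets internally.

```python
"""Traffic-selector walk-through for the single-SA AWS VPC tunnel.

Added example, not code from the thread, Sophos or AWS. It models the three
pieces the fix touches (SA selectors, AWS static routes, Sophos firewall
rules) for an SSL VPN client packet. Addresses are the ones quoted in the
thread; the config dictionaries and rule format are assumptions for the model.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing taken from the original post.
LAN = ip_network("192.168.10.0/24")
SSLVPN_POOL = ip_network("172.16.1.0/24")   # clients land in 172.16.1.10-172.16.1.50
AWS_VPC = ip_network("10.10.10.0/24")
ANY_IPV4 = ip_network("0.0.0.0/0")


def sa_carries(sa_local, sa_remote, src, dst):
    """True if src->dst sits inside the tunnel's one SA (local/remote selectors)."""
    return ip_address(src) in sa_local and ip_address(dst) in sa_remote


def firewall_allows(rules, src, dst):
    """First-match evaluation of (src_net, dst_net, action) rules, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action == "allow"
    return False


def aws_routes_back(static_routes, client_src):
    """True if a VPC static route exists for the client's subnet (reply path)."""
    return any(ip_address(client_src) in r for r in static_routes)


def client_can_reach(cfg, src, dst):
    """Walk a packet through firewall rule -> SA selector -> AWS return route.

    Returns (ok, reason); the reason names the first stage that fails.
    """
    if not firewall_allows(cfg["fw_rules"], src, dst):
        return False, "dropped by Sophos firewall rule"
    if not sa_carries(cfg["sa_local"], cfg["sa_remote"], src, dst):
        return False, "no SA selector covers src; never enters the tunnel"
    if not aws_routes_back(cfg["aws_static_routes"], src):
        return False, "AWS VPC has no static route back to the client subnet"
    return True, "ok"


# Before the fix: selector restricted to the "actual" LAN, any/any VPN rule.
BEFORE = {
    "sa_local": LAN,
    "sa_remote": AWS_VPC,
    "aws_static_routes": [LAN],
    "fw_rules": [(ANY_IPV4, ANY_IPV4, "allow")],
}

# After the fix (steps 1-3): Any IPv4 selector, static routes for LAN and the
# SSL VPN pool, and firewall rules narrowed back to the subnets that may cross.
AFTER = {
    "sa_local": ANY_IPV4,
    "sa_remote": AWS_VPC,
    "aws_static_routes": [LAN, SSLVPN_POOL],
    "fw_rules": [(LAN, AWS_VPC, "allow"), (SSLVPN_POOL, AWS_VPC, "allow")],
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for src in ("192.168.10.20", "172.16.1.10", "192.168.99.7"):
            print(name, src, "-> 10.10.10.5", client_can_reach(cfg, src, "10.10.10.5"))
```

The caveat the model makes visible: once the local selector is Any IPv4, `sa_carries` is true for every source the XG forwards (the 192.168.99.7 probe included), so the firewall rules in step 3 are the only thing deciding what enters the VPC. An any/any VPN-to-VPN rule like the one in the original post is fine for troubleshooting, but after the selector change it should be narrowed to the LAN and SSL VPN subnets, with the AWS security groups in step 4 as the second check.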

  • Hello Mitchel!!

    For a long time I was going through this situation, but mine just didn't work when I enabled VPN failover, where I have 2 ISP providers; when I enabled the Sophos XG feature, it just didn't pass traffic between SSL VPN users and my servers on AWS, with which I had an IPSec VPN established directly to the VPC in the US Virginia region.

    When I applied the procedure you demonstrate, which is basically not to specify the local network but to put just Any, it worked perfectly, and I was able to enable IPSec failover with AWS, which made me more relaxed.

    Thank you!

