
Site to Site IPsec between 2 XG

I have followed this: https://community.sophos.com/kb/en-us/123140

but it is always NOT connecting, with this error in the log: Peer did not accept any proposal sent, System did not accept any proposal received.

  • Khaled,

    can you share your VPN S2S config? Upload some screenshots and log lines? Thanks

  • Main Branch Conf:

    Branch config :

    log for main: 

       

    log for branch :

     

  • Khaled,

    as you can see from the KB, you must specify the local subnet (not any) and the remote network on both appliances. So on the main site, specify the local subnet and the remote subnet (the other site), and on the remote site specify the local subnet and the remote subnet (the main site's local subnet).

    Try with this config and retry.
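    The two misconfigurations this thread runs into (selectors set to "any" or not mirrored between the two appliances, and the missing LAN-to-VPN / VPN-to-LAN firewall rules mentioned in the KB footnote) can be caught with a small consistency check before bringing the tunnel up. The following is an added example written for this thread, not Sophos code and not an XG API: it models each side as a plain dictionary (`name`, `local`, `remote`, `rules`) with constructed sample subnets, and `matches_selector` illustrates the general policy-based IPsec rule that only traffic whose source and destination both fall inside the configured selectors is sent through the tunnel.

```python
"""Consistency check for a pair of policy-based site-to-site IPsec definitions.
Constructed example for this thread; the dictionary layout and subnets are assumptions,
not the format Sophos XG uses internally."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _nets(values):
    """Normalise CIDR strings (or the word 'any') into a set of ip_network objects."""
    out = set()
    for v in values:
        out.add(ANY if str(v).lower() == "any" else ipaddress.ip_network(v, strict=False))
    return out


def check_site_pair(main, branch):
    """Return a list of findings; an empty list means the two sides look consistent.

    Each side is a dict: name, local (list of CIDRs), remote (list of CIDRs),
    rules (list of (source_zone, destination_zone) firewall rules)."""
    findings = []
    for side in (main, branch):
        for key in ("local", "remote"):
            if ANY in _nets(side[key]):
                findings.append(f"{side['name']}: {key} network is 'any'; specify the real subnet")

    # Selectors must mirror: my local is your remote, my remote is your local.
    if _nets(main["local"]) != _nets(branch["remote"]):
        findings.append(f"{main['name']} local networks do not match {branch['name']} remote networks")
    if _nets(main["remote"]) != _nets(branch["local"]):
        findings.append(f"{main['name']} remote networks do not match {branch['name']} local networks")

    # A green tunnel still passes nothing without firewall rules in both directions.
    for side in (main, branch):
        rules = {(s.upper(), d.upper()) for s, d in side["rules"]}
        for src, dst in (("LAN", "VPN"), ("VPN", "LAN")):
            if (src, dst) not in rules:
                findings.append(f"{side['name']}: missing {src} -> {dst} firewall rule")
    return findings


def matches_selector(src_ip, dst_ip, side):
    """True if a packet src->dst falls inside this side's local/remote selectors,
    i.e. would be carried over the policy-based tunnel rather than routed normally."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    in_local = any(src in n for n in _nets(side["local"]))
    in_remote = any(dst in n for n in _nets(side["remote"]))
    return in_local and in_remote


# Constructed sample configuration (RFC 1918 / documentation ranges).
MAIN = {"name": "main", "local": ["192.168.1.0/24"], "remote": ["192.168.2.0/24"],
        "rules": [("LAN", "VPN"), ("VPN", "LAN")]}
BRANCH = {"name": "branch", "local": ["192.168.2.0/24"], "remote": ["192.168.1.0/24"],
          "rules": [("LAN", "VPN"), ("VPN", "LAN")]}
# The original poster's situation: local network left as 'any' and only one rule.
BROKEN_MAIN = dict(MAIN, local=["any"], rules=[("LAN", "VPN")])

if __name__ == "__main__":
    for finding in check_site_pair(BROKEN_MAIN, BRANCH):
        print("finding:", finding)
    print("fixed config findings:", check_site_pair(MAIN, BRANCH))
    print("host 192.168.1.10 -> 192.168.2.5 via tunnel:", matches_selector("192.168.1.10", "192.168.2.5", MAIN))
```

    Running it on `BROKEN_MAIN` reports the 'any' selector, the mirror mismatch and the missing VPN-to-LAN rule; the corrected pair returns no findings. `matches_selector` also shows why traffic sourced from an address outside the Local Subnet (for example an appliance's WAN address) is not picked up by the selectors and takes the ordinary routing table instead.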

  • Thank you, it's active and the connection is green, but still both sides can't ping or access the other network, even pinging from the Sophos itself.

    Sorry, I'm new to Sophos.

    And one more question please: how can I see the log of each traffic? For example, if I try to access a network and there is a policy denying me, how can I see this log?

  • Thank you, done, it was a policy issue.

  • Ha, I was doing this last night to test an issue and I fell foul of the footnote: "You have to have a LAN to VPN and VPN to LAN policy to allow traffic".

    Interestingly, I found that when the IPSEC tunnel was up the XGs could not ping the remote devices; it dumps its own initiated traffic down the default gateway path and does not seem to apply IPSEC routing to itself, only to the network traffic defined in the Local Subnet.

    Give it a go, open the console and go to advanced shell (Option 5 then Option 3) and ping something on the remote side then do a traceroute to something on the remote side. Unless I'm misconfigured on two separate units, the pings should fail and the traceroute should go out your internet connection. Then compare to a device behind the XG you just tested and perform the same test.

    What should happen is the device gets through and the traceroute correctly reflects the jump over the IPSEC tunnel but the XG fails pings and the traceroute goes out to the internet.

    Very Odd!

    Emile
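The ping/traceroute comparison Emile describes above (from the XG's advanced shell versus from a host behind it) can be turned into a repeatable check by classifying where the traced path leaves the network. The following is an added example for this thread, not part of the original post and not a Sophos tool: it parses captured traceroute output and reports whether the first hop beyond the local subnet lies inside the remote site's subnet (the path went over the tunnel) or somewhere else (the path went out the default gateway). The two traceroute captures and the subnets are constructed sample data.

```python
"""Classify traceroute output as 'tunnel' or 'default-gateway'.
Added example for this thread; the traceroute captures below are constructed, not real logs."""
import ipaddress
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_trace(lines, local_subnets, remote_subnets):
    """Walk the hops in order.  A hop inside a remote subnet before any foreign hop
    means the packets crossed the tunnel; a hop outside both local and remote
    subnets first means they were routed normally (default gateway).  Returns
    'tunnel', 'default-gateway' or 'unknown' (only local hops or timeouts seen)."""
    local = [ipaddress.ip_network(n) for n in local_subnets]
    remote = [ipaddress.ip_network(n) for n in remote_subnets]
    for line in lines:
        m = HOP_LINE.match(line)
        if not m:
            continue                      # header line, not a hop
        ip = IPV4.search(m.group(2))
        if not ip:
            continue                      # '* * *' timeout hop
        addr = ipaddress.ip_address(ip.group(1))
        if any(addr in n for n in remote):
            return "tunnel"
        if not any(addr in n for n in local):
            return "default-gateway"
    return "unknown"


# Constructed capture: host behind the main XG (192.168.1.0/24) tracing to the branch LAN.
HOST_TRACE = """\
traceroute to 192.168.2.5 (192.168.2.5), 30 hops max
 1  192.168.1.1  0.412 ms  0.380 ms  0.355 ms
 2  192.168.2.1  18.221 ms  18.104 ms  17.990 ms
 3  192.168.2.5  18.870 ms  18.654 ms  18.512 ms
"""

# Constructed capture: the same target traced from the XG's own shell, leaving via the ISP.
XG_TRACE = """\
traceroute to 192.168.2.5 (192.168.2.5), 30 hops max
 1  203.0.113.1  1.102 ms  1.050 ms  1.011 ms
 2  198.51.100.9  9.330 ms  9.270 ms  9.211 ms
 3  * * *
"""

LOCAL = ["192.168.1.0/24"]
REMOTE = ["192.168.2.0/24"]

if __name__ == "__main__":
    print("host behind XG:", classify_trace(HOST_TRACE.splitlines(), LOCAL, REMOTE))
    print("XG itself     :", classify_trace(XG_TRACE.splitlines(), LOCAL, REMOTE))
```

Feed it the two captures from the same test and a 'tunnel' result for the host next to a 'default-gateway' result for the appliance is exactly the asymmetry described above; the 'unknown' case covers a trace that only reaches the local gateway and then times out, which points at a firewall rule rather than a routing problem.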