
Site to site VPN (SSL) with default gateway?

Hi,

I have an SSL site-to-site VPN connection between headquarter and branch office.
What do I need to set to get ALL traffic from branch office routed through headquarter GW? I cannot find a "default gateway" option.

Thank you very much for help,
Alex

  • Yes, everything has been working for a long time. BO can access internet, BO can access resources in HQ, everything is fine.

  • Ok, so let's switch to IPsec

    The first picture shows the working IPsec connection from BO to HQ. BO can access (its own) internet, BO can access resources in HQ. 1.) is the BO public IP from ISP, 2.) public IP from HQ.
    If I use another VPN ID the connection will die.

    Now I add "Internet IPv4" to "Local networks" in HQ IPsec connection (HQ is "respond only" since it is my VPN "Server" with a fixed public IP)

    Now, the IPsec connection is broken, BO cannot access (its own) internet nor access resources on HQ network, anymore.
    Any ideas? Is the VPN ID the problem, since it is used twice?


  • 0.0.0.0/0 looks more like "Any" than "Internet IPv4."  How about pictures of the Edits of the IPsec Connection and Remote Gateway for BO and HQ?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • "Internet IPv4" is actually configured as "0.0.0.0/0" and is bound to "External (WAN)". This was done by Sophos first installation assistant, I think.
    Pictures follow :-)

  • Branch Office, IPsec Gateway

    Branch Office, IPsec Conn

    Branch Office, IPsec Local RSA

    Branch Office, IPsec Advanced

  • Headquarter, IPsec Gateway

    Headquarter, IPsec Connection

    Headquarter, IPsec Local RSA Key

    Headquarter, IPsec Advanced

  • Since you aren't using RSA keys, Alex, those settings should have no effect.

    I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends. I usually select 'Enable probing of preshared keys' on the "Respond only" end.

    To get all traffic from the branch to go through HQ, just add "Internet IPv4" to 'Local Networks' in HQ and to 'Remote Networks' in the branch office.

    Any better luck?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
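    Bob's recipe above, "Internet IPv4" (0.0.0.0/0) in HQ 'Local Networks' and in BO 'Remote Networks', can be checked on paper before touching WebAdmin. The following Python is an added example, not code from the thread or from Sophos: it models policy-based IPsec traffic selectors, where each local/remote network pair becomes its own selector and the peer must hold the mirror-image pair, and it shows why adding 0.0.0.0/0 on only one end (as in Alex's screenshot description) leaves a mismatch. All addresses are constructed for the example.

```python
# Added example (not from the thread, not Sophos code): model which
# branch-office packets enter a policy-based IPsec tunnel, and check that
# the two ends' 'Local' / 'Remote' network lists mirror each other.
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addresses for this example.
HQ_LAN = "10.10.0.0/16"
BO_LAN = "10.20.0.0/16"
ANY = "0.0.0.0/0"            # what the UTM wizard names "Internet IPv4"


def parse(nets):
    """Turn a list of CIDR strings into ip_network objects."""
    return [ip_network(n) for n in nets]


def is_tunnelled(src, dst, local_nets, remote_nets):
    """Policy-based IPsec: a packet is encrypted into the tunnel when its
    source matches one of the local selectors AND its destination matches
    one of the remote selectors. Anything else is routed in the clear."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in parse(local_nets)) and any(
        d in n for n in parse(remote_nets)
    )


def selectors_mirror(bo_local, bo_remote, hq_local, hq_remote):
    """Each side's 'Local networks' must equal the peer's 'Remote networks';
    a pair present on one end only has no matching policy on the peer and
    will not negotiate. Returns a list of human-readable problems."""
    problems = []
    if set(parse(bo_local)) != set(parse(hq_remote)):
        problems.append("BO local networks != HQ remote networks")
    if set(parse(bo_remote)) != set(parse(hq_local)):
        problems.append("BO remote networks != HQ local networks")
    return problems


def split_tunnel_config():
    """Original working setup: only LAN-to-LAN traffic is tunnelled."""
    return dict(bo_local=[BO_LAN], bo_remote=[HQ_LAN],
                hq_local=[HQ_LAN], hq_remote=[BO_LAN])


def half_done_config():
    """0.0.0.0/0 added to HQ 'Local networks' only, as described in the thread."""
    return dict(bo_local=[BO_LAN], bo_remote=[HQ_LAN],
                hq_local=[HQ_LAN, ANY], hq_remote=[BO_LAN])


def full_tunnel_config():
    """Bob's recipe: 0.0.0.0/0 on HQ 'Local' AND on BO 'Remote' networks."""
    return dict(bo_local=[BO_LAN], bo_remote=[HQ_LAN, ANY],
                hq_local=[HQ_LAN, ANY], hq_remote=[BO_LAN])


def classify(cfg, src, dst):
    """Decide, from the branch office's point of view, whether src->dst
    would be sent through the tunnel under the given configuration."""
    return is_tunnelled(src, dst, cfg["bo_local"], cfg["bo_remote"])


if __name__ == "__main__":
    bo_host, hq_host, internet_host = "10.20.1.5", "10.10.0.7", "203.0.113.10"
    for name, cfg in (("split", split_tunnel_config()),
                      ("half-done", half_done_config()),
                      ("full", full_tunnel_config())):
        print(f"[{name}] mirror problems: {selectors_mirror(**cfg) or 'none'}")
        print(f"[{name}] BO -> HQ LAN tunnelled:  {classify(cfg, bo_host, hq_host)}")
        print(f"[{name}] BO -> internet tunnelled: {classify(cfg, bo_host, internet_host)}")
```

    Running it prints that the split and full configurations mirror cleanly, while the half-done one reports "BO remote networks != HQ local networks", and that only the full configuration sends the branch's internet-bound packet through the tunnel. On the real UTM the HQ side additionally needs a masquerading rule for the branch LAN on its WAN interface, otherwise the tunnelled internet traffic leaves HQ with private source addresses.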
  • No, unfortunately not. 

    I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends
    If I don't put the public IP, the tunnel cannot be established anymore.

    Am I maybe missing some masquerading/NAT rules, since both UTMs are behind ISP routers (both routers have port forwardings for 500/UDP, 4500/UDP and 1701/UDP to the External (WAN) interface of the corresponding UTM)? Could this confuse the NAT-T setting?

    And I am thinking about resetting the BO UTM completely, since I have physical access to it, but I have a feeling that this may not solve the problem. The BO hardware was replaced by a new one and I imported a configuration from the old hardware. BTW: is there a "best practice" guide for setting up a basic UTM device, or is the installation wizard just fine?

    Best regards, Alex

  • You're right, Alex, you do need to specify an IP. I can't see why things don't work then, so you might open a case with Sophos Support.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA