Site-to-Site - XG "Home Base" with Ubiquity Security Gateway "Remote Sites": Cannot reach remote office subnets

Right-o, so five hours on the line with Sophos Support and we seem to have solved this issue...

There were actually multiple things at play.  Firstly, the Remote sites had not established a tunnel for the 10.1.4 traffic yet; this could be due to nothing out on that end regularly reaching the 10.1.4 network.

The second issue was APPARENTLY XG does NOT like PSKs with any types of symbols in them - exclamation marks were causing problems in the PSK that the client was using on the tunnel, so even when we were trying remote to reach to 10.1.4 at Home Base, we ended up having PSK mismatch issues; the issues were resolved when we redid the PSKs with no symbols in the password (but we increased the length SUBSTANTIALLY to account for the loss in entropy and bitstrength due to not having symbols).

Once the PSK for the tunnels was fixed and the Remote tried to ping into the 10.1.4 traffic and subnet (and the 10.1.121 subnet) the individual tunnels all came online and data properly traversed the tunnel, and we were able to reach there.  However, DPD is going to cause some headaches even though Sophos Support suggested that we leave it online, because it's not regularly done that remotes ping to 10.1.4 to establish the tunnel.

I may look into the Sophos documentation of an 'intermediate' subnet for NATting to NAT and then UnNAT so there's a single tunnel made for any remote and vice versa; that'll be its own headache and we have a few major projects at the client's locations before I can go and redo that with them.

Right-o, so five hours on the line with Sophos Support and we seem to have solved this issue...

There were actually multiple things at play.  Firstly, the Remote sites had not established a tunnel for the 10.1.4 traffic yet; this could be due to nothing out on that end regularly reaching the 10.1.4 network.

The second issue was APPARENTLY XG does NOT like PSKs with any types of symbols in them - exclamation marks were causing problems in the PSK that the client was using on the tunnel, so even when we were trying remote to reach to 10.1.4 at Home Base, we ended up having PSK mismatch issues; the issues were resolved when we redid the PSKs with no symbols in the password (but we increased the length SUBSTANTIALLY to account for the loss in entropy and bitstrength due to not having symbols).

Once the PSK for the tunnels was fixed and the Remote tried to ping into the 10.1.4 traffic and subnet (and the 10.1.121 subnet) the individual tunnels all came online and data properly traversed the tunnel, and we were able to reach there.  However, DPD is going to cause some headaches even though Sophos Support suggested that we leave it online, because it's not regularly done that remotes ping to 10.1.4 to establish the tunnel.

I may look into the Sophos documentation of an 'intermediate' subnet for NATting to NAT and then UnNAT so there's a single tunnel made for any remote and vice versa; that'll be its own headache and we have a few major projects at the client's locations before I can go and redo that with them.