DNS over IPsec client

Which version do you use? Is the IP, you are using, also included in the IPsec site to site connection (SA)? 

I use the newest.

No the ip is Not included, so i Need the nat.

On the old UTM it worked with Masq.

XG Firewall cannot use MASQ on IPsec connections, as there is no interface to MASQ to. You have to select a custom host address. Simply create a IP Host within the IP range of the IPsec connection and use this to translate the Source address to. 

I did it with snat and a IP Host like 192.168.12.254 from the IPSec Site to Site Range 

can you help me to generate the NAT Rule?

Please show your Configs via Screenshots. And please check both ends, if the firewall rules actually allow the traffic to flow.

Hi Michael Fischer,

Thank you for reaching out to Sophos Community.

You can access 192.168.19.0 network by following the below steps.

==> Add IPsec remote access network(10.50.0.1/24) in current IPsec tunnel configuration and add VPN to VPN firewall rule.

Please find the below article as a reference to configure above settings. Consider SSL VPN pool in the article as IPsec remote access pool 10.50.0.1/24

support.sophos.com/.../KB-000038320

or

==> Add SNAT rule for traffic coming from IPsec remote access network(10.50.0.1/24) to 192.168.19.0 network and add an IPsec route for the same 192.168.19.0 network.

Please find the below article as a reference to configure above settings. Consider SSL VPN pool in the article as IPsec remote access pool 10.50.0.1/24

support.sophos.com/.../KB-000037043

Hi Michael Fischer,

Thank you for reaching out to Sophos Community.

You can access 192.168.19.0 network by following the below steps.

==> Add IPsec remote access network(10.50.0.1/24) in current IPsec tunnel configuration and add VPN to VPN firewall rule.

Please find the below article as a reference to configure above settings. Consider SSL VPN pool in the article as IPsec remote access pool 10.50.0.1/24

support.sophos.com/.../KB-000038320

or

==> Add SNAT rule for traffic coming from IPsec remote access network(10.50.0.1/24) to 192.168.19.0 network and add an IPsec route for the same 192.168.19.0 network.

Please find the below article as a reference to configure above settings. Consider SSL VPN pool in the article as IPsec remote access pool 10.50.0.1/24

support.sophos.com/.../KB-000037043

Hello Yash Kothari,

i do not want to add the 10.50.0.0/24 in the IPsec Site to Site tunnel. 

Can you help me with Pictures for the SNAT?

It seems that nat roule doesnt work, see Paket listening.

Hello,

Under Original source, make sure that #IPsec_FL isn’t a #Port object, but a Network.

Regards,

IPSec Pool is a Netzwerk 10.50.0.0/24

Its not. Your object is a #Port Object, which only is the Interface as a IP. 

XG only has the UTM Interface (Address) object. 

Simply use VPN and ANY and it should work. 

Source is 10.50.0.0/24 my IPSEC Pool

an Sophos-Fischerlogistik is 192.168.12.254 ist Port from the local Netzwork 192.168.12.0/24

Here the NAT Rule

with any any it doesnt work either

We are talking about the firewall rule. 

Ok. But the Firewallrule seem to be not the Problem, see the log. 

But i cant get to the 192.168.19.0 Network

With Any like it doesnt work either

Here the firewall Rule

There is a NAT and a Firewall rule. Which one are those rules? 

i edited the posts.

first was nat

second was firewall

If you change the NAT from outbound interface to ANY, does it NAT the traffic? 

The Traffic capture log in webadmin should indicate, if a NAT + Firewall hit or not. Work torwards the results there, if you find the non matching rule there.