Update 2: Fixed it. It is not so clear that vti interfaces ip addresses have to be routed also. To make it simple: use single /24 subnet for all vti tunnels and add this subnet to "Static routes" at every site

@freddy550
No. Your IPSec configuration has to be aware of the NAT, otherwise it will not connect.

Imagine, the remote site is 192.168.20.0/24 and it is natted to 10.227.56.0/24. So your phase 2 has to use 10.227.56.0/24 as remote network to connect to.

@viragomann
It is policy-based tunnel (Tunnel IPv4).

Phase2 is working (status connected).

Status->SystemLogs->IPSEc has no corresponding entries.

But you said " and the subnet is not routed through the tunnel": This is exactly the problem - how to do this? As there are no thus options in the IPSec tunnel settings ("NAT/BINAT translation" should not be the corresponding option.)

@viragomann We got it sorted out....

on the main the tunnel to the 3rd party on the local network was using 1.0/24 and this needed to be 0.0/16

@nick-loenders
Anyway, if you have sequenced subnets like these you can embrace them in the p2 using an appropriate mask. But with a local LAN of 10.0.1.0/24 you run into risk of overlapping.

So if the LAN here is 10.0.1.0/24 you could only merge tunnel 2 and 3 by stating 10.0.2.0/23 as the remote network.

If you have control over all involved site you should consider this when designing the networks.

@viragomann I thought it would not work because the additional encryption domains, are not local to the Sophos either
But thanks, I will give it a try.