IPsec NAT: we need the possibility to NAT several local subnets to only one NAT address, and not 1 local subnet to 1 NAT address, so that the remote peer has to configure only one IP address as the remote subnet.
This is still working with an unsupported workaround. One SNAT firewall rule translates all our subnets to one IP address, which is part of "Local Subnets" in the affected IPsec connection. To get routes and SNAT working correctly, we've added an ipsec_route on the XG CLI.
Basically, Sophos just needs to add host groups to the lookup field - it's not really straightforward development if you can define host groups but can't use them when required.