First of all, could it be that those two clients are using L2TP or PPTP, both connect to the same VPN server, and you NAT both of them to the same public IP address? If so, it cannot work due to the NAT, as in both cases, the server to which they connect is unable to distinguish the connections from one another. The thing is that
- GRE used by PPTP has no notion of ports, so the only differentiators of one connection from the other are the IP addresses, and since both the IP of the server and the public IP you assign to the clients' connections are identical for both connections, not only can the server not distinguish the two GRE connections from one another, but the NAT handling on your machine also cannot allow more than one such GRE tunnel through, as it would be unable to forward the packets from the server to the client for the same reason.
- L2TP/IPsec uses UDP, so your NAT serves each connection with a different port at your public IP, but if both clients are the Microsoft Windows embedded ones, both use the same port at their side in the L2TP payload encrypted inside the IPsec transport packet, and L2TP uses transport, rather than tunnel, mode of encapsulation, so the original IP headers of the payload packets are not transported. So although the transport packets arrive at the server from different ports on your public IP, after unpacking, they still bear your public IP as source but the original client-side port, which is the same for both.
So for both cases, there is no other solution at your level but to use several public IPs to serve these types of VPN (one per each client of any given server). To make things worse, even if you do have multiple public IPs available, there is no embedded functionality which would automatically choose a different public address for these connections - if you restrict the to-ports to a single value and you do have a range in to-addresses, the second connection is not let through rather than getting another address from the range. So you need a script which tracks this type of connection and modifies the rule.
If you only have a single IP address, the clients have to change the VPN type to some other one supported by Sophos. Bare IPsec in tunnel mode and OpenVPN have no problem with multiple clients behind the same NAT.
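
The address selection such a script has to perform, as an added example that is not part of the original post: a Python model of the decision, not RouterOS configuration. The class and function names are hypothetical, and all addresses are constructed documentation-range values.

```python
# Added model of the NAT decision; not RouterOS code. Addresses are constructed.
from ipaddress import ip_address


class PerServerNatPool:
    """Give each (client, server) tunnel its own public source address.

    GRE carries no ports, so replies are matched only on (public IP, server IP);
    two clients of one server must leave from different public IPs.
    """

    def __init__(self, public_ips):
        self.public_ips = [ip_address(p) for p in public_ips]
        self.reply_owner = {}  # (public_ip, server_ip) -> client_ip
        self.flow_public = {}  # (client_ip, server_ip) -> public_ip

    def assign(self, client, server):
        """Return the public IP to src-nat this tunnel to, or None if none is free."""
        flow = (ip_address(client), ip_address(server))
        if flow in self.flow_public:  # an existing tunnel keeps its mapping
            return str(self.flow_public[flow])
        for pub in self.public_ips:
            if (pub, flow[1]) not in self.reply_owner:
                self.reply_owner[(pub, flow[1])] = flow[0]
                self.flow_public[flow] = pub
                return str(pub)
        return None  # every public IP already serves a client of this server

    def route_reply(self, public_ip, server):
        """Which inside client receives a packet sent by server to public_ip?"""
        owner = self.reply_owner.get((ip_address(public_ip), ip_address(server)))
        return str(owner) if owner is not None else None

    def release(self, client, server):
        """Free the mapping when the tunnel goes away."""
        flow = (ip_address(client), ip_address(server))
        pub = self.flow_public.pop(flow, None)
        if pub is not None:
            del self.reply_owner[(pub, flow[1])]


def demo():
    server = "198.51.100.10"
    single = PerServerNatPool(["203.0.113.1"])
    first = single.assign("192.168.88.11", server)
    second = single.assign("192.168.88.12", server)  # same server, no free IP
    pool = PerServerNatPool(["203.0.113.1", "203.0.113.2"])
    a = pool.assign("192.168.88.11", server)
    b = pool.assign("192.168.88.12", server)
    return first, second, a, b, pool.route_reply(b, server)
```

With one public address the second client of the same server gets no mapping; with two, each tunnel gets its own address and replies can be routed back unambiguously.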