Configuring IPsec site-to-site VPN Sophos UTM



  1. The first, you must define Remote Gateways for site-to-site VPN tunnels. Go on the Site-to-site VPN > IPsec> Remote Gateways tab.
  • Click New Remote Gateway button to create new gateway.

RW ipsec

  • Make the following settings:
    • Name: Descriptive name of remote gateway
    • Gateway type: select the type of gateway mode:
      • Initiate Connection: Select if the remote endpoint has a static IP address so that a connection to the remote gateway can be initiated by the gateway.
      • Respond Only: Select if the IP address of the remote endpoint is unknown or cannot be resolved through DynDNS. The gateway is not able to initiate a connection to the remote gateway but waits for incoming connections to which it only needs to respond.
    • Gateway (if selected initial connection): you must create gateway of site branch office.


    • Authentication type: can select such as
      • Preshared key: Authentication with Preshared Keys (PSK)
      • RSA key: Authentication using RSA keys
      • Local X.509 certificate
      • Remote X.509 certificate
    • VPN ID type: Depending on the authentication type you must select VPN ID type and VPN Identifier. you can select among the following VPN ID types:
      • IP address
      • Hostname
      • Email address
      • Distinguished name: only when you selected local X.509 Certificate authentication.
      • Any: default when you selected Respond only gateway type.
    • Remote Network: add network need to remote of Branch Office site.
  • Make advance setting if necessary
  • Click “Save”

2. To create an IPsec Connection, proceed as follows:

  • On the Site-to-site VPN > IPsec> Connections tab, you click button “New IPsec Connection” to create new connection

Connection IPsec

  • Make the following settings:
    • name: Descriptive name for IPsec connection
    • Remote Gateway: select  remote gateway created above.
    • Local interface: select interface using connect VPN IPsec.
    • Policy: You can define new policy at the Site-to-site VPN > IPsec> Policies tab. Or use default policy such as:


    • Local Network: select network local of Head Quarter site.
    • Click “Save”.

3. When you configure finished you can see status IPsec at the site-to-site VPN




Configuring same as the Head Quarter Office.

  1. Configuring Remote gateway


2.  Configuring IPsec connection

Connection BO

Note: select policy same as policy of Head Quarter Office.

3.  Views status Site-to-site VPN IPsec when configuration finished:

    • Views live-log see proceed connection


    • Before


    • After



Done! I hope this guide can helps everyone. Thanks.


  1. Please help we are using centurylink cloud and they offer site to site vpn which in our other location we are using sophos utm please help me set this up i am lost

  2. At “◾Remote Network: add network need to remote of Branch Office site.” , do I need to add the network of the remote site, or do I need to fill in the network of the local site?

  3. Der Artikel am sich war gut nur eine Frage. Was ist dieses GW-SiteBO? Ich hab das bei mir nicht gefunden und habe keine Ahnung von dem Programm, da einzige Grund warum ich mit Sophos beschäftige wegen eines Schülerpraktikums ist. Schon mal danke im vor raus. LG Finn

    • GW-SiteBO is the IP Public of Branch Office: Gateway (if selected initial connection): you must create gateway of site branch office.
      Click the Green Plus (+) Icon beside the GW-SiteBO,
      => Type: Host
      => IPV4 Address: the public IP of Branch office
      => Save

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.