Sophos Connect Client Authentication fails with certificate

Hi all!

I would like to set up a Client-VPN connection using Sophos Connect Client. Authentication should be by digital certificate.

After username & PW, Sophos Connect Client says "Failed to establish CHILD_SA". Here's the log:

sophos-log1.txt
2019-03-27 09:54:41AM 16[CFG] added vici connection: VPNClientTEST
2019-03-27 09:54:41AM 11[CFG] loaded certificate 'C=DE, ST=Bayern, L=XXX, O=XXX, OU=XXX, CN=vpn.XXX.de'
2019-03-27 09:54:41AM 07[CFG] loaded RSA private key
2019-03-27 09:54:41AM 13[CFG] loaded EAP shared key with id 'VPNClientTEST-xauth-id' for: 'testp'
2019-03-27 09:54:42AM 15[CFG] vici initiate 'VPNClientTEST-1'
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST[9] to 194.39.183.50
2019-03-27 09:54:42AM 14[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to 194.39.183.50[500] (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 194.39.183.50[500] to 192.168.43.69[57468] (180 bytes)
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received XAuth vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received DPD vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received Cisco Unity vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received FRAGMENTATION vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received NAT-T (RFC 3947) vendor ID
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to XXX[500] (204 bytes)
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> received packet: from XXX[500] to 192.168.43.69[57468] (204 bytes)
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> local host is behind NAT, sending keep alives
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, O=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, XXX, OU=OU, CN=Sophos_CA_XXX, E=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.XXX.de' (myself) successful
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57469] to XXX[4500] (700 bytes)
2019-03-27 09:54:42AM 11[NET] <VPNClientTEST|9> received packet: from XXX[4500] to 192.168.43.69[57469] (108 bytes)
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
2019-03-27 09:54:43AM 07[CFG] unloaded private key with id 076355e74d5920bd7d8e44759fe1299860180500
2019-03-27 09:54:43AM 13[CFG] unloaded shared key with id 'VPNClientTEST-xauth-id'
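
Added example, not part of the original post: a small Python parser for the strongSwan-style log above that reports which IKEv1 Main Mode step the client had just sent when the gateway returned an error notify. The function names and the embedded sample (a trimmed copy of the posted log lines) are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the [ENC] lines from the log posted above.
SAMPLE_LOG = """\
2019-03-27 09:54:42AM 14[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
"""

# Matches the message-encoding lines: direction, exchange type, payload list.
ENC = re.compile(r"\[ENC\] <[^>]*> (generating|parsed) (\S+) (request|response) \d+ \[ (.*) \]")

def main_mode_stage(payloads):
    """Map the payloads of an IKEv1 Main Mode message to its exchange step."""
    if "SA" in payloads:
        return "SA proposal (messages 1-2)"
    if "KE" in payloads:
        return "key exchange (messages 3-4)"
    if "ID" in payloads:
        auth = "certificate signature" if "SIG" in payloads else "pre-shared key hash"
        return f"identity and {auth} (messages 5-6)"
    return "unknown"

def diagnose(log_text):
    """Return (stage of the last Main Mode message sent, error notify) or None."""
    last_sent = None
    for line in log_text.splitlines():
        m = ENC.search(line)
        if not m:
            continue
        direction, exchange, _, payload_str = m.groups()
        payloads = payload_str.split()
        if direction == "generating" and exchange == "ID_PROT":
            last_sent = main_mode_stage(payloads)
        elif direction == "parsed" and exchange.startswith("INFORMATIONAL"):
            # Notify payloads are logged as N(NAME); strip the wrapper.
            notifies = [p[2:-1] for p in payloads if p.startswith("N(")]
            if notifies:
                return last_sent, notifies[0]
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On this log it reports that the AUTH_FAILED notify answered the client's ID/SIG message, so the gateway rejected phase 1 certificate authentication before XAuth or CHILD_SA negotiation took place.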