How to set up a Site-to-Site IPsec VPN between Sophos XG and Teltonika

Disclaimer: This information is posted as-is and the content should be referenced at your own risk.

Configuring Sophos Firewall


- Add local and remote LAN

- Go to Hosts and Services > IP Host and select Add to create the local LAN.

- Go to Hosts and Services > IP Host and select Add to create the remote LAN.

- Create an IPsec VPN connection

- Go to VPN > IPsec policies and select Add to create the policy.

- Dead Peer Detection: Disabled

- Go to VPN > IPsec Connections and select Add to create a new VPN.

- Select IP version: IPv4

Connection type: Site-to-site

Gateway type: Respond only

- Select your policy:

Authentication type: Preshared key

Enter a pre-shared key

- Listening interface: select your port

Local ID type: DNS

Remote ID type: DNS

Local ID: set your local ID

Remote ID: set the router's ID (on router's interface - My identifier)

Configuring Router Teltonika RUT2XX


- Creating an IPsec instance

Log in to the router’s Web UI and go to Services -> VPN -> IPsec

Enter any name for the instance and hit ‘Add’

Click Edit on the newly created instance.

Enable Checkbox: Enabled

IKE version: IKEv1

Mode: Main

Type: Tunnel

On Startup: Start

My identifier: (ROUTER LAN GATEWAY)

Local IP address/Subnet mask: LAN IP address and prefix (for ex.

Left firewall: Enabled

Force encapsulation: Enabled

Dead Peer Detection: Disabled

Remote VPN endpoint:

Remote identifier: (REMOTE LAN ADDRESS)

Remote IP address/Subnet mask: (Remote IP Subnet)

Right firewall: Enabled

Passthrough networks: NONE

Enable keepalive: Disabled


Ping period (sec)

Allow WebUI access: Enabled

Custom options: EMPTY

- Phase 1:

Encryption algorithm: 3DES

Authentication: SHA1

DH group: MODP1536

Lifetime (h): 3600 (seconds)

Testing the connection


On the router

Go to Services -> CLI

Username: root

Password: your router's Admin Password

Once logged in, type ipsec status and press Enter

You should see a tunnel formed as in the example below

On Sophos

You should see a green status light under VPN - IPsec connections

Cleaned the formatting
[edited by: Yashraj at 11:02 AM (GMT -8) on 12 Nov 2020]
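For the router-side check under "Testing the connection", the script below is an added example (not part of the original post) that classifies the status text instead of reading it by eye. It assumes strongSwan-style output; the function names, sample addresses, IDs and SPIs are constructed, and the "IKE proposal" line is only printed by ipsec statusall.

```shell
#!/bin/sh
# Added example: classify strongSwan-style IPsec status text read on stdin.
# On the router CLI: ipsec statusall | tunnel_state

# Constructed sample: phase 1 and phase 2 both up ("ESP in UDP" is what a
# tunnel with forced encapsulation is assumed to show).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 4 minutes ago, 192.0.2.10[router.example]...198.51.100.20[sophos.example]
      tunnel[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
      tunnel{1}:   192.168.1.0/24 === 192.168.2.0/24'

# Constructed sample: phase 1 completed but no phase 2 (child) SA installed,
# which typically points at mismatched subnets or phase 2 settings.
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 10 seconds ago, 192.0.2.10[router.example]...198.51.100.20[sophos.example]'

# Constructed sample: still negotiating, nothing established.
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
      tunnel[1]: CONNECTING, 192.0.2.10[%any]...198.51.100.20[%any]'

# Prints "up" (IKE SA established and tunnel-mode child SA installed),
# "ike-only" (phase 1 only) or "down" (no established IKE SA).
tunnel_state() {
    awk '
        /\[[0-9]+\]: ESTABLISHED/           { ike = 1 }
        /[{][0-9]+[}]: +INSTALLED, TUNNEL/  { child = 1 }
        END {
            if (ike && child) print "up"
            else if (ike)     print "ike-only"
            else              print "down"
        }'
}

# Prints the negotiated IKE proposal so it can be compared with the
# Phase 1 settings configured on both sides (empty if the line is absent).
ike_proposal() {
    sed -n 's/.*IKE proposal: *//p' | head -n 1
}

# Demonstration on the constructed sample.
printf 'state=%s proposal=%s\n' \
    "$(printf '%s\n' "$SAMPLE_UP" | tunnel_state)" \
    "$(printf '%s\n' "$SAMPLE_UP" | ike_proposal)"
```

A result of ike-only means the peers authenticated but no traffic selectors were installed, so the Sophos side can show the connection as active while no LAN traffic passes.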