Richtlinie:

IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 3600s / PFS MODP_1024 / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 3600s / COMPRESSED
Hinweis: MODP_1024 (DH-Gruppe 2) und HMAC_SHA1 gelten nach heutigem Stand als schwach; sofern beide Seiten es unterstützen, sollten mindestens MODP_2048 (DH-Gruppe 14) und SHA-256 gewählt werden. Außerdem passt „COMPRESSED" hier nicht zu „comp-lzs-no" in der Fritz!Box-Konfiguration unten – eine der beiden Seiten sollte angeglichen werden.

Bei Verbindungsproblemen kann es helfen, das entfernte Gateway in der Sophos UTM auf „Nur antworten" (Respond only) zu setzen, so dass ausschließlich die Fritz!Box den Tunnel aufbaut.

Konfiguration Fritz!Box (vpncfg-Datei zum Import; Platzhalter HOSTNAME*, NETZWERK* und PRESHAREDKEY vorher ersetzen):

// FRITZ!Box vpncfg for a site-to-site IKEv1 tunnel to a Sophos UTM.
// Placeholders (HOSTNAME*, NETZWERK*, PRESHAREDKEY) must be replaced before import.
// The PSK is stored in clear text in this file — treat the file as a secret.
vpncfg {
    connections {
        enabled = yes;
        // presumably LAN-to-LAN (site-to-site) connection type — verify against AVM docs
        conn_type = conntype_lan;
        name = "Sophos UTM";
        always_renew = yes;
        // NOTE(review): exact semantics not documented here — presumably plaintext traffic
        // to the remote net is not dropped while the tunnel is down; confirm before relying on it
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        // 0.0.0.0 on all four addresses: no fixed IPs, the peer is located via remotehostname below
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        // DNS name of the Sophos UTM; the same value is used as remoteid below
        remotehostname = "HOSTNAMESOPHOSUTM";
        // FQDN identities; each must match the local/remote ID configured on the Sophos side
        localid {
            fqdn = HOSTNAMEFRITZBOX;
        }
        remoteid {
            fqdn = HOSTNAMESOPHOSUTM;
        }
        // "idp" presumably = IKEv1 identity-protection (main) mode rather than aggressive mode — verify
        mode = phase1_mode_idp;
        // "all/all/all" accepts any DH group / cipher / hash the peer proposes; what is actually
        // negotiated is dictated by the Sophos policy (AES-256 / SHA1 / MODP_1024). Consider a
        // narrower proposal here if the firmware supports one, so weaker fallbacks cannot be chosen.
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        // replace with a long random secret; must be identical to the PSK on the Sophos side
        key = "PRESHAREDKEY";
        cert_do_server_auth = no;
        // NAT traversal disabled — if either end sits behind NAT this presumably has to be yes
        // (UDP 4500 is forwarded by ike_forward_rules below anyway)
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        // local /24 behind the FRITZ!Box that is routed into the tunnel
        phase2localid {
            ipnet {
                ipaddr = NETZWERKFRITZBOX;
                mask = 255.255.255.0;
            }
        }
        // ESP: AES-256 or 3DES with SHA1, no AH, no LZS compression, PFS on.
        // 3DES is weak and is not in the Sophos policy above (AES_CBC_256 only);
        // "comp-lzs-no" also contradicts the "COMPRESSED" flag in that policy — align one side.
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        // any local source may reach the remote /24 through the tunnel
        accesslist = "permit ip any NETZWERKSOPHOS 255.255.255.0";
    }
    // IKE on UDP 500, NAT-T on UDP 4500
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
    "udp 0.0.0.0:4500 0.0.0.0:4500";
}