The iPhone supports IKEv2, IPsec, and L2TP Client VPN.

Sophos UTM supports SSL, PPTP, L2TP over IPsec, IPsec, and more VPN protocols. For this guide, we are going to use iPhone’s L2TP VPN Client to remotely connect to our Sophos UTM.

To start, log in to your Sophos UTM and select the “Remote Access” section

  • Click L2TP over IPsec for compatibility with iOS



Enable the protocol by toggling the switch to “enabled”



Choose Authentication Mode: Preshared key


  • Create a secure key and repeat it 2x below


Assign IP address by “IP address pool”


Pool Network: Choose your LAN subnet or internal network. You may also choose a VPN pool, but I decided to stay on the same subnet while I remote in.


Authentication via “Local” (accounts stored on the Sophos UTM)


In users and groups, you should create accounts for those who will be using the VPN and then add them here. You can also enable the user portal so they can download their connection profile directly to their iOS.

Shown above, admin is the account for the Sophos UTM which I will also authenticate to the VPN with.
It is best practice not to use this account, and to create other accounts for VPN remote access.


Save your changes, open the Live Log, and move on over to your iPhone for configuration.

NOTE: If you have the User Portal enabled, you can log in and download the connection settings for your VPN profile and skip all the steps below. I feel that it also integrates with iOS very well.

Refer to the images below:

Open Settings

  • Choose General
  • Scroll down and select “VPN”
  • Add a new configuration
  • Change Type to L2TP
  • Input the required info:
    • Description: Sophos
    • Server: Your UTM IP address or public domain name.
    • Account: The local account (on the sophos) you wish to use to log in to VPN
    • Password: The password for authenticating with the above account on Sophos UTM
    • Secret: The Preshared Key we entered 2x on the Sophos.
    • Send all traffic: Toggle or turn off.
      • Depends if you want remote access only or to browse securely and privately.

Troubleshooting: Remember to check your Live Log! It will tell you verbosely when there is an obvious problem such as the pre-shared secret mismatch. Below is a successful negotiation. chrome_2016-12-08_10-02-00



Leave a Reply