Setting up a working IPsec configuration between a strongSwan server and the fritz-box seems to be rather painful. I couldn't make the default wizard variants work, since they seem to use Aggressive Mode with a PSK, and I was getting errors such as:
found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
That message comes from strongSwan, which refuses Aggressive Mode with a PSK unless a conn explicitly opts in (aggressive=yes), because that exchange sends a hash derived from the PSK in the clear and so hands an eavesdropper something to crack offline. Both variants below use Main Mode instead, which the AVM config calls phase1_mode_idp. It took me a while, so here are my working results. Hopefully this makes your journey easier :)
At the time of writing this was verified with FritzOS v7.21 and the box connected via DS-Lite. One caveat on the proposals used below: ike=aes256-sha-modp1024! (SHA-1 and 1024-bit DH group 2) and esp=3des-md5! are what worked against the box, and both are weak by today's standards. Since the vpncfg leaves phase2ss at esp-all-all, it is worth trying a stronger ESP proposal such as esp=aes256-sha256! first and only falling back to 3des-md5! if the negotiation fails.
Variant 1: LAN2LAN
Prerequisite: an IPv4-reachable server (since the fritz-box is behind the DS-Lite carrier-grade NAT and doesn't support IPv6 VPNs *sigh*). Because the box cannot be reached from outside, it has to be the initiator: the server side only loads the conn (auto=add) and accepts any peer address (right=%any), while the box config keeps the tunnel up from its end (always_renew = yes, keepalive_ip).
Server (server.example.org, 10.8.0.1/24) — (nat) — fritz.box (192.168.178.0/24)
ipsec.conf
config setup
    uniqueids=no

conn fritzbox
    authby=psk
    auto=add
    left=server.example.org
    leftid=@server.example.org
    leftsourceip=10.8.0.1
    leftsubnet=10.8.0.0/24
    right=%any
    rightsubnet=192.168.178.0/24
    rightid=%any
    ike=aes256-sha-modp1024!
    esp=3des-md5!
    ikelifetime=3600s
    keylife=3600s
ipsec.secrets
server.example.org %any : PSK "chooseareallystrongnonbruteforceablekeyhereplease!"
fritzbox-vpn.cfg
(import via web interface)
Note: If you make adjustments, you may need to delete the old config from the fritz-box web interface before reimporting the new one.
vpncfg {
    vpncfg_version = 1;
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "server.example.org LAN2LAN";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remote_virtualip = 10.8.0.1;
        remotehostname = "server.example.org";
        keepalive_ip = 10.8.0.1;
        localid {
            user_fqdn = "email@whatever.org";
        }
        remoteid {
            fqdn = "server.example.org";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "chooseareallystrongnonbruteforceablekeyhereplease!";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.178.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.8.0.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-all/comp-all/no-pfs";
        accesslist = "permit ip any 10.8.0.0 255.255.255.0";
        app_id = 0;
    }
}
Variant 2: Remote roadwarrior
This is a bit of a funny setup: since the fritz-box isn't IPv4 reachable, the IPsec responder is still the server, but it is configured like a roadwarrior that joins the fritz-box's home network with a single address (192.168.178.3). There is no leftsubnet on the server side, so its local traffic selector is just that one address, which is exactly what the box's phase2remoteid and accesslist expect.
Server (server.example.org, 192.168.178.3/32) — (nat) — fritz.box (192.168.178.0/24)
ipsec.conf
config setup
    uniqueids=no

conn avm
    authby=psk
    auto=add
    left=server.example.org
    leftid=@server.example.org
    leftsourceip=192.168.178.3
    #leftsubnet=10.8.0.0/24
    right=%any
    rightsubnet=192.168.178.0/24
    rightid=%any
    ike=aes256-sha-modp1024!
    esp=3des-md5!
    ikelifetime=3600s
    keylife=3600s
ipsec.secrets
server.example.org %any : PSK "chooseareallystrongnonbruteforceablekeyhereplease!"
fritzbox-vpn.cfg
(import via web interface)
Note: If you make adjustments, you may need to delete the old config from the fritz-box web interface before reimporting the new one.
vpncfg {
    vpncfg_version = 1;
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "server.example.org (roadwarrior)";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remote_virtualip = 192.168.178.3;
        remotehostname = "server.example.org";
        keepalive_ip = 192.168.178.3;
        localid {
            user_fqdn = "email@whatever.org";
        }
        remoteid {
            fqdn = "server.example.org";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "chooseareallystrongnonbruteforceablekeyhereplease!";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.178.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipaddr = 192.168.178.3;
        }
        phase2ss = "esp-all-all/ah-all/comp-all/no-pfs";
        accesslist = "permit ip any 192.168.178.3 255.255.255.255";
        app_id = 0;
    }
}
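Both variants are really the same three files with the PSK, the server's tunnel address and the subnets copied by hand between the strongSwan side and the AVM side, and a transposed octet on one side produces a tunnel that completes phase 1 and then carries nothing. As an added example (my own code, not from the original post, strongSwan or AVM), here is a small Python generator that renders ipsec.conf, ipsec.secrets and the vpncfg for either variant from one spec, generates a random PSK, and checks the things that are easy to get wrong: that the server's tunnel address lies in the right subnet (the server LAN for LAN2LAN, the box LAN for the roadwarrior variant), that the two subnets do not overlap, and that the PSK is not trivially short. TunnelSpec, validate, emit and the render_* functions are my names; the hostnames and addresses are the ones from the two variants above.

```python
# Added example, not code from the original post: render both ends of the tunnel
# from one spec so PSK, tunnel address and subnets cannot drift apart.
import ipaddress
import secrets
from dataclasses import dataclass

@dataclass
class TunnelSpec:
    server_fqdn: str         # IPv4-reachable strongSwan server
    server_ip: str           # leftsourceip on the server == remote_virtualip / keepalive_ip on the box
    box_subnet: str          # fritz-box LAN: rightsubnet on the server == phase2localid on the box
    psk: str                 # must be identical in ipsec.secrets and the vpncfg key
    server_subnet: str = ""  # server LAN for LAN2LAN; empty for the roadwarrior variant
    box_localid: str = "email@whatever.org"

def generate_psk(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG; URL-safe, so it needs no escaping in either file."""
    return secrets.token_urlsafe(nbytes)

def validate(spec: TunnelSpec) -> list:
    """Return the mismatches that would complete phase 1 but never carry traffic."""
    problems = []
    if len(spec.psk) < 20:
        problems.append("PSK too short; it is the only authentication here")
    box_net = ipaddress.ip_network(spec.box_subnet)
    srv_ip = ipaddress.ip_address(spec.server_ip)
    if not spec.server_subnet:  # roadwarrior: the server joins the box LAN with one address
        if srv_ip not in box_net:
            problems.append(f"{srv_ip} is not inside {box_net}")
    else:
        srv_net = ipaddress.ip_network(spec.server_subnet)
        if srv_ip not in srv_net:
            problems.append(f"{srv_ip} is not inside {srv_net}")
        if srv_net.overlaps(box_net):
            problems.append(f"{srv_net} overlaps {box_net}; routing would be ambiguous")
    return problems

def _require_valid(spec: TunnelSpec) -> None:
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))

def render_ipsec_conf(spec: TunnelSpec, conn: str = "fritzbox") -> str:
    """strongSwan side; conn parameters are indented because ipsec.conf requires it."""
    _require_valid(spec)
    params = ["authby=psk", "auto=add", f"left={spec.server_fqdn}",
              f"leftid=@{spec.server_fqdn}", f"leftsourceip={spec.server_ip}"]
    if spec.server_subnet:
        params.append(f"leftsubnet={spec.server_subnet}")
    params += ["right=%any", f"rightsubnet={spec.box_subnet}", "rightid=%any",
               "ike=aes256-sha-modp1024!", "esp=3des-md5!",
               "ikelifetime=3600s", "keylife=3600s"]
    body = "\n".join("\t" + p for p in params)
    return f"config setup\n\tuniqueids=no\n\nconn {conn}\n{body}\n"

def render_secrets(spec: TunnelSpec) -> str:
    return f'{spec.server_fqdn} %any : PSK "{spec.psk}"\n'

def emit(items: list, depth: int = 0) -> list:
    """Serialise (key, value) pairs, nested lists as blocks, into AVM's brace/semicolon syntax."""
    pad = "    " * depth
    out = []
    for key, val in items:
        if isinstance(val, list):
            out += [f"{pad}{key} {{", *emit(val, depth + 1), f"{pad}}}"]
        else:
            out.append(f"{pad}{key} = {val};")
    return out

def render_vpncfg(spec: TunnelSpec) -> str:
    """fritz-box side: phase2localid is the box LAN, phase2remoteid mirrors the server."""
    _require_valid(spec)
    box = ipaddress.ip_network(spec.box_subnet)
    if spec.server_subnet:
        srv = ipaddress.ip_network(spec.server_subnet)
        remote = [("ipnet", [("ipaddr", srv.network_address), ("mask", srv.netmask)])]
        acl, label = f"permit ip any {srv.network_address} {srv.netmask}", "LAN2LAN"
    else:
        remote = [("ipaddr", spec.server_ip)]
        acl, label = f"permit ip any {spec.server_ip} 255.255.255.255", "roadwarrior"
    conn = [
        ("enabled", "yes"), ("editable", "no"), ("conn_type", "conntype_lan"),
        ("name", f'"{spec.server_fqdn} {label}"'), ("boxuser_id", 0), ("always_renew", "yes"),
        ("reject_not_encrypted", "no"), ("dont_filter_netbios", "yes"), ("localip", "0.0.0.0"),
        ("local_virtualip", "0.0.0.0"), ("remote_virtualip", spec.server_ip),
        ("remotehostname", f'"{spec.server_fqdn}"'), ("keepalive_ip", spec.server_ip),
        ("localid", [("user_fqdn", f'"{spec.box_localid}"')]),
        ("remoteid", [("fqdn", f'"{spec.server_fqdn}"')]),
        ("mode", "phase1_mode_idp"), ("phase1ss", '"all/all/all"'),
        ("keytype", "connkeytype_pre_shared"), ("key", f'"{spec.psk}"'),
        ("cert_do_server_auth", "no"), ("use_nat_t", "yes"), ("use_xauth", "no"), ("use_cfgmode", "no"),
        ("phase2localid", [("ipnet", [("ipaddr", box.network_address), ("mask", box.netmask)])]),
        ("phase2remoteid", remote),
        ("phase2ss", '"esp-all-all/ah-all/comp-all/no-pfs"'),
        ("accesslist", f'"{acl}"'), ("app_id", 0),
    ]
    return "\n".join(emit([("vpncfg", [("vpncfg_version", 1), ("connections", conn)])])) + "\n"
```

Render all three files from the same TunnelSpec (for example `TunnelSpec("server.example.org", "10.8.0.1", "192.168.178.0/24", generate_psk(), "10.8.0.0/24")` for variant 1, or the same without a server_subnet and with server_ip 192.168.178.3 for variant 2); the key and the subnets then appear in each file exactly once and from the same source, so a slip like 192.178.168.3 on one side is caught by validate() before anything is imported into the box.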