published on in Tech Tips & Tricks

Fritz-Box VPN with strongswan and DS-Lite

Setting up a working ipsec configuration for the fritz-box seems to be rather painful. I couldn’t make the default wizard variants work since they seem to use aggressive mode with psk and I was getting errors such as:

found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode

It took me a while, so here are some working results from me. Hopefully your journey becomes easier then :)

At the time of writing this was verified using FritzOS v7.21 and the box connected via DS-Lite.

Variant 1: LAN2LAN

Prerequisite: an IPv4 reachable server (since the fritz-box is behind the DS-Lite NAT and doesn’t support IPv6 VPNs *sigh*).

Server (server.example.org, 10.8.0.1/24) — (nat) — fritz.box (192.168.178.0/24)

ipsec.conf

config setup
    uniqueids=no

conn fritzbox
    authby=psk
    auto=add
    left=server.example.org
    leftid=@server.example.org
    leftsourceip=10.8.0.1
    leftsubnet=10.8.0.0/24
    right=%any
    rightsubnet=192.168.178.0/24
    rightid=%any
    ike=aes256-sha-modp1024!
    esp=3des-md5!
    ikelifetime=3600s
    keylife=3600s

ipsec.secrets

server.example.org %any : PSK "chooseareallystrongnonbruteforceablekeyhereplease!"

fritzbox-vpn.cfg (import via web interface)

Note: If you make adjustments, you may need to delete the old config from the fritz-box web interface before reimporting the new one.

vpncfg {
        vpncfg_version = 1;
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "server.example.org LAN2LAN";
                boxuser_id = 0;
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remote_virtualip = 10.8.0.1;
                remotehostname = "server.example.org";
                keepalive_ip = 10.8.0.1;
                localid {
                        user_fqdn = "email@whatever.org";
                }
                remoteid {
                        fqdn = "server.example.org";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "chooseareallystrongnonbruteforceablekeyhereplease!";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.8.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-all/comp-all/no-pfs";
                accesslist = "permit ip any 10.8.0.0 255.255.255.0";
                app_id = 0;
        }
}

Variant 2: Remote roadwarrior

This is a bit of a funny setup: since the fritz-box isn’t IPv4 reachable, the remote endpoint is the server, but it’s configured as a roadwarrior that joins the fritz-box’s home network.

Server (server.example.org, 192.168.178.3/32) — (nat) — fritz.box (192.168.178.0/24)

ipsec.conf

config setup
    uniqueids=no

conn avm
    authby=psk
    auto=add
    left=server.example.org
    leftid=@server.example.org
    leftsourceip=192.168.178.3
    #leftsubnet=10.8.0.0/24
    right=%any
    rightsubnet=192.168.178.0/24
    rightid=%any
    ike=aes256-sha-modp1024!
    esp=3des-md5!
    ikelifetime=3600s
    keylife=3600s

ipsec.secrets

server.example.org %any : PSK "chooseareallystrongnonbruteforceablekeyhereplease!"

fritzbox-vpn.cfg (import via web interface)

Note: If you make adjustments, you may need to delete the old config from the fritz-box web interface before reimporting the new one.

vpncfg {
        vpncfg_version = 1;
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "server.example.org (roadwarrior)";
                boxuser_id = 0;
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remote_virtualip = 192.168.178.3;
                remotehostname = "server.example.org";
                keepalive_ip = 192.168.178.3;
                localid {
                        user_fqdn = "email@whatever.org";
                }
                remoteid {
                        fqdn = "server.example.org";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "chooseareallystrongnonbruteforceablekeyhereplease!";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipaddr = 192.168.178.3;
                }
                phase2ss = "esp-all-all/ah-all/comp-all/no-pfs";
                accesslist = "permit ip any 192.168.178.3 255.255.255.255";
                app_id = 0;
        }
}
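Both variants only work when the strongSwan side and the imported vpncfg describe the same addresses, selectors and key, and a single mistyped octet fails quietly. The following checker, an added example and not part of the original post, parses the handful of keys these two configs use and lists every mismatch; the embedded sample is constructed in the shape of Variant 2, and `ipaddress`/`re` come from the Python standard library.

```python
"""Cross-check a strongSwan conn and PSK against the FRITZ!Box vpncfg that must mirror
it. Added example, not from the post; parses only the keys the post's configs use."""
import ipaddress
import re

def _kv(text, key):
    """First 'key=value' (ipsec.conf) or 'key = "value";' (vpncfg) value, else None."""
    m = re.search(rf'^\s*{key}\s*=\s*"?([^";\n]+?)"?\s*;?\s*$', text, re.M)
    return m.group(1) if m else None

def _selector(vpncfg, section):
    """phase2localid/phase2remoteid as an IPv4Network (a bare ipaddr is a /32)."""
    m = re.search(rf'{section}\s*\{{\s*(?:ipnet\s*\{{)?\s*ipaddr\s*=\s*(\S+);(?:\s*mask\s*=\s*(\S+);)?', vpncfg)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or 32}", strict=False)

def check_consistency(ipsec_conf, ipsec_secrets, vpncfg):
    """Return the mismatches between the two sides; an empty list means they agree."""
    src = _kv(ipsec_conf, "leftsourceip")
    # The box's phase2remoteid is strongSwan's left side: leftsubnet, or the host alone.
    want = ipaddress.ip_network(_kv(ipsec_conf, "leftsubnet") or f"{src}/32")
    remote, local = _selector(vpncfg, "phase2remoteid"), _selector(vpncfg, "phase2localid")
    psk = re.search(r'PSK\s+"([^"]+)"', ipsec_secrets).group(1)
    checks = [
        (_kv(vpncfg, "remote_virtualip") == src, "remote_virtualip != leftsourceip"),
        (_kv(vpncfg, "keepalive_ip") == src, "keepalive_ip != leftsourceip"),
        (remote == want, f"phase2remoteid {remote} != strongSwan side {want}"),
        (local == ipaddress.ip_network(_kv(ipsec_conf, "rightsubnet")), "phase2localid != rightsubnet"),
        (_kv(vpncfg, "accesslist") == f"permit ip any {remote.network_address} {remote.netmask}",
         "accesslist does not cover phase2remoteid"),
        (_kv(vpncfg, "key") == psk, "vpncfg key != PSK in ipsec.secrets"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample in the shape of Variant 2, with two octets swapped in leftsourceip.
IPSEC_CONF = ("conn avm\n    left=server.example.org\n    leftsourceip=192.178.168.3\n"
              "    #leftsubnet=10.8.0.0/24\n    rightsubnet=192.168.178.0/24\n")
SECRETS = 'server.example.org %any : PSK "example-psk"\n'
VPNCFG = """connections {
 remote_virtualip = 192.168.178.3;
 keepalive_ip = 192.168.178.3;
 phase2localid { ipnet {
  ipaddr = 192.168.178.0;
  mask = 255.255.255.0;
 } }
 phase2remoteid { ipaddr = 192.168.178.3; }
 accesslist = "permit ip any 192.168.178.3 255.255.255.255";
 key = "example-psk";
}"""
if __name__ == "__main__":
    print(check_consistency(IPSEC_CONF, SECRETS, VPNCFG) or ["all consistent"])
```

Point it at the real ipsec.conf, ipsec.secrets and fritzbox-vpn.cfg texts before importing the latter into the box; the sample above reports three mismatches until the swapped octets are corrected.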