This example shows how to create an IPsec VPN connection between an AVM Fritz!Box and IPFire.
In this example there are two sites, both with static public IP addresses (A.B.C.D and M.N.O.P). Both VPN endpoints are directly connected to the Internet.
The Fritz!Box used in this example is a Fritz!Box 7390. Please check the compatibility list further below.
Log on to the web interface of the Fritz!Box and go to the VPN section. Click the button to add a new VPN connection and import the following file after substituting your public IP addresses (the A.B.C.D and M.N.O.P placeholders), your local networks and the PSK.
After a short time, you will find your new VPN connection in the list.
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN Connection 1";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = A.B.C.D;
                remote_virtualip = 0.0.0.0;
                localid {
                        ipaddr = A.B.C.D;
                }
                remoteid {
                        ipaddr = M.N.O.P;
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "verysecretkey";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                accesslist = "permit ip any 192.168.1.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Never, for any reason, use aggressive mode with the Fritz!Box or any other VPN client. It is extremely insecure, as the PSK-based authentication hash is transmitted in clear text. The configuration above uses main mode with identity protection (mode = phase1_mode_idp).
Head over to the IPsec configuration page of the IPFire web user interface and add a new net-to-net VPN connection. Give it a name and fill in the remote IP address, the local subnets and the PSK. For the left and right ID, use the public IP addresses as you did in the Fritz!Box configuration file. Use "hold" as the Dead Peer Detection action and select "IKEv1".
On the advanced settings page of the connection, uncheck payload compression, as it does not work well with the Fritz!Box (the configuration file above sets comp-no for the same reason). Leave the rest as it is.
Some Fritz!Box versions do not work properly when AES is used for encryption. In that case select 3DES and unselect all AES variants; this matches the esp-3des-sha setting in the configuration file above. 3DES works fine and is considered just as secure as AES.
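Because the Fritz!Box side is configured by importing a text file, it is easy to check an exported configuration against the settings this guide relies on before importing it or handing it to someone else. The following script is an added example; it is not part of this wiki page, nor AVM or IPFire code. It parses the brace-structured vpncfg format as it appears above into nested dictionaries and then flags deviations from the guide: a phase 1 mode other than phase1_mode_idp, payload compression enabled in phase2ss, an ESP cipher other than 3DES, NAT traversal off, and a short PSK. The sample input is a constructed, trimmed copy of the guide's file with its placeholders; the 20-character PSK threshold is an assumed policy value, not something the guide states.

```python
import re

# Constructed sample input: the Fritz!Box vpncfg from this guide, trimmed to
# the settings the checks below look at, with the guide's placeholder values.
SAMPLE_CFG = """
vpncfg {
    connections {
        remoteip = A.B.C.D;
        localid {
            ipaddr = A.B.C.D;
        }
        remoteid {
            ipaddr = M.N.O.P;
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "verysecretkey";
        use_nat_t = yes;
        phase2localid {
            ipnet {
                ipaddr = 192.168.0.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

# A token is a quoted string, one of the structural characters, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+')

MIN_PSK_LENGTH = 20  # assumed policy threshold, not a value from the guide


def parse_vpncfg(text):
    """Parse vpncfg text into nested dicts: 'key = value;' becomes a string,
    'key = a, b;' a list of strings, and 'name { ... }' a nested dict.
    Quotes around values are stripped."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            if tokens[pos] == "{":
                pos += 1
                block[name] = parse_block()
                pos += 1  # closing brace of the nested block
            elif tokens[pos] == "=":
                pos += 1
                values = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1  # the terminating semicolon
                block[name] = values[0] if len(values) == 1 else values
            else:
                raise ValueError("unexpected token %r after %r" % (tokens[pos], name))
        return block

    return parse_block()


def audit_connection(cfg):
    """Return findings for the connection block, following this guide's
    settings: main mode with identity protection, no payload compression,
    3DES for the 7390, NAT-T on, and a PSK that is not a short placeholder."""
    conn = cfg["vpncfg"]["connections"]
    findings = []
    if conn.get("mode") != "phase1_mode_idp":
        findings.append("phase 1 mode is not main mode with identity protection")
    phase2 = conn.get("phase2ss", "").split("/")
    if "comp-no" not in phase2:
        findings.append("payload compression is enabled")
    if not any(alg.startswith("esp-3des") for alg in phase2):
        findings.append("ESP cipher is not 3DES")
    if conn.get("use_nat_t") != "yes":
        findings.append("NAT traversal is disabled")
    if conn.get("keytype") == "connkeytype_pre_shared" and len(conn.get("key", "")) < MIN_PSK_LENGTH:
        findings.append("PSK is shorter than %d characters" % MIN_PSK_LENGTH)
    return findings


def audit_text(text):
    """Parse a vpncfg file's contents and return the list of findings."""
    return audit_connection(parse_vpncfg(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CFG):
        print("finding:", finding)
```

Run against the sample, the only finding is the short placeholder PSK, which is exactly what you want to see before the real key goes in. The parser deliberately accepts any block and key name, so the same function can be pointed at a full export from the Fritz!Box; only the audit function encodes this guide's expectations.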
Compatibility list:

| Model | Status | Notes |
| AVM Fritz!Box 7390 | WORKS | Can only use 3DES. |
FIXME This guide needs some screenshots.