This example shows how to create an IPsec VPN connection between an AVM Fritz!Box and IPFire.

Setup

In this example there are two sites, both with static IP addresses (A.B.C.D and M.N.O.P). Both VPN endpoints are directly connected to the Internet.

The Fritz!Box used in this example is a Fritz!Box 7390. Please check the compatibility list further below.

Site A: Fritz!Box

Log on to the web interface of the Fritz!Box and head to the VPN section. Click the button to add a new VPN connection and import the following file after substituting your public IP addresses, local networks and the PSK.

After a short time, you will find your new VPN connection in the list.

vpncfg {
    connections {
              enabled = yes;
              conn_type = conntype_lan;
              name = "VPN Connection 1";
              always_renew = no;
              reject_not_encrypted = no;
              dont_filter_netbios = yes;
              localip = 0.0.0.0;
              local_virtualip = 0.0.0.0;
              remoteip = M.N.O.P;
              remote_virtualip = 0.0.0.0;
              localid {
                      ipaddr = A.B.C.D;
              }
              remoteid {
                      ipaddr = M.N.O.P;
              }
              mode = phase1_mode_idp;
              phase1ss = "all/all/all";
              keytype = connkeytype_pre_shared;
              key = "verysecretkey";
              cert_do_server_auth = no;
              use_nat_t = yes;
              use_xauth = no;
              use_cfgmode = no;
              phase2localid {
                      ipnet {
                              ipaddr = 192.168.0.0;
                              mask = 255.255.255.0;
                      }
              }
              phase2remoteid {
                      ipnet {
                              ipaddr = 192.168.1.0;
                              mask = 255.255.255.0;
                      }
              }
              phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
              accesslist = "permit ip any 192.168.1.0 255.255.255.0";
      }
      ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                          "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Never, for any reason, use aggressive mode with the Fritz!Box or any other VPN client. It is extremely insecure, as it transmits the PSK in clear text.
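As an added example (my own code, not from this page, AVM or IPFire), a small checker that parses the vpncfg syntax shown above and flags the settings this page calls out: a phase 1 mode other than main mode (identity protection), a remoteip that does not match the remoteid, a short PSK, phase 2 without PFS, and payload compression left on. The parser, the audit function, the 20-character PSK threshold and the sample file are all assumptions made for the example.

```python
import re
# Constructed sample in the vpncfg syntax shown on this page (placeholder IPs kept).
GOOD = '''vpncfg {
    connections {
        enabled = yes; name = "Site A"; remoteip = M.N.O.P;
        localid { ipaddr = A.B.C.D; }
        remoteid { ipaddr = M.N.O.P; }
        mode = phase1_mode_idp; keytype = connkeytype_pre_shared;
        key = "a-long-random-pre-shared-key-0123456789";
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}'''
TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,]+')

def parse(text):
    """Parse the brace/semicolon vpncfg syntax into nested dicts (assumed grammar)."""
    toks, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(toks) and toks[pos] != '}':
            key, pos = toks[pos], pos + 1
            if toks[pos] == '{':             # nested block
                pos += 1
                out[key] = block()
                pos += 1                     # consume the closing brace
            else:                            # key = value[, value...];
                pos += 1                     # consume '='
                vals = []
                while toks[pos] != ';':
                    if toks[pos] != ',':
                        vals.append(toks[pos].strip('"'))
                    pos += 1
                pos += 1                     # consume ';'
                out[key] = vals[0] if len(vals) == 1 else vals
        return out
    return block()

def audit(text, min_psk_len=20):
    """List security-relevant problems in the first connection of a vpncfg file."""
    c = parse(text)['vpncfg']['connections']
    p2 = c.get('phase2ss', '').split('/')    # e.g. esp-3des-sha/ah-no/comp-no/pfs
    checks = [
        (c.get('mode') != 'phase1_mode_idp', 'phase 1 not in main (identity protection) mode'),
        (c.get('remoteip') != c.get('remoteid', {}).get('ipaddr'), 'remoteip differs from remoteid'),
        (len(c.get('key', '')) < min_psk_len, 'pre-shared key shorter than %d chars' % min_psk_len),
        ('pfs' not in p2, 'phase 2 without PFS'),
        ('comp-no' not in p2, 'payload compression enabled'),
    ]
    return [msg for bad, msg in checks if bad]
```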

Site B: IPFire

Head over to the IPsec configuration page on the IPFire web user interface and add a new VPN net-to-net connection. Give it a name and fill in the remote IP address as well as the local subnets and the PSK. For the left and right ID use the public IP addresses as you did in the Fritz!Box configuration file. Use "hold" as Dead Peer Detection action and select "IKEv1".

Advanced settings

On the advanced settings page of the connection, uncheck "use payload compression", as this does not work well with the Fritz!Box. Leave the rest as it is.

AES issues with some Fritz!Boxes

Some versions do not work properly when AES is used for encryption. Select 3DES and unselect all AES variants.

3DES works fine and is considered just as secure as AES.

Troubleshooting

  • It appears that 192.168.180.0/24 is not usable with the AVM Fritz!Box, because it is already in use for internal purposes.
  • At least some models do not properly work with AES. Using 3DES for encryption instead works fine.

Compatibility

Model                Status
AVM Fritz!Box 7390   WORKS (can only use 3DES)

TODO

FIXME This guide needs some screenshots.