FritzBox LAN 2 LAN VPN with StrongSwan
19.01.2019
There are plenty of instructions on how to connect a FritzBox to a server via VPN, but it took me a long time to find one that actually works, so here is another post describing how to set up a FritzBox LAN 2 LAN VPN with StrongSwan (based on https://seffner-schlesier.de/news/ipsec-zwischen-avm-fritzbox-und-strongswan/).
Prerequisites
- Register your FritzBox with a DynDNS service (e.g. https://myfritz.net) and note its domain name (e.g. myfb.myfritz.net)
- Find the private subnet of your FritzBox, typically 192.168.178.0/24
- Find (or define) the subnet on the remote site, e.g. 192.168.42.0/24
- Find the hostname of the remote site, e.g. remote.example.com
- Define a pre-shared key (PSK), e.g. S3cret123! (no, please do not use that one, it is the example key from this post; generate a long random key of your own, since the PSK is the only thing authenticating both ends of the tunnel)
Configure your FritzBox
You can configure FritzBox VPN connections via the web interface, but it sets some parameters that the StrongSwan side does not readily accept. Therefore, create the following configuration file locally and import it into your FritzBox (replace the example values). Three things in it have to match the StrongSwan side exactly: the two FQDN identities (localid/remoteid), the two subnets (phase2localid/phase2remoteid plus the accesslist), and the PSK (key). phase1ss = "all/all/all" lets the FritzBox accept any IKE proposal, so the algorithms actually used are the ones StrongSwan proposes:
vpncfg {
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "remote.example.com";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.example.com";
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "myfb.myfritz.net";
        }
        remoteid {
            fqdn = "remote.example.com";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "S3cret123!";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.178.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.42.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.42.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Configure StrongSwan
/etc/ipsec.conf (left is the StrongSwan server, right is the FritzBox; leftid has to equal remoteid.fqdn and rightid has to equal localid.fqdn from the FritzBox file):
config setup

conn %default
        left=remote.example.com
        # send the FQDN identity the FritzBox expects in remoteid
        leftid=@remote.example.com
        leftsubnet=192.168.42.0/24
        authby=secret
        auto=start
        # the FritzBox configuration above is IKEv1 (phase 1/phase 2); with the
        # default keyexchange=ike StrongSwan would initiate with IKEv2, so pin it
        keyexchange=ikev1

conn fb
        # sha is an alias for sha1; modp1024 (DH group 2) and SHA-1 are weak by
        # today's standards, try modp2048 and sha256 first and only fall back to
        # these if the FritzBox rejects the proposal
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        right=myfb.myfritz.net
        rightid=@myfb.myfritz.net
        rightsubnet=192.168.178.0/24
        ikelifetime=3600s
        keylife=3600s
/etc/ipsec.secrets (this file holds the PSK in clear text, so keep it readable by root only, e.g. chmod 600):
@remote.example.com @myfb.myfritz.net : PSK "S3cret123!"
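Since the FritzBox file and the two StrongSwan files repeat the same identities, subnets and PSK, the easiest way to keep them consistent is to generate all three from one parameter set. The following script is an added example and not code from the original post, AVM or the StrongSwan project: it reproduces the vpncfg directives of the file above, adds the leftid and keyexchange=ikev1 lines, generates a random PSK, and refuses overlapping subnets, identical identities and short or unquotable keys. The hostnames and subnets are the placeholders used in this post; the helper names and the PSK rules are assumptions of this example.

```python
# Added example (not from the original post, AVM or strongSwan): emit the
# FritzBox vpncfg and the strongSwan ipsec.conf/ipsec.secrets from ONE
# parameter set, so the values that must agree on both ends (FQDN identities,
# subnets, PSK) cannot drift apart. The vpncfg directives mirror the post's
# file; leftid=, keyexchange=ikev1 and the PSK checks are this example's own.
import ipaddress
import secrets


def generate_psk(nbytes=32):
    """Random URL-safe PSK; 32 bytes = 256 bits of entropy (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def validate(fritz_fqdn, server_fqdn, fritz_subnet, server_subnet, psk):
    """Reject parameter sets that cannot give a working or a safe tunnel."""
    fb = ipaddress.ip_network(fritz_subnet, strict=True)
    srv = ipaddress.ip_network(server_subnet, strict=True)
    if fb.overlaps(srv):
        raise ValueError(f"subnets overlap: {fb} and {srv}")
    if fritz_fqdn == server_fqdn:
        raise ValueError("both peers need distinct FQDN identities")
    # both config formats put the PSK inside double quotes
    if len(psk) < 20 or any(c in psk for c in '"\\'):
        raise ValueError("PSK too short or contains a quote/backslash")
    return fb, srv


def fritzbox_vpncfg(fritz_fqdn, server_fqdn, fritz_subnet, server_subnet, psk):
    fb, srv = validate(fritz_fqdn, server_fqdn, fritz_subnet, server_subnet, psk)
    # localid = the FritzBox itself, remoteid = the strongSwan server
    return f"""vpncfg {{
    connections {{
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "{server_fqdn}";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "{server_fqdn}";
        keepalive_ip = 0.0.0.0;
        localid {{ fqdn = "{fritz_fqdn}"; }}
        remoteid {{ fqdn = "{server_fqdn}"; }}
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "{psk}";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {{ ipnet {{ ipaddr = {fb.network_address}; mask = {fb.netmask}; }} }}
        phase2remoteid {{ ipnet {{ ipaddr = {srv.network_address}; mask = {srv.netmask}; }} }}
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any {srv.network_address} {srv.netmask}";
    }}
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}}
"""


def strongswan_conf(fritz_fqdn, server_fqdn, fritz_subnet, server_subnet, psk):
    fb, srv = validate(fritz_fqdn, server_fqdn, fritz_subnet, server_subnet, psk)
    # left = this server (leftid matches remoteid.fqdn on the FritzBox),
    # right = the FritzBox (rightid matches its localid.fqdn)
    return f"""config setup

conn %default
        left={server_fqdn}
        leftid=@{server_fqdn}
        leftsubnet={srv.with_prefixlen}
        authby=secret
        auto=start
        keyexchange=ikev1

conn fb
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        right={fritz_fqdn}
        rightid=@{fritz_fqdn}
        rightsubnet={fb.with_prefixlen}
        ikelifetime=3600s
        keylife=3600s
"""


def strongswan_secrets(fritz_fqdn, server_fqdn, psk):
    return f'@{server_fqdn} @{fritz_fqdn} : PSK "{psk}"\n'


if __name__ == "__main__":
    a = ("myfb.myfritz.net", "remote.example.com",
         "192.168.178.0/24", "192.168.42.0/24", generate_psk())
    print(fritzbox_vpncfg(*a), strongswan_conf(*a), strongswan_secrets(a[0], a[1], a[4]))
```

Run it once, import the first output into the FritzBox and copy the other two into /etc/ipsec.conf and /etc/ipsec.secrets; because all three come from the same call, a typo in an identity or subnet shows up as a validation error instead of as a silently failing phase 2 negotiation.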
Software/Hardware versions
I have successfully connected a FritzBox 7430 as well as a FritzBox 7590 with FritzOS 7.01.
On the server side Ubuntu 18.04 is running with StrongSwan 5.6.2.
I hope you will also successfully set up your FritzBox LAN 2 LAN VPN with StrongSwan! Good luck!