FritzBox LAN 2 LAN VPN with StrongSwan

There are many instructions available on how to connect your FritzBox to a server via VPN. But since it took me a long time to find a working tutorial myself, here is one more post describing how to set up a FritzBox LAN 2 LAN VPN with StrongSwan (based on the site


  • Register your FritzBox with a DynDNS service (e.g. and find your FritzBox domain name (e.g.
  • Find your FritzBox's private subnet, typically
  • Find (or define) the subnet on the remote site, e.g.
  • Find the hostname of the remote site, e.g.
  • Define a secret secret, e.g. S3cret123! (no, please do not use that, that’s my secret secret!)

Configure your FritzBox

You can configure FritzBox VPN connections via the web interface, but the web interface seems to set some parameters that the remote side does not readily accept. Therefore you have to create the following configuration file locally and import it into your FritzBox (replace the example values):

vpncfg {
  connections {
    enabled = yes;
    editable = no;
    conn_type = conntype_lan;
    name = "";
    boxuser_id = 0;
    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip =;
    local_virtualip =;
    remoteip =;
    remote_virtualip =;
    remotehostname = "";
    keepalive_ip =;
    localid {
      fqdn = "";
    }
    remoteid {
      fqdn = "";
    }
    mode = phase1_mode_idp;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "S3cret123!";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
      ipnet {
        ipaddr =;
        mask =;
      }
    }
    phase2remoteid {
      ipnet {
        ipaddr =;
        mask =;
      }
    }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any";
  }
  ike_forward_rules = "udp", 
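
Before importing the file, it is worth checking that no example value was left in place. The following Python script is an added example, not part of the original post and not AVM code: it parses the vpncfg layout shown above and flags the example or a short pre-shared key, IKEv1 aggressive mode (`phase1_mode_aggressive`, the alternative to the `phase1_mode_idp` main mode used here), a missing `pfs` in `phase2ss`, and empty values. The function names, the 20-character key threshold and the sample values are assumptions made for the illustration.

```python
import re

# Constructed sample in the vpncfg layout shown above; every value is a placeholder.
SAMPLE = '''
vpncfg {
  connections {
    name = "";
    remotehostname = "server.example.net";
    localid {
      fqdn = "box.example.net";
    }
    mode = phase1_mode_aggressive;
    key = "S3cret123!";
    phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
  }
}
'''

# One token is either "name {", "key = value;" or a closing "}".
TOKEN = re.compile(r'(\w+)\s*\{|(\w+)\s*=\s*([^;]*);|(\})')

def parse(text):
    """Flatten a vpncfg file into {"block.sub.key": "value"}."""
    path, out = [], {}
    for block, key, value, close in (m.groups() for m in TOKEN.finditer(text)):
        if block:
            path.append(block)
        elif close:
            path = path[:-1]
        else:
            out[".".join(path + [key])] = value.strip().strip('"')
    return out

def audit(cfg, min_key_len=20):  # min_key_len is an assumed threshold
    """Return findings for the connection block of a parsed vpncfg."""
    c, findings = "vpncfg.connections.", []
    key = cfg.get(c + "key", "")
    if key == "S3cret123!" or len(key) < min_key_len:
        findings.append("key: example or short pre-shared key")
    if cfg.get(c + "mode") == "phase1_mode_aggressive":
        findings.append("mode: aggressive mode exposes a PSK hash to offline guessing")
    if "pfs" not in cfg.get(c + "phase2ss", "").split("/"):
        findings.append("phase2ss: phase 2 without PFS")
    findings += [f"{k}: value not filled in" for k in sorted(cfg) if cfg[k] == ""]
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(finding)
```

An empty result from `audit` only means none of these checks fired; the tunnel parameters still have to match the StrongSwan side.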

Configure StrongSwan


config setup
conn %default

conn fb

/etc/ipsec.secrets:

: PSK "S3cret123!"

Software/Hardware versions

I have successfully connected a FritzBox 7430 as well as a FritzBox 7590 with FritzOS 7.01.

On the server side Ubuntu 18.04 is running with StrongSwan 5.6.2.

I hope you will also successfully set up your FritzBox LAN 2 LAN VPN with StrongSwan! Good luck!

2 thoughts to “FritzBox LAN 2 LAN VPN with StrongSwan”

  1. Hi,
    thank you for this very useful tutorial.
    It took me a while to find out that with the current LibreSwan (probably also StrongSwan) ikev2 is the standard now, so in the ipsec.conf this needs to be forbidden by

    This was also required by my Fritzbox 7530

    Now, the VPN connects but I cannot ping any IP address in the remote net. Do you have any ideas?
    How do I configure the access list that all traffic from one specific client (or one LAN port) is routed through the VPN?
