FritzBox LAN 2 LAN VPN with StrongSwan
There are a lot of instructions available on how to connect your FritzBox to a server via VPN. But since it took me a long time to find a working tutorial myself, here is one more post describing how to set up a FritzBox LAN 2 LAN VPN with StrongSwan (based on https://seffner-schlesier.de/news/ipsec-zwischen-avm-fritzbox-und-strongswan/).
Prerequisites
- Register your FritzBox with a DynDNS service (e.g. https://myfritz.net) and find your FritzBox domain name (e.g. myfb.myfritz.net)
- Find your FritzBox's private subnet, typically 192.168.178.0/24
- Find (or define) the subnet on the remote site, e.g. 192.168.42.0/24
- Find the hostname of the remote site, e.g. remote.example.com
- Define a shared secret (the IPsec pre-shared key), e.g. S3cret123! (no, please do not use that, that's my secret secret!)
Configure your FritzBox
You can configure FritzBox VPN connections via the web interface, but the web interface sets some parameters that the remote side does not easily accept. Therefore, create the following configuration file locally and import it into your FritzBox (replace the example values with your own):
vpncfg {
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "remote.example.com";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.example.com";
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "myfb.myfritz.net";
        }
        remoteid {
            fqdn = "remote.example.com";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "S3cret123!";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.178.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.42.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.42.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Configure StrongSwan
/etc/ipsec.conf:
config setup

conn %default
    left=remote.example.com
    leftsubnet=192.168.42.0/24
    authby=secret
    auto=start

conn fb
    ike=aes256-sha-modp1024
    esp=aes256-sha1-modp1024
    right=myfb.myfritz.net
    rightid=@myfb.myfritz.net
    rightsubnet=192.168.178.0/24
    ikelifetime=3600s
    keylife=3600s
/etc/ipsec.secrets:
@remote.example.com @myfb.myfritz.net : PSK "S3cret123!"
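Most failures with this setup come from the two sides not agreeing on identities, subnets or the PSK. As an added example (not part of the original post or of StrongSwan), here is a small Python check that reads the FritzBox vpncfg, ipsec.conf and ipsec.secrets and reports every value that differs between the two sides; the helper names are mine, and the embedded excerpts are constructed from the tutorial's example values.

```python
import ipaddress
import re
# Constructed excerpts with the tutorial's example values; the real files are longer.
VPNCFG = '''vpncfg { connections {
  localid { fqdn = "myfb.myfritz.net"; }
  remoteid { fqdn = "remote.example.com"; }
  keytype = connkeytype_pre_shared; key = "S3cret123!";
  phase2localid { ipnet { ipaddr = 192.168.178.0; mask = 255.255.255.0; } }
  phase2remoteid { ipnet { ipaddr = 192.168.42.0; mask = 255.255.255.0; } }
} }'''
IPSEC_CONF = '''conn %default
  left=remote.example.com
  leftsubnet=192.168.42.0/24
conn fb
  right=myfb.myfritz.net
  rightid=@myfb.myfritz.net
  rightsubnet=192.168.178.0/24'''
IPSEC_SECRETS = '@remote.example.com @myfb.myfritz.net : PSK "S3cret123!"'

def fritz_params(text):  # identities, subnets and PSK from the FritzBox vpncfg
    fqdns = re.findall(r'fqdn\s*=\s*"([^"]+)"', text)  # localid first, then remoteid
    nets = re.findall(r'ipaddr\s*=\s*([\d.]+);\s*mask\s*=\s*([\d.]+)', text)
    psk = re.search(r'\bkey\s*=\s*"([^"]*)"', text).group(1)
    return {"localid": fqdns[0], "remoteid": fqdns[1], "psk": psk,
            "localnet": ipaddress.ip_network(f"{nets[0][0]}/{nets[0][1]}"),
            "remotenet": ipaddress.ip_network(f"{nets[1][0]}/{nets[1][1]}")}

def swan_params(conf, secrets):  # key=value lines of ipsec.conf plus the PSK line
    opts = dict(line.strip().split("=", 1) for line in conf.splitlines() if "=" in line)
    m = re.search(r'^\s*((?:@\S+\s*)+):\s*PSK\s*"([^"]*)"', secrets, re.M)
    return {"left": opts["left"], "rightid": opts["rightid"].lstrip("@"),
            "leftsubnet": ipaddress.ip_network(opts["leftsubnet"]),
            "rightsubnet": ipaddress.ip_network(opts["rightsubnet"]),
            "psk_ids": set(re.findall(r"@(\S+)", m.group(1))), "psk": m.group(2)}

def check_consistency(vpncfg, conf, secrets):  # list of mismatches between the two sides
    fb, sw = fritz_params(vpncfg), swan_params(conf, secrets)
    findings = []
    def expect(what, fb_value, sw_value):
        if fb_value != sw_value:
            findings.append(f"{what}: FritzBox has {fb_value}, strongSwan has {sw_value}")
    # The FritzBox LAN is strongSwan's "right" side; the server LAN is its "left" side.
    expect("FritzBox LAN vs rightsubnet", fb["localnet"], sw["rightsubnet"])
    expect("remote LAN vs leftsubnet", fb["remotenet"], sw["leftsubnet"])
    expect("localid vs rightid", fb["localid"], sw["rightid"])
    expect("remoteid vs left", fb["remoteid"], sw["left"])
    expect("PSK", fb["psk"], sw["psk"])
    if not {fb["localid"], fb["remoteid"]} <= sw["psk_ids"]:
        findings.append("ipsec.secrets does not list both peer identities")
    return findings
```

The check covers identities, subnets and the PSK only and says nothing about proposal strength; note that modp1024 in the ike/esp lines above is 1024-bit Diffie-Hellman, which current guidance no longer regards as strong.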
Software/Hardware versions
I have successfully connected a FritzBox 7430 as well as a FritzBox 7590 with FritzOS 7.01.
On the server side, Ubuntu 18.04 with StrongSwan 5.6.2 is running.
I hope you will also successfully set up your FritzBox LAN 2 LAN VPN with StrongSwan! Good luck!
2 COMMENTS
Hi,
thank you for this very useful tutorial.
It took me a while to find out that with the current LibreSwan (probably also StrongSwan) ikev2 is the standard now, so in the ipsec.conf this needs to be forbidden by
ikev2=no
This was also required by my Fritzbox 7530
compress=yes
Now, the VPN connects but I cannot ping any IP address in the remote net. Do you have any ideas?
How do I configure the access list that all traffic from one specific client (or one LAN port) is routed through the VPN?
Andreas
Hi and thank you for reporting your findings! Actually, I don’t have any idea. Currently, I’m using a pfSense Appliance for the remote part (see https://mlohr.com/fritzbox-lan-2-lan-vpn-with-pfsense/), not manually configured StrongSwan/LibreSwan anymore. Maybe you can extract useful information there to get it running. I would be glad to hear about your findings again!
Best regards
Matthias