
I spent hours surfing the web looking for a working solution to connect my IPFIRE with a FritzBox in another country.

The following solution is working so far, but I still have not got a reliable VoIP connection, so this should be seen as a good starting point at least.

In this example I use two public hostnames (DynDNS, No-IP, ...), which of course have to be different, because both sides identify each other by FQDN:

IPFIRE: HOSTNAME-A

FritzBox: HOSTNAME-B

Behind the IPFIRE the subnet is 192.168.0.0/255.255.255.0, behind the FritzBox it's 192.168.10.0/255.255.255.0; the two subnets must not overlap. For a secure connection, a long random pre-shared key has to be used: the connection runs IKEv1 with PSK authentication, where an eavesdropper who captures the handshake can run an offline dictionary attack against a weak key. The key is represented below by the string PRESHAREDKEY.


Upload this VPN configuration to your FritzBox after modifying it for your own scenario:

/*
 * BLABLABLA COMMENTARY
 * Fri Mar 29 23:18:49 2013
 */

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "HOSTNAME-A";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "HOSTNAME-A";
                localid {
                        fqdn = "HOSTNAME-B";
                }
                remoteid {
                        fqdn = "HOSTNAME-A";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "PRESHAREDKEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.0.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF


The following file goes on your IPFIRE as /var/ipfire/vpn/ipsec.conf (replace the existing one, or merge the conn section into it if you want to keep more than one IPsec connection):

version 2

config setup
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0"

conn %default
    keyingtries=%forever

include /etc/ipsec.user.conf

# "left" is this IPFIRE, "right" is the FritzBox. The FritzBox file above is the
# mirror image: its localid/phase2localid are rightid/rightsubnet here and its
# remoteid/phase2remoteid are leftid/leftsubnet.
conn SAMMELBUDE
    aggressive=yes
    left=HOSTNAME-A
    leftsubnet=192.168.0.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=HOSTNAME-B
    rightsubnet=192.168.10.0/24
    rightallowany=yes
    # FQDN identities; the leading @ tells strongSwan not to resolve them via DNS
    leftid="@HOSTNAME-A"
    rightid="@HOSTNAME-B"
    # Proposals the FritzBox accepts (phase1ss "all/all/all" above). SHA-1 and
    # modp1024 (DH group 2) are weak by today's standards; pick stronger ones if
    # your FRITZ!OS offers them. The DH group in esp= is the PFS group and matches
    # the "pfs" in the FritzBox's phase2ss.
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
    keyexchange=ikev1
    ikelifetime=1h
    keylife=8h
    # matches comp-all on the FritzBox
    compress=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=none
    # pre-shared key, taken from ipsec.secrets
    authby=secret
    auto=start

Do NOT edit this VPN connection through the IPFIRE web interface afterwards: the GUI regenerates ipsec.conf and will overwrite your hand-written file.

After that, put the pre-shared key into the ipsec.secrets file in the same directory; the two identities on the PSK line must be exactly the leftid and rightid from ipsec.conf:

include /etc/ipsec.user.secrets
@HOSTNAME-A @HOSTNAME-B : PSK 'PRESHAREDKEY'

Finally, this command restarts strongSwan and, because of auto=start, should bring up the VPN connection between the IPFIRE's and the FritzBox's subnets:

/etc/init.d/ipsec restart
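Most tunnels that refuse to come up in this kind of setup fail because the two configurations do not mirror each other: swapped subnets, an ID without the leading @, or a PSK that differs between the FritzBox and ipsec.secrets. The script below is an added example, not part of the original post and not IPFire's or AVM's code. It parses only the subset of the FRITZ!Box vpncfg format and of ipsec.conf/ipsec.secrets used above and reports every mismatch, plus a PSK that is too short to survive an offline attack on IKEv1 aggressive mode. The embedded sample texts are constructed, condensed copies of the configs above with a made-up key; the function names and the 20-character threshold are my own choices.

```python
"""Cross-check a FRITZ!Box vpncfg against IPFire's ipsec.conf and ipsec.secrets.
Added example, not part of the original post: the parsers cover only the subset of the
two formats used above, and the sample texts are constructed, condensed copies of them."""
import ipaddress
import re

def parse_vpncfg(text):
    """Pull the values we compare out of a FRITZ!Box 'vpncfg { connections {...} }'."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    def scalar(key):  # key = value;  or  key = "value";
        m = re.search(r'\b%s\s*=\s*"?([^";]+)"?\s*;' % re.escape(key), text)
        return m.group(1).strip() if m else None
    def fqdn(section):  # localid { fqdn = "..."; }
        m = re.search(r'\b%s\s*\{\s*fqdn\s*=\s*"([^"]*)"' % section, text)
        return m.group(1) if m else None
    def net(section):  # phase2localid { ipnet { ipaddr = ...; mask = ...; } }
        m = re.search(r"\b%s\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+)\s*;\s*mask\s*=\s*([\d.]+)\s*;" % section, text)
        return ipaddress.ip_network("%s/%s" % m.groups(), strict=False) if m else None
    return {"key": scalar("key"), "localid": fqdn("localid"), "remoteid": fqdn("remoteid"),
            "localnet": net("phase2localid"), "remotenet": net("phase2remoteid")}

def parse_ipsec_conf(text, conn):  # -> dict of the key=value lines in 'conn <conn>'
    settings, current = {}, None
    for line in text.splitlines():
        code = line.split("#", 1)[0].rstrip()
        if not code.strip():
            continue
        if not code[0].isspace():  # unindented: 'conn X', 'config setup', 'include ...'
            parts = code.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
        elif current == conn and "=" in code:
            k, v = code.strip().split("=", 1)
            settings[k.strip()] = v.strip().strip('"')
    return settings

def parse_secrets(text):  # -> {frozenset({idA, idB}): psk} from 'idA idB : PSK "secret"' lines
    out = {}
    for line in text.splitlines():
        m = re.match(r"""\s*(\S+)\s+(\S+)\s*:\s*PSK\s+['"](.*)['"]\s*$""", line)
        if m:
            out[frozenset(m.group(1, 2))] = m.group(3)
    return out

def check(vpncfg_text, ipsec_conf_text, secrets_text, conn):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    box, sw = parse_vpncfg(vpncfg_text), parse_ipsec_conf(ipsec_conf_text, conn)
    psk = parse_secrets(secrets_text)
    bare = lambda i: i[1:] if i and i.startswith("@") else i  # strongSwan writes FQDN ids as @name
    cidr = lambda key: ipaddress.ip_network(sw.get(key, "0.0.0.0/32"), strict=False)
    problems = []
    # Identities and subnets are crossed: IPFire's 'left' is what the box calls 'remote'.
    if bare(sw.get("leftid")) != box["remoteid"]:
        problems.append("leftid %r vs FRITZ!Box remoteid %r" % (sw.get("leftid"), box["remoteid"]))
    if bare(sw.get("rightid")) != box["localid"]:
        problems.append("rightid %r vs FRITZ!Box localid %r" % (sw.get("rightid"), box["localid"]))
    if cidr("leftsubnet") != box["remotenet"]:
        problems.append("leftsubnet %r vs FRITZ!Box phase2remoteid %s" % (sw.get("leftsubnet"), box["remotenet"]))
    if cidr("rightsubnet") != box["localnet"]:
        problems.append("rightsubnet %r vs FRITZ!Box phase2localid %s" % (sw.get("rightsubnet"), box["localnet"]))
    # ipsec.secrets must hold exactly the box's key for this id pair, selected by authby=secret.
    if sw.get("authby") != "secret" or psk.get(frozenset((sw.get("leftid"), sw.get("rightid")))) != box["key"]:
        problems.append("no PSK in ipsec.secrets for %r/%r equal to the FRITZ!Box key" % (sw.get("leftid"), sw.get("rightid")))
    # IKEv1 aggressive mode hands an eavesdropper a hash to brute-force the PSK offline: reject short keys.
    if box["key"] is not None and len(box["key"]) < 20:
        problems.append("PSK is only %d characters long" % len(box["key"]))
    return problems

# Constructed samples, condensed from the configs in the post above; the key value is made up.
SAMPLE_PSK = "kX7v9pQ2mL4nR8sT1wY5zB3cF6hJ0dGq"
FRITZ_VPNCFG = """\
vpncfg {
        connections {
                localid { fqdn = "HOSTNAME-B"; }
                remoteid { fqdn = "HOSTNAME-A"; }
                key = "%s";
                phase2localid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }
                phase2remoteid { ipnet { ipaddr = 192.168.0.0; mask = 255.255.255.0; } }
        }
}
""" % SAMPLE_PSK
IPSEC_CONF = """\
conn SAMMELBUDE
    left=HOSTNAME-A
    leftsubnet=192.168.0.0/24
    right=HOSTNAME-B
    rightsubnet=192.168.10.0/24
    leftid="@HOSTNAME-A"
    rightid="@HOSTNAME-B"
    authby=secret
    auto=start
"""
IPSEC_SECRETS = "include /etc/ipsec.user.secrets\n@HOSTNAME-A @HOSTNAME-B : PSK '%s'\n" % SAMPLE_PSK

if __name__ == "__main__":
    print("\n".join(check(FRITZ_VPNCFG, IPSEC_CONF, IPSEC_SECRETS, "SAMMELBUDE") or ["OK: both sides agree"]))
```

Run as-is it checks the embedded samples; to check a live system, pass the text of the file you uploaded to the FritzBox together with open('/var/ipfire/vpn/ipsec.conf').read() and open('/var/ipfire/vpn/ipsec.secrets').read(). Every finding it prints is something to fix before (re)starting ipsec; an empty result only means the two sides are consistent, not that the tunnel will come up, since proposals, DNS and the firewall are not checked.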


This configuration example has been verified to work with IPFIRE core 67, a FritzBox 7390 running FRITZ!OS 05.50, and StrongSwan 5.0.3RC1 or higher on the IPFIRE (strongSwan has to be updated manually; the version shipped with that core does not work).

Other FritzBoxes should work as well. If you don't get any connection at all, check your IPFIRE's firewall: UDP ports 500 (IKE) and 4500 (NAT-T) must be reachable from the FritzBox. On the IPFIRE, ipsec statusall shows whether the IKE SA reached ESTABLISHED and the CHILD_SA is INSTALLED.