IPSEC tunnel to FritzBox

I have a RB450 and RB433 connected by an IPSEC tunnel for some time now. Everything is working fine and now I want to setup an IPSEC tunnel from the RB450 to a FritzBox.

The tunnel comes up fine, no errors in the RB or FritzBox logs, but I’m unable to get traffic over the tunnel. NAT rule is in place for the remote subnet and all IPSEC settings match the settings of the tunnel to the other RB (which is running fine).

Tried Main and Aggressive mode, different encryptions, and every time the tunnel comes up fine, but no traffic through the tunnel.

Does anyone have experience with a VPN tunnel to a FritzBox, or know a good way to troubleshoot this?

Please post your IPsec configurations and installed SAs here.

Hi Mischa,

did you ever figure out how to get this to work? Just trying to set up the same and stumbled across your question. I’d appreciate if you would share your success story.

Cheers,
Christian

Hi,

I am also interested in some configuration examples.

Greetings,
markus

Hi,

I have this problem too … anyone with some tips?

Thanks

Please explain to us how you set up your network and router configurations. Without your detailed information, no one can help you on this matter.

I have traffic flowing over my tunnel between a FritzBox 7360 with FritzOS 6.20 and a Mikrotik RB2011UiAS-2HnD with RouterOS 6.27.

I am however having connection issues. Sometimes I can’t connect to any host behind the FritzBox from the Mikrotik side. I am still trying to figure out what is going on.

That being said, my latest config, which seems to be working out pretty well so far, is as follows:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "[Name of the VPN connection in the FritzOS interface]";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "[remote.host.name]";
                localid {
                        fqdn = "[local.host.name]";
                }
                remoteid {
                        fqdn = "[remote.host.name]";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "[supersecretkey]";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 10.0.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.0.20.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 10.0.20.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

This link provides details with regards to the VPN config file for the FritzBox.

In addition, AVM has provided a list of options for both the phase1ss and the phase2ss parameters in the config file.

On the MikroTik side, I’ve used the following setup:

Policy

/ip ipsec policy add action=encrypt disable=no dst-address=10.0.10.0/8 dst-port=any group=default ipsec-protocol=esp level=required proposal=fritzbox sa-dst-address=1.2.3.4 sa-src-address=4.3.2.1 src-address=10.0.20.0/8 src-port=any template=yes tunnel=yes

Peer

/ip ipsec peer add address=1.2.3.4 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=aes-256 exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 port=500 proposal-check=obey secret="[supersecretkey]" send-initial-contact=no

Proposal

/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name="fritzbox" pfs-group=modp1024

Note that I’ve put the FritzBox in charge of creating the connection (“send-initial-contact=no” in the peer setup). It seems that in my case, it works best if I let the FritzBox initiate the connection. If the MikroTik initiates the connection, I run into problems about 30 minutes in (pings start dropping). I haven’t figured out why this happens.
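A small consistency checker for the two halves of the configuration above, added here as an example; it is not code from the thread, from AVM or from MikroTik. It parses the FritzBox vpncfg block (trimmed to the keys the check reads, placeholders kept as posted) and the three RouterOS commands as posted, then compares the phase 2 selectors (FritzBox phase2localid must equal the MikroTik dst-address and phase2remoteid the src-address), the phase 1 exchange mode, the pre-shared key, and the ordering of the phase 2 and phase 1 lifetimes. The RouterOS phase 1 lifetime default of 1d is an assumption, since the posted peer command does not set it. Run on the posted values it reports the /8 prefixes in the policy command against the /24 masks on the FritzBox side; whether that matters in practice depends on the responder's template matching, but it is the first thing to line up when traffic does not flow.

```python
"""Cross-check a FritzBox vpncfg block against RouterOS IPsec commands.
Added example, not code from the thread, AVM or MikroTik."""
import re
import shlex
from ipaddress import ip_network

# FritzBox side, trimmed from the vpncfg block posted above (placeholders kept)
FRITZ_VPNCFG = """
vpncfg {
        connections {
                enabled = yes;
                mode = phase1_mode_aggressive;
                key = "[supersecretkey]";
                use_nat_t = yes;
                phase2localid {
                        ipnet {
                                ipaddr = 10.0.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.0.20.0;
                                mask = 255.255.255.0;
                        }
                }
        }
}
"""

# MikroTik side, the three commands posted above, verbatim
ROUTEROS = """
/ip ipsec policy add action=encrypt disable=no dst-address=10.0.10.0/8 dst-port=any group=default ipsec-protocol=esp level=required proposal=fritzbox sa-dst-address=1.2.3.4 sa-src-address=4.3.2.1 src-address=10.0.20.0/8 src-port=any template=yes tunnel=yes
/ip ipsec peer add address=1.2.3.4 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=aes-256 exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 port=500 proposal-check=obey secret="[supersecretkey]" send-initial-contact=no
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name="fritzbox" pfs-group=modp1024
"""

ROUTEROS_PEER_LIFETIME_DEFAULT = "1d"  # assumption: RouterOS 6 default when the peer sets none


def parse_vpncfg(text):
    """Minimal parser for the brace/semicolon vpncfg syntax -> nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                      # open a nested section
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":                           # close it
            cur = stack.pop()
        elif "=" in line:                           # key = value;
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().rstrip(";").strip().strip('"')
    return root


def parse_routeros(text):
    """'/ip ipsec <kind> add k=v ...' lines -> {kind: {k: v}}; shlex strips the quotes."""
    objs = {}
    for line in text.strip().splitlines():
        words = shlex.split(line)
        objs[words[2]] = dict(w.split("=", 1) for w in words[4:])
    return objs


def seconds(duration):
    """RouterOS duration such as '30m', '1d' or '1h30m' -> seconds."""
    unit = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * unit[u] for n, u in re.findall(r"(\d+)([dhms])", duration))


def check(fritz, ros):
    """Return a list of mismatches between the two ends (empty means consistent)."""
    conn = fritz["vpncfg"]["connections"]
    pol, peer, prop = ros["policy"], ros["peer"], ros["proposal"]
    findings = []
    # Phase 2 selectors are mirrored: FritzBox local net is MikroTik dst-address and vice versa.
    for fkey, rkey in (("phase2localid", "dst-address"), ("phase2remoteid", "src-address")):
        ipnet = conn[fkey]["ipnet"]
        fnet = ip_network(f"{ipnet['ipaddr']}/{ipnet['mask']}", strict=False)
        rnet = ip_network(pol[rkey], strict=False)
        if fnet != rnet:
            findings.append(f"selector mismatch: FritzBox {fkey} {fnet} vs RouterOS {rkey} {rnet}")
    # Phase 1 exchange mode and pre-shared key must agree on both ends.
    if conn["mode"].rsplit("_", 1)[-1] != peer["exchange-mode"]:
        findings.append(f"exchange mode mismatch: {conn['mode']} vs {peer['exchange-mode']}")
    if conn["key"] != peer["secret"]:
        findings.append("pre-shared key differs")
    # Phase 2 (proposal) lifetime should be shorter than the phase 1 (peer) lifetime.
    p1 = seconds(peer.get("lifetime", ROUTEROS_PEER_LIFETIME_DEFAULT))
    p2 = seconds(prop["lifetime"])
    if p2 >= p1:
        findings.append(f"phase 2 lifetime {p2}s is not shorter than phase 1 lifetime {p1}s")
    return findings


if __name__ == "__main__":
    for finding in check(parse_vpncfg(FRITZ_VPNCFG), parse_routeros(ROUTEROS)):
        print("!!", finding)
```

The vpncfg parser only understands the `key = value;` and `section { ... }` forms, which is all the compared keys use; the multi-line `ike_forward_rules` list from the full file is left out of the trimmed input for that reason.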

In my experience, this sometimes happens with IPsec between MikroTik and Cisco/Linksys. I believe the steps below should solve your issue too.

  1. The Phase 2 lifetime should always be less than the Phase 1 lifetime.
  2. Exactly the same phase lifetimes on each router.
  3. Enable Dead-Peer-Detection.
  4. Configure a scheduled ping to the remote side, for example every 5 minutes.

Let me know whether it helps or not.

Hello,

I have been able to run an IPsec VPN between a FritzBox and a MikroTik; see this thread: http://forum.mikrotik.com/t/vpn-ipsec-between-avm-fritzbox-an-mikrotik/65570/1