Listed on


I recently acquired a FRITZ!Box 7272 with the aim to replace my m0nowall firewall and ADSL router. The original idea was to simplify and hence improve my IPv6 connection to Internode and use the FRITZ!Box’s phone and Fax services on my fixed line. The catch is that I run a permanent LAN to LAN VPN connection between my house and the farm … and the FRITZ!Box was going to have to do this.
After following many how to articles on the Internet with limited success here is my solution … slightly anonymised.

  • A.B.C.D the IP address of FreeBSD box running Racoon
  • the DNS name of the FreeBSD box running Racoon
  • E.F.G.H the IP address of the FRITZ!Box
  • the DNS name of the FRITZ!Box
  • TunnelName is the name of the interconnection
  • SecretPassword is the shared secret

Also note that in this example:

  • The FRITZ!Box’s local network is
  • The FreeBSD server’s local network is

It should be noted that both sites have permanent public IP addresses and public DNS names.

vpn.cfg uploaded to FRITZ!Box

vpncfg {
connections {
enabled = yes;
editable = no;
conn_type = conntype_lan;
name = “TunnelName”;
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip =;
local_virtualip =;
remoteip =;
remote_virtualip =;
remotehostname = “””;
localid {
fqdn = “”;
remoteid {
fqdn = “”;
mode = phase1_mode_aggressive;
phase1ss = "alt/all/all";
keytype = connkeytype_pre_shared;
key = “SecretPassword”;
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr =;
mask =;
phase2remoteid {
ipnet {
ipaddr =;
mask =;
phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
accesslist = "permit ip any”;

psk.txt installed on the FreeBSD box

A.B.C.D SecretPassword

racoon.conf installed on the FreeBSD box

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote A.B.C.D {
exchange_mode aggressive;
my_identifier fqdn “”;
ike_frag on;
initial_contact on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 28800 secs;

lifetime time 28800 secs;

sainfo address any address any {
encryption_algorithm 3des,aes 256;
authentication_algorithm hmac_sha1,hmac_md5;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;

spd.conf installed on the FreeBSD box:

spdadd any -P in none;
spdadd any -P out none;
spdadd any -P out ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
spdadd any -P in ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;