FRITZ!Box VPN to FreeBSD
29/01/15 21:33 Filed in: Systems Administration
I recently acquired a FRITZ!Box 7272 with the aim to replace my m0nowall firewall and ADSL router. The original idea was to simplify and hence improve my IPv6 connection to Internode and use the FRITZ!Box’s phone and Fax services on my fixed line. The catch is that I run a permanent LAN to LAN VPN connection between my house and the farm … and the FRITZ!Box was going to have to do this.
After following many how to articles on the Internet with limited success here is my solution … slightly anonymised.
Also note that in this example:
It should be noted that both sites have permanent public IP addresses and public DNS names.
vpn.cfg uploaded to FRITZ!Box
psk.txt installed on the FreeBSD box
racoon.conf installed on the FreeBSD box
spd.conf installed on the FreeBSD box
Where, in this example:
- A.B.C.D the IP address of FreeBSD box running Racoon
- fbsd.example.org the DNS name of the FreeBSD box running Racoon
- E.F.G.H the IP address of the FRITZ!Box
- fritz.example.org the DNS name of the FRITZ!Box
- TunnelName is the name of the interconnection
- SecretPassword is the shared secret
Also note that in this example:
- The FRITZ!Box’s local network is 10.100.0.0/24
- The FreeBSD server’s local network is 10.101.0.0/24
It should be noted that both sites have permanent public IP addresses and public DNS names.
vpncfg {
connections {
enabled = yes;
editable = no;
conn_type = conntype_lan;
name = "TunnelName";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "fritz.example.org";
localid {
fqdn = “fritz.example.org”;
}
remoteid {
fqdn = “fbsd.example.org”;
}
mode = phase1_mode_aggressive;
phase1ss = "alt/all/all";
keytype = connkeytype_pre_shared;
key = "SecretPassword";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 10.100.0.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.101.0.1;
mask = 255.255.255.0;
}
}
phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
accesslist = "permit ip any 10.101.0.0 255.255.255.0";
}
}
A.B.C.D SecretPassword
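# racoon.conf (FreeBSD side): IKEv1 peer definition for the FRITZ!Box tunnel.
# The comments refer to the vpn.cfg, psk.txt and spd.conf listings on this page.

# Pre-shared keys, one "<peer-id> <secret>" per line (see psk.txt above).
# NOTE(review): racoon's documentation requires this file to be owned by the
# user racoon runs as and not readable by others (mode 0600) — check the mode
# after installing psk.txt.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# The IKE peer. In this file, in psk.txt and in spd.conf, A.B.C.D is the remote
# end (the FRITZ!Box) and E.F.G.H the local end — the reverse of the page's
# placeholder legend. The three configs agree with each other, so read the
# legend's two address lines as swapped.
remote A.B.C.D {
	# Matches "mode = phase1_mode_aggressive" in vpn.cfg.
	# NOTE(review): aggressive mode with a pre-shared key exposes the identity
	# hash to offline guessing; use a long random secret, and prefer main mode
	# if the FRITZ!Box accepts it.
	exchange_mode aggressive;
	# Must equal remoteid.fqdn in vpn.cfg (it does). vpn.cfg's remotehostname
	# is "fritz.example.org", which looks like it should name this host
	# instead — verify before deploying.
	# Straight quotes here: the page's listing carried typographic quotes,
	# which racoon's parser does not accept.
	my_identifier fqdn "fbsd.example.org";
	ike_frag on;
	initial_contact on;
	# Phase 1 proposal; the FRITZ!Box side accepts anything ("alt/all/all").
	# NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices;
	# if the FRITZ!Box negotiates AES and a larger group, prefer them.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

# Phase 2 (IPsec SA) selectors: local 10.101.0.1/24 <-> remote 10.100.0.0/24,
# mirroring phase2localid/phase2remoteid in vpn.cfg and the spdadd lines below.
sainfo address 10.101.0.1/24 any address 10.100.0.0/24 any {
	# Offered in this order; vpn.cfg's phase2ss lists aes256 before 3des.
	encryption_algorithm 3des,aes 256;
	# NOTE(review): hmac_md5 is only a fallback here; vpn.cfg's phase2ss
	# names "sha", so dropping hmac_md5 should cost nothing.
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 3600 secs;
}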
# spd.conf (FreeBSD side), loaded with setkey(8): security policies for the
# tunnel. Same placeholders as racoon.conf: A.B.C.D is the remote end
# (the FRITZ!Box) and E.F.G.H the local end — the reverse of the page's legend.

# Exempt 10.100.0.1 <-> 10.100.0.0/24 from IPsec in both directions.
# NOTE(review): 10.100.0.1 lies in the FRITZ!Box's LAN; why this host is
# bypassed on the FreeBSD side is not explained on the page — confirm it is
# intended, since traffic matching these two rules is not protected.
spdadd 10.100.0.1/32 10.100.0.0/24 any -P in none;
spdadd 10.100.0.0/24 10.100.0.1/32 any -P out none;
# Tunnel everything between the two LANs. The selector 10.101.0.1/24 mirrors
# the sainfo line in racoon.conf and phase2remoteid in vpn.cfg; "unique" ties
# the negotiated SAs to this policy.
spdadd 10.101.0.1/24 10.100.0.0/24 any -P out ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
spdadd 10.100.0.0/24 10.101.0.1/24 any -P in ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;