FRITZ!Box VPN to FreeBSD

I recently acquired a FRITZ!Box 7272 with the aim of replacing my m0n0wall firewall and ADSL router. The original idea was to simplify, and hence improve, my IPv6 connection to Internode and to use the FRITZ!Box's phone and fax services on my fixed line. The catch is that I run a permanent LAN-to-LAN VPN connection between my house and the farm … and the FRITZ!Box was going to have to do this.
After following many how-to articles on the Internet with limited success, here is my solution … slightly anonymised.


  • A.B.C.D the public IP address of the FRITZ!Box
  • fritz.example.org the DNS name of the FRITZ!Box
  • E.F.G.H the public IP address of the FreeBSD box running racoon
  • fbsd.example.org the DNS name of the FreeBSD box running racoon
  • TunnelName is the name given to the VPN connection on the FRITZ!Box
  • SecretPassword is the IKE pre-shared key


Also note that in this example:


  • The FRITZ!Box’s local network is 10.100.0.0/24
  • The FreeBSD server’s local network is 10.101.0.0/24


It should be noted that both sites have permanent public IP addresses and public DNS names. The phase 2 selectors (phase2localid and phase2remoteid on the FRITZ!Box; the sainfo and spdadd entries on FreeBSD) must describe the same two networks on both sides, written the same way, because racoon looks the FRITZ!Box's proposed phase 2 IDs up against its own policies as written. This example writes the FreeBSD side as 10.101.0.1/24 rather than 10.101.0.0/24; it works because the same form appears in all three places, so if you change it, change it everywhere.

vpn.cfg uploaded to the FRITZ!Box (remotehostname is the name of the peer, i.e. the FreeBSD box; always_renew = yes keeps the tunnel up permanently instead of bringing it up on demand)

vpncfg {
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "TunnelName";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "fbsd.example.org";
        localid {
            fqdn = "fritz.example.org";
        }
        remoteid {
            fqdn = "fbsd.example.org";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "alt/all/all";
        keytype = connkeytype_pre_shared;
        key = "SecretPassword";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 10.100.0.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.101.0.1;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        accesslist = "permit ip any 10.101.0.0 255.255.255.0";
    }
}


psk.txt installed on the FreeBSD box (keyed by the FRITZ!Box's public address; in aggressive mode racoon first looks the key up under the identifier the FRITZ!Box sends, fritz.example.org, and then under its address, so either works as the key. The file must be mode 0600, or racoon refuses to use it)

A.B.C.D SecretPassword


racoon.conf installed on the FreeBSD box (as written, the remote block accepts whatever identifier A.B.C.D sends; adding peers_identifier fqdn "fritz.example.org"; and verify_identifier on; to it makes racoon check that the FRITZ!Box presents the localid configured above)

# Pre-shared keys, looked up by the peer's identifier or address.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: the FRITZ!Box at A.B.C.D, aggressive mode with FQDN identifiers.
remote A.B.C.D {
    exchange_mode aggressive;
    my_identifier fqdn "fbsd.example.org";
    ike_frag on;
    initial_contact on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }

    lifetime time 28800 secs;
}

# Phase 2: the selectors mirror the FRITZ!Box's phase2remoteid and
# phase2localid exactly (our network first, then the FRITZ!Box's).
sainfo address 10.101.0.1/24 any address 10.100.0.0/24 any {
    encryption_algorithm 3des,aes 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 3600 secs;
}


spd.conf installed on the FreeBSD box (loaded with setkey -f, for example via ipsec_enable="YES" and ipsec_file in /etc/rc.conf):

# Plain (non-IPsec) policies for traffic between 10.100.0.1 and the FRITZ!Box LAN.
spdadd 10.100.0.1/32 10.100.0.0/24 any -P in none;
spdadd 10.100.0.0/24 10.100.0.1/32 any -P out none;
# Tunnel policies: outbound runs from our public address E.F.G.H to the
# FRITZ!Box at A.B.C.D, inbound is the mirror image; "unique" gives this
# policy its own SA pair. The selectors match the sainfo entry in racoon.conf.
spdadd 10.101.0.1/24 10.100.0.0/24 any -P out ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
spdadd 10.100.0.0/24 10.101.0.1/24 any -P in ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
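The direction of the tunnel endpoints in the spdadd lines and the exact form of the phase 2 selectors are where this setup most often goes wrong. As an added example, not part of the original post, the following POSIX shell script generates the FreeBSD spd.conf tunnel policies and the racoon sainfo entry from four parameters, so both sides of the policy are derived from one definition, and checks that a FRITZ!Box phase2 ipnet entry (ipaddr plus dotted mask, as in vpn.cfg) names the same network as the FreeBSD selector. The function names and the canonical 10.101.0.0/24 (rather than the post's 10.101.0.1/24) are my choices; is_network flags the post's form, which only works because it is written identically on both sides.

```sh
#!/bin/sh
# Added example, not from the original post: derive the FreeBSD side of the
# LAN-to-LAN policy from four parameters so the tunnel endpoints and selectors
# cannot be written in opposite directions, and check that the FRITZ!Box's
# phase2remoteid (ipaddr + dotted mask) names the same network.
# The addresses are the post's placeholders; substitute real ones.

LOCAL_PUB="E.F.G.H"        # public address of the FreeBSD box running racoon
REMOTE_PUB="A.B.C.D"       # public address of the FRITZ!Box
LOCAL_NET="10.101.0.0/24"  # LAN behind FreeBSD (the post writes 10.101.0.1/24)
REMOTE_NET="10.100.0.0/24" # LAN behind the FRITZ!Box

# Dotted quad to 32-bit integer, printed on stdout.
ip2int() {
    _oifs=$IFS; IFS=.; set -- $1; IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as integer) for a prefix length.
len2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# True when addr/len has no host bits set (10.101.0.0/24 yes, 10.101.0.1/24 no).
is_network() {
    _a=$(ip2int "${1%/*}")
    _m=$(len2mask "${1#*/}")
    [ $(( _a & _m )) -eq "$_a" ]
}

# True when ipaddr + dotted mask (vpn.cfg form) and addr/len (racoon/setkey
# form) describe the same network with the same mask.
same_subnet() {
    _m1=$(ip2int "$2")
    _m2=$(len2mask "${3#*/}")
    [ "$_m1" -eq "$_m2" ] || return 1
    [ $(( $(ip2int "$1") & _m1 )) -eq $(( $(ip2int "${3%/*}") & _m2 )) ]
}

# The two spdadd tunnel policies. Outbound traffic leaves our LAN for the
# FRITZ!Box LAN, so its tunnel endpoints are local-remote; inbound mirrors it.
# Arguments: local_pub remote_pub local_net remote_net
gen_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' "$4" "$3" "$2" "$1"
}

# The matching racoon sainfo entry: local selector first, then remote.
gen_sainfo() {
    printf 'sainfo address %s any address %s any {\n' "$1" "$2"
    printf '    encryption_algorithm aes 256,3des;\n'
    printf '    authentication_algorithm hmac_sha1;\n'
    printf '    pfs_group 2;\n    lifetime time 3600 secs;\n}\n'
}

# Stand-alone run: emit both fragments and check the FRITZ!Box side.
gen_spd "$LOCAL_PUB" "$REMOTE_PUB" "$LOCAL_NET" "$REMOTE_NET"
gen_sainfo "$LOCAL_NET" "$REMOTE_NET"
if ! is_network "$LOCAL_NET"; then
    echo "warning: $LOCAL_NET has host bits set; keep it identical on both sides" >&2
fi
# phase2remoteid from the post's vpn.cfg, with the host bits cleared
if same_subnet 10.101.0.0 255.255.255.0 "$LOCAL_NET"; then
    echo "phase2remoteid matches $LOCAL_NET"
fi
```

Run it with sh, paste the output into spd.conf and racoon.conf, then load the policies with setkey -f and restart racoon. same_subnet is worth running against every phase2 ipnet entry in vpn.cfg before uploading it; a mismatch there shows up as a phase 2 that never completes rather than as a half-working tunnel.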