Hello,
I've created a LAN-to-LAN VPN with IPsec. Both sides have dynamic IP addresses. The dial from the Fritz!Box side works well. From the other side nothing is triggered. The rekeying after 1 hour works. After 24 hours both sides reconnect to the internet with a new IP address. If the IP address of Endian 2.5.1 changes, the VPN reconnects and works. If the Fritz!Box side changes its IP address, the reconnection fails.
In Endian a message "initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK" is shown.
"ipsec status" shows me a connection to the Fritz!Box, but with the old IP address.
The Fritz!Box shows "VPN-Fehler: <endian.fqdn>, IKE-Error 0x2027".
I think the DNS resolution for the peer isn't run again after the link goes down, so the changed IP address isn't used. But the "@" at the start of the rightid says: use the FQDN instead of resolving it to the IP address.
What's wrong?
Here are my configs:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "endian.fqdn";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "<endian.fqdn>";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "<fritzbox.fqdn>";
                }
                remoteid {
                        fqdn = "<endian.fqdn>";
                }
                // IKE
                mode = phase1_mode_idp;
                phase1ss = "alt/aes/sha"; // AES256, SHA1, DH2 and 1 hour lifetime
                keytype = connkeytype_pre_shared;
                key = "<pre_shared_key>";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // ESP
                phase2localid {
                        ipnet {
                                ipaddr = <fritzbox.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = <endian.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // 3DES, SHA1, DH2 and 1 hour lifetime
                accesslist = "permit ip any <endian.net> 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
and
config setup
        cachecrls=yes
        uniqueids=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes
        plutodebug=" dns "

conn %default
        keyingtries=%forever

conn <display_name>
        left=<endian.public_ip>
        leftnexthop=<endian.public_next_hop>
        leftsubnet=<endian.net>/24
        leftsourceip=<endian.private_ip>
        right=<fritzbox.fqdn>
        rightsubnet=<fritzbox.net>/24
        leftid="@<endian.fqdn>"
        rightid="@<fritzbox.fqdn>"
        authby=secret
        pfs=yes
        ikelifetime=1h
        keylife=1h
        ike=aes256-sha-modp1024
        esp=3des-sha1
        auto=start
        keyexchange=ikev1

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
After "ipsec restart" everything works with the next reconnect.
Greetings Martin
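The symptom described in the post (a connection that "ipsec status" still lists with the old peer address, and Main Mode proposals from the new address rejected with "no connection has been authorized") is what you get when pluto keeps the address it resolved for right=<fqdn> at load time; the "@" on rightid only shapes the IKE ID payload and does not make pluto re-resolve the name. The usual operational fix on the Endian side is a small watchdog that re-resolves the peer's DynDNS name and re-adds the connection when the record changes, instead of restarting all of IPsec. The script below is an added example, not part of Martin's post and not code shipped by Endian or AVM; the connection name, DynDNS name and state-file path are assumptions, and the DNS lookup and the reload action are injectable so the decision logic can be exercised offline.

```python
"""Dynamic-DNS peer watchdog for an Openswan/pluto (IKEv1) LAN-to-LAN tunnel.

pluto resolves right=<fqdn> when the connection is loaded. If the peer's
DynDNS record later points at a new address, the loaded connection still
carries the old one and the peer's new Main Mode proposals match nothing.
This script re-resolves the peer name on every run, compares it with the
address recorded on the previous run and, on a change, re-adds the
connection so pluto resolves the name again. Intended to run from cron
every few minutes. CONN_NAME, PEER_FQDN and STATE_FILE are assumptions.
"""
import socket
import subprocess
from pathlib import Path

CONN_NAME = "fritzbox-lan"                 # hypothetical ipsec.conf conn name
PEER_FQDN = "fritzbox.dyndns.example"      # hypothetical DynDNS name of the peer
STATE_FILE = Path("/var/run/ipsec-peer-fritzbox-lan.ip")  # hypothetical path


def resolve_peer(fqdn, resolver=socket.gethostbyname):
    """Return the peer's current IPv4 address, or None if the name does not resolve."""
    try:
        return resolver(fqdn)
    except OSError:          # socket.gaierror is a subclass of OSError
        return None


def decide(current_ip, last_known_ip):
    """Classify one watchdog pass.

    skip   - name did not resolve; leave the loaded connection alone
    record - first run; pluto loaded the conn with a fresh lookup, just remember it
    reload - the record changed since the last run; re-add the connection
    ok     - unchanged
    """
    if current_ip is None:
        return "skip"
    if last_known_ip is None:
        return "record"
    if current_ip != last_known_ip:
        return "reload"
    return "ok"


def reload_connection(conn):
    """Delete and re-add the conn (pluto re-resolves right= on add), then bring it up."""
    subprocess.run(["ipsec", "auto", "--replace", conn], check=True)
    subprocess.run(["ipsec", "auto", "--up", conn], check=False)


def check_once(conn=CONN_NAME, fqdn=PEER_FQDN, state_file=STATE_FILE,
               resolver=socket.gethostbyname, reloader=reload_connection):
    """Perform one watchdog pass, update the state file and return the action taken."""
    current = resolve_peer(fqdn, resolver)
    last = state_file.read_text().strip() if state_file.exists() else None
    action = decide(current, last)
    if action == "reload":
        reloader(conn)
    if action in ("record", "reload"):
        state_file.write_text(current + "\n")
    return action


if __name__ == "__main__":
    print(check_once())
```

A failed lookup deliberately does nothing: tearing down a working tunnel because DNS was briefly unavailable would turn a resolver hiccup into an outage. The state file, not the output of "ipsec status", is the reference, so the script does not depend on parsing pluto's status format.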