Author Topic: VPN (IPsec) to Fritz!Box  (Read 12242 times)
HofMar
« on: Tuesday 19 July 2016, 11:44:36 pm »

Hello,

I've created a LAN-to-LAN VPN with IPsec. Both sides have dynamic IP addresses. Dialing in from the Fritz!Box side works well. From the other side nothing is triggered. The rekeying after 1 hour works. After 24 hours both sides reconnect to the internet with a new IP address. If the IP address of the Endian 2.5.1 changes, the VPN reconnects and works. If the Fritz!Box side changes its IP address, the reconnection fails.
In Endian the message "initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK" is shown.
"ipsec status" shows me a connection to the Fritz!Box, but with the old IP address.
The Fritz!Box shows "VPN-Fehler: <endian.fqdn>, IKE-Error 0x2027".

I think the DNS resolution for the peer isn't run after the link goes down, so the changed IP address isn't used. But the ampersand at the start of the rightid says to use the FQDN instead of resolving it to the IP address.

What's wrong?

Here are my configs:
Code:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "endian.fqdn";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "<endian.fqdn>";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "<fritzbox.fqdn>";
                }
                remoteid {
                        fqdn = "<endian.fqdn>";
                }
                // IKE
                mode = phase1_mode_idp;
                phase1ss = "alt/aes/sha"; // AES256, SHA1, DH2 and 1 hour lifetime
                keytype = connkeytype_pre_shared;
                key = "<pre_shared_key>";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // ESP
                phase2localid {
                        ipnet {
                                ipaddr = <fritzbox.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = <endian.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // 3DES, SHA1, DH2 and 1 hour lifetime
                accesslist = "permit ip any <endian.net> 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
and
Code:
config setup
cachecrls = yes
uniqueids=yes
nat_traversal=yes
charonstart=no
plutostart=yes
plutodebug=" dns "

conn %default
keyingtries=%forever


conn <display_name>
left=<endian.public_ip>
leftnexthop=<endian.public_next_hop>
leftsubnet=<endian.net>/24
leftsourceip=<endian.private_ip>
right=<fritzbox.fqdn>
rightsubnet=<fritzbox.net>/24
leftid="@<endian.fqdn>"
rightid="@<fritzbox.fqdn>"
authby=secret
pfs=yes
ikelifetime=1h
keylife=1h
ike=aes256-sha-modp1024
esp=3des-sha1
auto=start
keyexchange=ikev1

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
After "ipsec restart" everything works again on the next reconnect.

Greetings Martin
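The log line quoted in the post is what pluto emits when an IKEv1 main mode proposal arrives from a source address that no loaded connection matches: in main mode the peer's ID is only sent after the Diffie-Hellman exchange, so the PSK and the connection have to be selected by source IP first, and a connection still pinned to the peer's old address rejects the new one. A watchdog that re-resolves the peer FQDN and only restarts when the address pluto is using has gone stale is one way to automate the "ipsec restart" the poster found to work. The script below is an added example, not part of the original post or of Endian's own tooling; the connection name "fritzbox", the FQDN "fritzbox.example.com", the addresses and the sample "ipsec status" text are all constructed, and the status line layout is assumed to follow openswan's usual `"conn": leftsubnet===left<left>[@leftid]---nexthop...right<right>[@rightid]===rightsubnet` form.

```shell
#!/bin/sh
# Added example (not from the original post): a watchdog for an openswan
# tunnel whose peer ("right=") is an FQDN with a dynamic address. It compares
# the peer address pluto is currently using with what the FQDN resolves to
# now, and restarts only when the two differ. Names and addresses below are
# constructed assumptions.

# Constructed "ipsec status" output, laid out like openswan's connection
# summary line. The peer (right) address in use here is 198.51.100.7.
SAMPLE_STATUS='000 "fritzbox": 192.168.1.0/24===203.0.113.5<203.0.113.5>[@endian.example.com]---203.0.113.1...198.51.100.7<198.51.100.7>[@fritzbox.example.com]===192.168.2.0/24; erouted; eroute owner: #2
000 "fritzbox":   newest ISAKMP SA: #1; newest IPsec SA: #2;'

# current_peer_ip STATUS_TEXT CONN_NAME
# Print the remote address the named connection is using right now, i.e. the
# dotted quad between "..." and "<" on its summary line (empty if not found).
current_peer_ip() {
    printf '%s\n' "$1" |
        sed -n "s/^000 \"$2\": .*\.\.\.\([0-9][0-9.]*\)<.*/\1/p" |
        head -n 1
}

# resolved_peer_ip FQDN
# Fresh lookup of the peer name (bypasses pluto's cached result); first IPv4
# answer only. Returns nothing if the name does not resolve.
resolved_peer_ip() {
    getent hosts "$1" | awk '/^[0-9.]+ /{print $1; exit}'
}

# restart_needed CURRENT RESOLVED
# True (exit 0) only when both addresses are known and they differ. A failed
# lookup or a tunnel that is not loaded must never trigger a restart, or a
# transient DNS outage would bounce a working tunnel.
restart_needed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# decide CURRENT RESOLVED -> prints "restart" or "ok" (used for logging/tests)
decide() {
    if restart_needed "$1" "$2"; then echo restart; else echo ok; fi
}

# One watchdog pass against the live system; run it from cron every few
# minutes. "ipsec restart" is what the original poster reported as clearing
# the stale peer address.
watchdog() {
    conn=$1
    fqdn=$2
    cur=$(current_peer_ip "$(ipsec status 2>/dev/null)" "$conn")
    new=$(resolved_peer_ip "$fqdn")
    if restart_needed "$cur" "$new"; then
        logger -t ipsec-watchdog "peer $fqdn moved $cur -> $new, restarting IPsec"
        ipsec restart
    else
        logger -t ipsec-watchdog "peer $fqdn unchanged ($cur), nothing to do"
    fi
}

# Usage: sh ipsec-watchdog.sh run <conn-name> <peer-fqdn>
case "${1:-}" in
    run) watchdog "${2:-fritzbox}" "${3:-fritzbox.example.com}" ;;
esac
```

The guard in `restart_needed` is the part worth keeping even if the rest is adapted: an empty lookup result or a missing status line means "do nothing", so the watchdog cannot turn a DNS hiccup into a tunnel outage. The same re-resolution can also be had from openswan itself by enabling dead peer detection with `dpdaction=restart` (together with `dpddelay` and `dpdtimeout`), which re-resolves a `right=` FQDN when it brings the connection back up; the script is the belt-and-braces version for a peer that goes silent without DPD noticing.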