Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 05 December 2024, 05:36:22 pm

Login with username, password and session length

Visit the Official Endian Bug tracker  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  VPN (IPsec) to Fritz!Box
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: VPN (IPsec) to Fritz!Box  (Read 12229 times)
HofMar
Jr. Member
*
Offline Offline

Posts: 1


« on: Tuesday 19 July 2016, 11:44:36 pm »

Hello,

i've create a LAN-LAN-VPN with IPsec. Both sides have dynamic ip addresses. The dial from Fritz!Box side works well. From the other side nothing is triggered. The rekeying after 1 hour works. After 24 hours both side reconnect to the internet with a new ip addreess. If the ip address from endian 2.5.1 changed, the VPN reconnect and is working. If the Fritz!Box side change the ip address the reconnection failed.
In Endian a message "initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK" is shown.
The "ipsec status" show me an connection to the Fritz!Box, but with the old ip address.
The Fritz!Box show "VPN-Fehler: <endian.fqdn>, IKE-Error 0x2027"

I think the dns resolve for the peer isn't running after the link is down. So the changed ip address isn't used. But the ampersand at the start of the rightid say, use the fqdn instead of resolve to the ip address.

What's wrong?

Here are my configs:
Code:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "endian.fqdn";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "<endian.fqdn>";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "<fritzbox.fqdn>";
                }
                remoteid {
                        fqdn = "<endian.fqdn>";
                }
                // IKE
                mode = phase1_mode_idp;
                phase1ss = "alt/aes/sha"; // AES256, SHA1, DH2 und 1 Stunde Gültigkeit
                keytype = connkeytype_pre_shared;
                key = "<pre_shared_key>";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // ESP
                phase2localid {
                        ipnet {
                                ipaddr = <fritzbox.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = <endian.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // 3DES, SHA1, DH2 und 1 Stunde Gültigkeit
                accesslist = "permit ip any <endian.net> 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
und
Code:
config setup
cachecrls = yes
uniqueids=yes
nat_traversal=yes
charonstart=no
plutostart=yes
plutodebug=" dns "

conn %default
keyingtries=%forever


conn <display_name>
left=<endian.public_ip>
leftnexthop=<endian.public_next_hop>
leftsubnet=<endian.net>/24
leftsourceip=<endian.private_ip>
right=<fritzbox.fqdn>
rightsubnet=<fritzbox.net>/24
leftid="@<endian.fqdn>"
rightid="@<fritzbox.fqdn>"
authby=secret
pfs=yes
ikelifetime=1h
keylife=1h
ike=aes256-sha-modp1024
esp=3des-sha1
auto=start
keyexchange=ikev1

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
After "ipsec restart" all works within the next reconnect.

Greetings Martin
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.078 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com