Title: VPN (IPsec) to Fritz!Box
Post by: HofMar on Tuesday 19 July 2016, 11:44:36 pm

Hello,

I've created a LAN-to-LAN VPN with IPsec. Both sides have dynamic IP addresses. Dialling in from the Fritz!Box side works well. From the other side nothing is triggered. The rekeying after 1 hour works. After 24 hours both sides reconnect to the internet with a new IP address. If the IP address of Endian 2.5.1 changes, the VPN reconnects and works. If the Fritz!Box side changes its IP address, the reconnection fails. In Endian the message "initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK" is shown. "ipsec status" shows me a connection to the Fritz!Box, but with the old IP address. The Fritz!Box shows "VPN-Fehler: <endian.fqdn>, IKE-Error 0x2027".

I think the DNS resolution for the peer isn't run after the link goes down, so the changed IP address isn't used. But the ampersand at the start of the rightid says to use the FQDN instead of resolving to the IP address. What's wrong?

Here are my configs:

Code:

vpncfg {
    undconnections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "endian.fqdn";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "<endian.fqdn>";
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "<fritzbox.fqdn>";
        }
        remoteid {
            fqdn = "<endian.fqdn>";
        }
        // IKE
        mode = phase1_mode_idp;
        phase1ss = "alt/aes/sha"; // AES256, SHA1, DH2 and 1 hour lifetime
        keytype = connkeytype_pre_shared;
        key = "<pre_shared_key>";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        // ESP
        phase2localid {
            ipnet {
                ipaddr = <fritzbox.net>;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = <endian.net>;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // 3DES, SHA1, DH2 and 1 hour lifetime
        accesslist = "permit ip any <endian.net> 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Code:

config setup
    cachecrls = yes
    uniqueids=yes
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    plutodebug=" dns "

conn %default
    keyingtries=%forever

conn <display_name>
    left=<endian.public_ip>
    leftnexthop=<endian.public_next_hop>
    leftsubnet=<endian.net>/24
    leftsourceip=<endian.private_ip>
    right=<fritzbox.fqdn>          # peer given by DDNS name; pluto resolves it when the conn is loaded
    rightsubnet=<fritzbox.net>/24
    leftid="@<endian.fqdn>"
    rightid="@<fritzbox.fqdn>"
    authby=secret
    pfs=yes
    ikelifetime=1h
    keylife=1h
    ike=aes256-sha-modp1024
    esp=3des-sha1
    auto=start
    keyexchange=ikev1

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

After "ipsec restart" everything works until the next reconnect.

Greetings
Martin
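Added example, not code from the post, Endian or AVM: a small Python check for exactly the state Martin describes, comparing the peer address pluto still holds in "ipsec status" with what the Fritz!Box DDNS name resolves to now, and matching the "no connection has been authorized" log line against that address. The connection name, host names, addresses, status line and log line are constructed; the status line only approximates pluto's format.

```python
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of the Endian (Openswan/pluto) log line quoted in the post.
SAMPLE_LOG = ("initial Main Mode message received on 203.0.113.77:500 "
              "but no connection has been authorized with policy=PSK")
# Constructed "ipsec status" line for the tunnel; approximates pluto's
# left<ip>[@id]---nexthop...right<ip>[@id] layout, all addresses invented.
SAMPLE_STATUS = ('000 "fritz": 192.168.10.0/24===198.51.100.5<198.51.100.5>'
                 '[@endian.example]---198.51.100.1...203.0.113.20<203.0.113.20>'
                 '[@fritzbox.example]===192.168.20.0/24; erouted; eroute owner: #2')

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
UNAUTH_RE = re.compile(r"initial (?:Main|Aggressive) Mode message received on (" + IPV4 +
                       r"):\d+ but no connection has been authorized")
STATUS_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)": .*?\.\.\.(?P<right_ip>' + IPV4 +
                       r")<[^>]*>\[@(?P<right_id>[^\]]+)\]")


def unauthorized_peer(log_line: str) -> Optional[str]:
    """Source IP of an IKE peer pluto refused for lack of a matching conn, or None."""
    m = UNAUTH_RE.search(log_line)
    return m.group(1) if m else None


def cached_peer(status_text: str, conn: str) -> Optional[Tuple[str, str]]:
    """(right IP, right ID) that pluto currently holds for the named conn."""
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group("conn") == conn:
            return m.group("right_ip"), m.group("right_id")
    return None


def diagnose(status_text: str, conn: str, peer_fqdn: str, log_line: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[Dict[str, object]]:
    """Compare the peer address pluto cached at load time with the DDNS name's
    current answer; `resolve` is injectable so the check runs offline."""
    found = cached_peer(status_text, conn)
    if found is None:
        return None
    cached_ip, right_id = found
    current_ip = resolve(peer_fqdn)
    return {
        "conn": conn, "right_id": right_id, "cached_ip": cached_ip, "current_ip": current_ip,
        "stale": cached_ip != current_ip,  # pluto would still dial the old address
        # the refused Main Mode attempt came from the peer's new address
        "rejected_is_current_peer": unauthorized_peer(log_line) == current_ip,
    }
```

With the sample data and a resolver answering 203.0.113.77 it reports stale=True and that the refused Main Mode attempt came from the peer's new address; a resolver answering 203.0.113.20 reports stale=False.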