EFW Support

Support => VPN Support => Topic started by: HofMar on Tuesday 19 July 2016, 11:44:36 pm



Title: VPN (IPsec) to Fritz!Box
Post by: HofMar on Tuesday 19 July 2016, 11:44:36 pm
Hello,

I've created a LAN-to-LAN VPN with IPsec. Both sides have dynamic IP addresses. The dial from the Fritz!Box side works well. From the other side nothing is triggered. The rekeying after 1 hour works. After 24 hours both sides reconnect to the internet with a new IP address. If the IP address of Endian 2.5.1 changes, the VPN reconnects and is working. If the Fritz!Box side changes the IP address, the reconnection fails.
In Endian a message "initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK" is shown.
"ipsec status" shows me a connection to the Fritz!Box, but with the old IP address.
The Fritz!Box shows "VPN-Fehler: <endian.fqdn>, IKE-Error 0x2027"

I think the DNS resolution for the peer isn't running after the link is down, so the changed IP address isn't used. But the ampersand at the start of the rightid says to use the FQDN instead of resolving to the IP address.

What's wrong?

Here are my configs:
Code:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "endian.fqdn";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "<endian.fqdn>";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "<fritzbox.fqdn>";
                }
                remoteid {
                        fqdn = "<endian.fqdn>";
                }
                // IKE
                mode = phase1_mode_idp;
                phase1ss = "alt/aes/sha"; // AES256, SHA1, DH2 and 1 hour lifetime
                keytype = connkeytype_pre_shared;
                key = "<pre_shared_key>";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // ESP
                phase2localid {
                        ipnet {
                                ipaddr = <fritzbox.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = <endian.net>;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // 3DES, SHA1, DH2 and 1 hour lifetime
                accesslist = "permit ip any <endian.net> 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
and
Code:
config setup
    cachecrls=yes
    uniqueids=yes
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    plutodebug=" dns "

conn %default
    keyingtries=%forever


conn <display_name>
    left=<endian.public_ip>
    leftnexthop=<endian.public_next_hop>
    leftsubnet=<endian.net>/24
    leftsourceip=<endian.private_ip>
    right=<fritzbox.fqdn>
    rightsubnet=<fritzbox.net>/24
    leftid="@<endian.fqdn>"
    rightid="@<fritzbox.fqdn>"
    authby=secret
    pfs=yes
    ikelifetime=1h
    keylife=1h
    ike=aes256-sha-modp1024
    esp=3des-sha1
    auto=start
    keyexchange=ikev1

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
After "ipsec restart" all works within the next reconnect.

Greetings Martin
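The symptom in the post (pluto still holds the old peer address while the Fritz!Box dials in from its new one) can be checked for automatically before falling back to "ipsec restart". The following is an added example, not code from the thread, Endian or AVM: it parses the peer address from "ipsec status" output, extracts the source address from pluto's "no connection has been authorized" message, and compares both with a fresh lookup of the peer FQDN. The status line, log line, connection name "fritzbox" and all addresses are constructed placeholders, and the resolver is injectable so the check runs offline.

```python
"""Detect a stale IPsec peer address after the remote dynamic IP changed."""
import re
import socket
from typing import Callable, Optional

# Constructed sample in the style of Openswan/pluto "ipsec status" output.
# Names and addresses are placeholders, not values from the thread.
SAMPLE_STATUS = """\
000 "fritzbox": 192.0.2.0/24===198.51.100.10<198.51.100.10>[@endian.example]...203.0.113.7<203.0.113.7>[@fritzbox.example]===10.0.0.0/24; erouted; eroute owner: #2
000 "fritzbox":     newest ISAKMP SA: #1; newest IPsec SA: #2;
"""

# Constructed pluto log line: the peer now dials in from 203.0.113.99.
SAMPLE_LOG = ("initial Main Mode message received on 203.0.113.99:500 "
              "but no connection has been authorized with policy=PSK")

# Left side ... right side: the peer address is the one after the "..." .
STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s.*?\.\.\.'
                       r'(?P<peer>\d+\.\d+\.\d+\.\d+)<')
LOG_RE = re.compile(r'initial Main Mode message received on '
                    r'(?P<src>\d+\.\d+\.\d+\.\d+):500 '
                    r'but no connection has been authorized')


def peer_in_status(status: str, conn: str) -> Optional[str]:
    """Return the peer IP pluto currently associates with connection `conn`."""
    for line in status.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group("conn") == conn:
            return m.group("peer")
    return None


def unauthorized_source(log_line: str) -> Optional[str]:
    """Source IP of pluto's 'no connection has been authorized' message."""
    m = LOG_RE.search(log_line)
    return m.group("src") if m else None


def stale_peer(status: str, conn: str, fqdn: str, log_line: str,
               resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True when the FQDN now resolves to the address pluto rejected while
    the connection still points at an older address, i.e. the peer moved
    and the tunnel definition must be re-resolved (the thread's workaround
    is "ipsec restart")."""
    current = peer_in_status(status, conn)
    fresh = resolve(fqdn)
    rejected = unauthorized_source(log_line)
    return current is not None and fresh != current and fresh == rejected
```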