AVM Fritz!Box related tips and tricks
The following examples show how to establish an IPsec connection to a Fritz!Box from Linux (vpnc) and from Android (with the built-in IPsec client, Android 4.x or higher).
VPN configuration file
AVM supplies a special tool to create the configuration file. However, it has several flaws (one of them is that it is Windows only), and you actually don't need it. Just customize the configuration file below to suit your needs.
```
/*
 * Fritz!Box VPN Configuration File
 */
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_user;
        name = "My_DNS_here";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 192.168.178.201;
        remoteid {
            key_id = "MyKeyID";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "Put_your_secret_PSK_here";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        xauth {
            valid = yes;
            username = "My_Username";
            passwd = "My_Password";
        }
        use_cfgmode = yes;
        phase2localid {
            ipnet {
                ipaddr = 0.0.0.0;
                mask = 0.0.0.0;
            }
        }
        phase2remoteid {
            ipaddr = 192.168.178.201;
        }
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255",
                     "permit ip any 192.168.178.201 255.255.255.255";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
```
The configuration file is made for a Fritz!Box with default IP settings on the LAN side (192.168.178.0/24; the VPN client gets the virtual address 192.168.178.201). You will have to change the IP addresses accordingly if you have changed your internal network. Other options you will need to modify:

- name = "My_DNS_here"; You will probably have a dynamic IP, so you will need to configure DynDNS and insert your A record here.
- key_id = "MyKeyID"; This is the IPsec ID in vpnc terminology. IMPORTANT: if you plan to connect from an Android device with the built-in IPsec client (i.e. without VPNCilla or another additional app), do not use any special characters here at all, otherwise the connection will fail: no "@", no ".", no "-", etc. Only a purely alphanumeric ID works with Android, for whatever reason. AVM has a guide for Android, but it does not mention this.
- key = "Put_your_secret_PSK_here"; This should be a long random key (special characters, upper and lower case letters, digits). The connection uses IKEv1 aggressive mode with a pre-shared key, so anyone who can capture the handshake can run an offline dictionary attack against this key; a short or guessable PSK is the weakest point of this setup.
- username = "My_Username"; This is the Xauth username. No special requirements.
- passwd = "My_Password"; The Xauth password; it should be secure (special characters, upper and lower case letters, digits) and must not be the same as the PSK.
Connecting from Android
You can follow the guide from AVM. Just remember to use an alphanumeric key_id as described above.
Connecting from a Linux system with vpnc
This is a working configuration file for vpnc. Insert your variables and save it as /etc/vpnc/fritzbox.conf; you will then be able to establish the connection with the command "vpnc-connect fritzbox" (as root). Since the file holds the PSK and possibly the Xauth password, make it readable by root only (chmod 600 /etc/vpnc/fritzbox.conf).
```
# "name" from the Fritz!Box VPN configuration
IPSec gateway My_DNS_here
IKE DH Group dh2
Perfect Forward Secrecy nopfs
# "key_id" from the Fritz!Box VPN configuration
IPSec ID MyKeyID
# "key" from the Fritz!Box VPN configuration
IPSec secret Put_your_secret_PSK_here
NAT Traversal Mode force-natt
# This will prompt you for username and password
Xauth interactive
# If you want to store Xauth username and password instead, use this:
# "username" from the Fritz!Box VPN configuration
# Xauth username My_Username
# "passwd" from the Fritz!Box VPN configuration
# Xauth password My_Password
# If you experience problems, this might help:
# Debug 3
```
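Both files above have to agree on the same three values (gateway name, IPsec ID, PSK), and the key_id rule for Android is easy to get wrong by hand. As an added example (this is neither AVM's tool nor code from the original page), the following Python script renders the Fritz!Box vpncfg file and the matching vpnc configuration from one set of parameters, rejects a key_id that is not purely alphanumeric, generates the PSK from a CSPRNG, and writes both files with mode 0600 because they contain the secret. The host name, key ID, user name and password in it are placeholders, and the vpncfg template is the one shown above with the default LAN settings as overridable parameters.

```python
"""Added example (not AVM's tool, not the page's code): render matching Fritz!Box
vpncfg and vpnc files from one set of parameters. All values are placeholders."""
import os
import re
import secrets
import string

# Android's built-in IPsec client only accepts a purely alphanumeric key_id.
KEY_ID_RE = re.compile(r"[A-Za-z0-9]+")
# No whitespace, quotes, backslash or braces: those could break the quoted
# vpncfg string or the whitespace-separated vpnc.conf line.
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_~"

VPNCFG_TEMPLATE = """/*
 * Fritz!Box VPN Configuration File (generated)
 */
vpncfg {{
    connections {{
        enabled = yes;
        conn_type = conntype_user;
        name = "{host}";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = {client_ip};
        remoteid {{ key_id = "{key_id}"; }}
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "{psk}";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        xauth {{ valid = yes; username = "{username}"; passwd = "{password}"; }}
        use_cfgmode = yes;
        phase2localid {{ ipnet {{ ipaddr = 0.0.0.0; mask = 0.0.0.0; }} }}
        phase2remoteid {{ ipaddr = {client_ip}; }}
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip {lan} {mask} {client_ip} 255.255.255.255",
                     "permit ip any {client_ip} 255.255.255.255";
    }}
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}}
// EOF
"""

def check_key_id(key_id: str) -> bool:
    """True if key_id is safe for Android's built-in client (letters and digits only)."""
    return KEY_ID_RE.fullmatch(key_id) is not None

def generate_psk(length: int = 48) -> str:
    """Random PSK from a CSPRNG. IKEv1 aggressive mode with a PSK lets an
    eavesdropper attack the key offline, so it must be long and unguessable."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def fritzbox_vpncfg(host, key_id, psk, username, password, lan="192.168.178.0",
                    mask="255.255.255.0", client_ip="192.168.178.201") -> str:
    """Render the Fritz!Box side; defaults match a box with factory LAN settings."""
    if not check_key_id(key_id):
        raise ValueError("key_id must be alphanumeric for Android's built-in IPsec")
    if any('"' in v or "\\" in v for v in (psk, username, password)):
        raise ValueError("quotes and backslashes are not safe inside vpncfg strings")
    return VPNCFG_TEMPLATE.format(host=host, key_id=key_id, psk=psk, username=username,
                                  password=password, lan=lan, mask=mask, client_ip=client_ip)

def vpnc_conf(host, key_id, psk, username=None, password=None) -> str:
    """Render /etc/vpnc/fritzbox.conf; without credentials vpnc prompts (Xauth interactive)."""
    lines = [f"IPSec gateway {host}", "IKE DH Group dh2", "Perfect Forward Secrecy nopfs",
             f"IPSec ID {key_id}", f"IPSec secret {psk}", "NAT Traversal Mode force-natt"]
    if username and password:
        lines += [f"Xauth username {username}", f"Xauth password {password}"]
    else:
        lines.append("Xauth interactive")
    return "\n".join(lines) + "\n"

def write_private(path: str, text: str) -> None:
    """Create the file with mode 0600: it holds the PSK and maybe the Xauth password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

if __name__ == "__main__":
    psk = generate_psk()  # the same secret goes into both files
    write_private("fritzbox.vpncfg",
                  fritzbox_vpncfg("vpn.example.net", "MyKeyID", psk, "alice", "Xauth-Pass-1"))
    write_private("fritzbox.conf", vpnc_conf("vpn.example.net", "MyKeyID", psk))
```

Run it once, import fritzbox.vpncfg on the box, and copy fritzbox.conf to /etc/vpnc/. Leaving username and password out of vpnc_conf() keeps the Xauth password off disk and makes vpnc ask for it, which is the safer default for a laptop.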