Netgate Discussion Forum
    Pfsense 2.3.2 VPN to FritzBox 7490 06.60

    IPsec
      D-Ruffy

      Hello everybody,

      I am trying to set up a VPN connection between my Fritz box and a pfSense router. I've tried several instructions with no success. Does anyone have a configuration example for the current version?

      Many thanks
      Best regards

        nachtmensch

        Yes, I do.
        Works from Fritzbox (Dial-Out) to pfSense (IPSec-Server).

        Fritzbox-Config - fritzbox.cfg

        vpncfg {
                connections {
                        enabled = yes;
                        conn_type = conntype_lan;
                        name = "VPN-NAME";
                        always_renew = yes;
                        reject_not_encrypted = no;
                        dont_filter_netbios = yes;
                        localip = 0.0.0.0;
                        local_virtualip = 0.0.0.0;
                        remoteip = 0.0.0.0;
                        remote_virtualip = 0.0.0.0;
                        remotehostname = "pfSenseIP/fqdn";
                        localid {
                                fqdn = "FritzboxIP/fqdn";
                        }
                        remoteid {
                                fqdn = "pfSenseIP/fqdn";
                        }
                        mode = phase1_mode_idp;
                        phase1ss = "def/3des/sha";
                        keytype = connkeytype_pre_shared;
                        key = "PRESHAREDKEY";
                        cert_do_server_auth = no;
                        use_nat_t = yes;
                        use_xauth = no;
                        use_cfgmode = no;
                        phase2localid {
                                ipnet {
                                        ipaddr = Fritzboxnetwork /ex. 192.168.1.0;
                                        mask = 255.255.255.0;
                                }
                        }
                        phase2remoteid {
                                ipnet {
                                        ipaddr = pfSensenetwork /ex. 192.168.0.0;
                                        mask = 255.255.255.0;
                                }
                        }
                        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                        accesslist = "permit ip any pfSensenetwork /ex. 192.168.0.0 255.255.255.0";
                }
                ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                    "udp 0.0.0.0:4500 0.0.0.0:4500";
        }

        // EOF

        pfSense-Config

        VPN / IPsec / Tunnels / Edit Phase 1

        General Information
        Key Exchange version = V1
        Internet Protocol  = V4
        Interface = WAN
        Remote Gateway = FritzboxIP/fqdn
        Description = "VPN-NAME"

        Phase 1 Proposal (Authentication)
        Authentication Method = Mutual PSK
        Negotiation mode = Main
        My identifier = My IP address
        Peer identifier = Distinguished name / FritzboxIP/fqdn
        Pre-Shared Key = PRESHAREDKEY

        Phase 1 Proposal (Algorithms)
        Encryption Algorithm = 3DES
        Hash Algorithm = SHA1
        DH Group = 1 (768 bit)
        Lifetime (Seconds) = 28800

        Advanced Options
        Disable rekey = unchecked
        Responder Only = checked
        NAT Traversal  = Force
        Dead Peer Detection = checked
        Delay = 10
        Max failures = 5

        VPN / IPsec / Tunnels / Edit Phase 2

        General Information
        Disabled = unchecked
        Mode = Tunnel IPv4
        Local Network = LAN subnet
        NAT/BINAT translation = None
        Remote Network = Network
        Address = Fritzboxnetwork /ex. 192.168.1.0 / 24
        Description = "VPN-NAME"

        Phase 2 Proposal (SA/Key Exchange)
        Protocol = ESP
        Encryption Algorithms = AES (Auto), 3DES
        Hash Algorithms = SHA1
        PFS key group = 1 (786 bit)
        Lifetime = 3600

        Advanced Configuration
        Automatically ping host = "Fritzbox-IP"

        Don't forget your Firewall-Rules!

        Should be it…

        PC Engines APU.2C4, pfSense 2.3.2-RELEASE-p1

          D-Ruffy

          Hello,

          many thanks for your response.
          Unfortunately, it doesn't work.

          Error message on the FRITZBOX: IKE-Error 0x2027
          Log on Pfsense:

          Time Process PID Message
          Sep 20 08:14:13 charon 07[ENC] <10638> generating INFORMATIONAL_V1 request 3412544522 [ HASH N(PLD_MAL) ]
          Sep 20 08:14:13 charon 07[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
          Sep 20 08:14:13 charon 07[IKE] <10638> ID_PROT request with message ID 0 processing failed
          Sep 20 08:14:15 charon 15[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
          Sep 20 08:14:15 charon 15[ENC] <10638> invalid ID_V1 payload length, decryption failed?
          Sep 20 08:14:15 charon 15[ENC] <10638> could not decrypt payloads
          Sep 20 08:14:15 charon 15[IKE] <10638> message parsing failed
          Sep 20 08:14:15 charon 15[ENC] <10638> generating INFORMATIONAL_V1 request 3776601609 [ HASH N(PLD_MAL) ]
          Sep 20 08:14:15 charon 15[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
          Sep 20 08:14:15 charon 15[IKE] <10638> ID_PROT request with message ID 0 processing failed
          Sep 20 08:14:19 charon 05[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
          Sep 20 08:14:19 charon 05[ENC] <10638> invalid ID_V1 payload length, decryption failed?
          Sep 20 08:14:19 charon 05[ENC] <10638> could not decrypt payloads
          Sep 20 08:14:19 charon 05[IKE] <10638> message parsing failed
          Sep 20 08:14:19 charon 05[ENC] <10638> generating INFORMATIONAL_V1 request 322518928 [ HASH N(PLD_MAL) ]
          Sep 20 08:14:19 charon 05[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
          Sep 20 08:14:19 charon 05[IKE] <10638> ID_PROT request with message ID 0 processing failed
          Sep 20 08:14:27 charon 10[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
          Sep 20 08:14:27 charon 10[ENC] <10638> invalid ID_V1 payload length, decryption failed?
          Sep 20 08:14:27 charon 10[ENC] <10638> could not decrypt payloads
          Sep 20 08:14:27 charon 10[IKE] <10638> message parsing failed
          Sep 20 08:14:27 charon 10[ENC] <10638> generating INFORMATIONAL_V1 request 1938149978 [ HASH N(PLD_MAL) ]
          Sep 20 08:14:27 charon 10[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
          Sep 20 08:14:27 charon 10[IKE] <10638> ID_PROT request with message ID 0 processing failed
          Sep 20 08:14:42 charon 08[JOB] <10638> deleting half open IKE_SA after timeout
          Sep 20 08:14:51 charon 14[CFG] rereading secrets
          Sep 20 08:14:51 charon 14[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
          Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for %any @dyndns.fritz.box
          Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for dyndns.fritz.box
          Sep 20 08:14:51 charon 14[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
          Sep 20 08:14:51 charon 14[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
          Sep 20 08:14:51 charon 14[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
          Sep 20 08:14:51 charon 14[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
          Sep 20 08:14:51 charon 14[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
          Sep 20 08:14:51 charon 11[CFG] received stroke: unroute 'bypasslan'
          Sep 20 08:14:51 ipsec_starter 29044 shunt policy 'bypasslan' uninstalled
          Sep 20 08:14:51 charon 14[CFG] received stroke: delete connection 'bypasslan'
          Sep 20 08:14:51 charon 14[CFG] deleted connection 'bypasslan'
          Sep 20 08:14:51 charon 14[CFG] received stroke: delete connection 'con1000'
          Sep 20 08:14:51 charon 14[CFG] deleted connection 'con1000'
          Sep 20 08:14:51 charon 06[CFG] received stroke: add connection 'bypasslan'
          Sep 20 08:14:51 charon 06[CFG] added configuration 'bypasslan'
          Sep 20 08:14:51 charon 11[CFG] received stroke: route 'bypasslan'
          Sep 20 08:14:51 ipsec_starter 29044 'bypasslan' shunt PASS policy installed
          Sep 20 08:14:51 charon 06[CFG] received stroke: add connection 'con1000'
          Sep 20 08:14:51 charon 06[CFG] added configuration 'con1000'
          Sep 20 08:14:55 charon 06[IKE] <con1000|10637> sending retransmit 5 of request message ID 0, seq 1
          Sep 20 08:14:55 charon 06[NET] <con1000|10637> sending packet: from pfsense[500] to fritzbox[500] (176 bytes)
          Sep 20 08:16:10 charon 15[IKE] <con1000|10637> giving up after 5 retransmits
          Sep 20 08:16:10 charon 15[IKE] <con1000|10637> establishing IKE_SA failed, peer not responding

          Can you help me?

          Many thanks
          Best regards

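The charon lines above follow a fixed shape, and the two failure modes in them (an ID payload that will not decrypt for SA 10638, and SA con1000|10637 getting no reply at all) point to different causes. The following is an added example, not code from the thread or from pfSense: it parses lines of that format and maps them to a diagnosis per IKE_SA; the sample lines and the rule table are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the charon lines quoted in this thread (not the full log).
SAMPLE_LOG = """\
Sep 20 08:14:15 charon 15[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
Sep 20 08:14:15 charon 15[ENC] <10638> invalid ID_V1 payload length, decryption failed?
Sep 20 08:14:15 charon 15[ENC] <10638> could not decrypt payloads
Sep 20 08:14:15 charon 15[IKE] <10638> ID_PROT request with message ID 0 processing failed
Sep 20 08:14:42 charon 08[JOB] <10638> deleting half open IKE_SA after timeout
Sep 20 08:16:10 charon 15[IKE] <con1000|10637>giving up after 5 retransmits
Sep 20 08:16:10 charon 15[IKE] <con1000|10637>establishing IKE_SA failed, peer not responding
Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for %any @dyndns.fritz.box
"""

# (pattern on the message text, diagnosis). In IKEv1 main mode the ID payload (messages 5/6) is
# encrypted with keys derived from the PSK, so a decryption failure there means the two sides
# derived different keys: wrong PSK, or a PSK selected under the wrong identifier.
RULES = [
    (re.compile(r"invalid ID_V1 payload length, decryption failed"),
     "main-mode ID payload did not decrypt: PSK or identifier mismatch (check Pre-Shared Key and My/Peer identifier on both sides)"),
    (re.compile(r"giving up after \d+ retransmits"),
     "no IKE reply from the peer: UDP 500/4500 blocked or the peer is not responding at that address"),
    (re.compile(r"deleting half open IKE_SA after timeout"),
     "negotiation never completed; see the earlier errors recorded for this SA"),
]

# "<sa-id>" (or "<conn|sa-id>") may be glued to the message text, as in the log above.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) charon \d+\[(?P<sub>\w+)\] <(?P<sa>[^>]+)> ?(?P<msg>.*)$")

def parse_line(line):
    """Return the fields of one charon line, or None for lines without an IKE_SA id (e.g. [CFG])."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Map each IKE_SA id to the ordered, de-duplicated list of diagnoses its lines triggered."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for pattern, diagnosis in RULES:
            if pattern.search(rec["msg"]) and diagnosis not in findings[rec["sa"]]:
                findings[rec["sa"]].append(diagnosis)
    return dict(findings)

if __name__ == "__main__":
    for sa, notes in triage(SAMPLE_LOG).items():
        print(sa, *("  - " + n for n in notes), sep="\n")
```

A decrypt failure at this point means the two sides derived different session keys, which is why a wrong PSK and a PSK looked up under the wrong identifier look identical in the log.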
            nachtmensch

            Unfortunately I can't, I'm sorry. Might be a problem with the identifier. Try a change to E-Mail address? You need to post your config incl. your IPSec advanced settings.

            The config works for me, i just set it up yesterday and the tunnel is up and running since then.

            PC Engines APU.2C4, pfSense 2.3.2-RELEASE-p1

              D-Ruffy

              Hi,

              it works  :)

              I've tried some changes at the identifier, now it works.

              Many thanks

              Best regards

                nachtmensch

                Can you please show your configs on both sides?!

                You're welcome…

                PC Engines APU.2C4, pfSense 2.3.2-RELEASE-p1

                  D-Ruffy

                  Of course

                  My Fritzbox has a dynamic IP, so I use DynDNS for it.

                  Pfsense has a static IP address.

                  pfSense Configuration

                  VPN / IPsec /Tunnels / Edit Phase 1

                  Disabled = Unchecked
                  General Information
                  Key Exchange version = V1
                  Internet Protocol  = IPV4
                  Interface = WAN
                  Remote Gateway = DYNDNS of FritzBox
                  Description = "Name of VPN"

                  Phase 1 Proposal (Authentication)
                  Authentication Method = Mutual PSK
                  Negotiation mode = Main
                  My identifier = My IP address
                  Peer identifier = Distinguished name -> DYNDNS of FritzBox
                  Pre-Shared Key = Preshared-Key

                  Phase 1 Proposal (Algorithms)
                  Encryption Algorithm = 3DES
                  Hash Algorithm = SHA1
                  DH Group = 1 (768 bit)
                  Lifetime (Seconds) = 28800

                  Advanced Options
                  Disable rekey = Unchecked
                  Responder Only = Unchecked
                  NAT Traversal  = Force
                  Dead Peer Detection = checked
                  Delay = 10
                  Max failures = 5

                  VPN / IPsec / Tunnels / Edit Phase 2

                  General Information
                  Disabled = Unchecked
                  Mode = Tunnel IPv4
                  Local Network = LAN subnet
                  NAT/BINAT translation = None
                  Remote Network = Network -> Fritzboxnetwork (example 192.168.1.0 / 24)
                  Description = "Name of VPN"

                  Phase 2 Proposal (SA/Key Exchange)
                  Protocol = ESP
                  Encryption Algorithms = 3DES
                  Hash Algorithms = SHA1
                  PFS key group = 1 (786 bit)
                  Lifetime = 3600

                  Advanced Configuration
                  Automatically ping host = IP address of FritzBox

                  FritzBox Configuration

                  vpncfg {
                          connections {
                                  enabled = yes;
                                  conn_type = conntype_lan;
                                  name = "Name of VPN";
                                  always_renew = yes;
                                  reject_not_encrypted = no;
                                  dont_filter_netbios = yes;
                                  localip = 0.0.0.0;
                                  local_virtualip = 0.0.0.0;
                                  remoteip = STATIC-IP of PFSENSE;
                                  remote_virtualip = 0.0.0.0;
                                  localid {
                                          fqdn = "DYNDNS of FritzBox";
                                  }
                                  remoteid {
                                          ipaddr = "STATIC-IP of PFSENSE";
                                  }
                                  mode = phase1_mode_idp;
                                  phase1ss = "def/3des/sha";
                                  keytype = connkeytype_pre_shared;
                                  key = "Preshared-Key";
                                  cert_do_server_auth = no;
                                  use_nat_t = yes;
                                  use_xauth = no;
                                  use_cfgmode = no;
                                  phase2localid {
                                          ipnet {
                                                  ipaddr = Fritzboxnetwork;
                                                  mask = 255.255.255.0;
                                          }
                                  }
                                  phase2remoteid {
                                          ipnet {
                                                  ipaddr = Pfsensenetwork;
                                                  mask = 255.255.255.0;
                                          }
                                  }
                                  phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                                  accesslist = "permit ip any Pfsensenetwork 255.255.255.0";
                          }
                          ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                              "udp 0.0.0.0:4500 0.0.0.0:4500";
                  }

                  // EOF

                  Best regards

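nachtmensch's template and D-Ruffy's working configuration above both depend on the two sides mirroring each other: the FritzBox localid is pfSense's Peer identifier, the FritzBox phase2localid is pfSense's Remote Network, and the phase1ss/phase2ss strings must agree with the pfSense proposals. The following added example (my code, not from the thread, AVM or Netgate) parses the fritzbox.cfg syntax shown above and reports every field that does not mirror a pfSense-side dict; the addresses, the identifiers and the pfSense dict key names are assumed placeholders.

```python
import ipaddress
import re
# Constructed vpncfg excerpt in the fritzbox.cfg syntax used in this thread (placeholder values only).
FRITZ_CFG = """
vpncfg { connections {
    localid { fqdn = "fritz.example.net"; }   remoteid { ipaddr = "203.0.113.10"; }
    phase1ss = "def/3des/sha";   phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
    phase2localid { ipnet { ipaddr = 192.168.1.0; mask = 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr = 192.168.0.0; mask = 255.255.255.0; } }
} }
"""
# The pfSense Phase 1/2 fields from the GUI, as a dict (assumed key names, placeholder values).
PFSENSE = {"my_identifier": "203.0.113.10", "peer_identifier": "fritz.example.net",
           "local_network": "192.168.0.0/24", "remote_network": "192.168.1.0/24",
           "p1_enc": "3DES", "p1_hash": "SHA1", "p2_enc": "3DES", "p2_hash": "SHA1", "pfs": True}

TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')
def alg(a): return {"sha": "SHA1"}.get(a, a.upper())  # FritzBox algorithm name -> pfSense name

def parse_vpncfg(text):
    """Parse the FritzBox 'name { ... }' / 'key = value;' syntax into nested dicts."""
    tokens, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":                      # nested block: recurse, then consume '}'
                pos += 1
                out[key] = block()
                pos += 1
            else:                                       # 'key = value;': skip '=', take value, skip ';'
                out[key] = tokens[pos + 1].strip('"')
                pos += 3
        return out
    return block()

def network(n): return str(ipaddress.ip_network(f"{n['ipaddr']}/{n['mask']}"))  # ipnet block -> CIDR

def cross_check(fritz_text, pf):
    """List fields where the FritzBox side does not mirror the pfSense side (empty list = consistent)."""
    c = parse_vpncfg(fritz_text)["vpncfg"]["connections"]
    p1, p2 = c["phase1ss"].split("/"), c["phase2ss"].split("/")
    esp = p2[0].split("-")                              # e.g. ['esp', '3des', 'sha']
    fb = {"peer_identifier": next(iter(c["localid"].values())),    # FritzBox localid  <-> pfSense Peer identifier
          "my_identifier": next(iter(c["remoteid"].values())),     # FritzBox remoteid <-> pfSense My identifier
          "remote_network": network(c["phase2localid"]["ipnet"]),  # FritzBox local net <-> pfSense Remote Network
          "local_network": network(c["phase2remoteid"]["ipnet"]),
          "p1_enc": alg(p1[1]), "p1_hash": alg(p1[2]), "p2_enc": alg(esp[1]), "p2_hash": alg(esp[2]), "pfs": "pfs" in p2}
    return [f"{k}: fritzbox={fb[k]!r} pfsense={pf[k]!r}" for k in fb if fb[k] != pf[k]]
```

The check only proves that the two sides will agree on what to negotiate; 3DES, SHA1 and DH group 1 as used in this thread are legacy choices, so a clean result says nothing about strength.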
                    cvhideki

                    Hi guys,
                    I have a similar problem:
                    the connection is active,
                    but traffic exchange is impossible.
                    How do you configure pfSense for traffic exchange???
                    thx
