Pfsense 2.3.2 VPN to FritzBox 7490 06.60



  • Hello everybody,

I am trying to set up a VPN connection between my Fritzbox and a pfSense router. I've tried several instructions with no success. Does anyone have a configuration example for the current version?

    Many thanks
    Best regards



  • Yes, I do.
Works from Fritzbox (Dial-Out) to pfSense (IPsec server).

    Fritzbox-Config - fritzbox.cfg

    vpncfg {
            connections {
                    enabled = yes;
                    conn_type = conntype_lan;
                    name = "VPN-NAME";
                    always_renew = yes;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = 0.0.0.0;
                    remote_virtualip = 0.0.0.0;
                    remotehostname = "pfSenseIP/fqdn";
                    localid {
                            fqdn = "FritzboxIP/fqdn";
                    }
                    remoteid {
                            fqdn = "pfSenseIP/fqdn";
                    }
                    mode = phase1_mode_idp;
                    phase1ss = "def/3des/sha";
                    keytype = connkeytype_pre_shared;
                    key = "PRESHAREDKEY";
                    cert_do_server_auth = no;
                    use_nat_t = yes;
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = Fritzboxnetwork /ex. 192.168.1.0;
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = pfSensenetwork /ex. 192.168.0.0;
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                    accesslist = "permit ip any pfSensenetwork /ex. 192.168.0.0 255.255.255.0";
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    // EOF

    pfSense-Config

VPN / IPsec / Tunnels / Edit Phase 1

    General Information
    Key Exchange version = V1
    Internet Protocol  = V4
    Interface = WAN
    Remote Gateway = FritzboxIP/fqdn
    Description = "VPN-NAME"

    Phase 1 Proposal (Authentication)
    Authentication Method = Mutual PSK
    Negotiation mode = Main
My identifier = My IP address
    Peer identifier = Distinguished name / FritzboxIP/fqdn
    Pre-Shared Key = PRESHAREDKEY

    Phase 1 Proposal (Algorithms)
    Encryption Algorithm = 3DES
    Hash Algorithm = SHA1
    DH Group = 1 (768 bit)
    Lifetime (Seconds) = 28800

    Advanced Options
    Disable rekey = unchecked
    Responder Only = checked
    NAT Traversal  = Force
    Dead Peer Detection = checked
    Delay = 10
    Max failures = 5

VPN / IPsec / Tunnels / Edit Phase 2

    General Information
    Disabled = unchecked
    Mode = Tunnel IPv4
    Local Network = LAN subnet
    NAT/BINAT translation = None
    Remote Network = Network
Address = Fritzboxnetwork /ex. 192.168.1.0 / 24
    Description = "VPN-NAME"

    Phase 2 Proposal (SA/Key Exchange)
    Protocol = ESP
    Encryption Algorithms = AES (Auto), 3DES
    Hash Algorithms = SHA1
PFS key group = 1 (768 bit)
    Lifetime = 3600

    Advanced Configuration
    Automatically ping host = "Fritzbox-IP"

    Don't forget your Firewall-Rules!

    Should be it…



  • Hello,

    many thanks for your response.
Unfortunately, it doesn't work.

Error message on the FRITZBOX: IKE-Error 0x2027
    Log on Pfsense:

    Time Process PID Message
    Sep 20 08:14:13 charon 07[ENC] <10638> generating INFORMATIONAL_V1 request 3412544522 [ HASH N(PLD_MAL) ]
    Sep 20 08:14:13 charon 07[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
    Sep 20 08:14:13 charon 07[IKE] <10638> ID_PROT request with message ID 0 processing failed
    Sep 20 08:14:15 charon 15[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
    Sep 20 08:14:15 charon 15[ENC] <10638> invalid ID_V1 payload length, decryption failed?
    Sep 20 08:14:15 charon 15[ENC] <10638> could not decrypt payloads
    Sep 20 08:14:15 charon 15[IKE] <10638> message parsing failed
    Sep 20 08:14:15 charon 15[ENC] <10638> generating INFORMATIONAL_V1 request 3776601609 [ HASH N(PLD_MAL) ]
    Sep 20 08:14:15 charon 15[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
    Sep 20 08:14:15 charon 15[IKE] <10638> ID_PROT request with message ID 0 processing failed
    Sep 20 08:14:19 charon 05[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
    Sep 20 08:14:19 charon 05[ENC] <10638> invalid ID_V1 payload length, decryption failed?
    Sep 20 08:14:19 charon 05[ENC] <10638> could not decrypt payloads
    Sep 20 08:14:19 charon 05[IKE] <10638> message parsing failed
    Sep 20 08:14:19 charon 05[ENC] <10638> generating INFORMATIONAL_V1 request 322518928 [ HASH N(PLD_MAL) ]
    Sep 20 08:14:19 charon 05[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
    Sep 20 08:14:19 charon 05[IKE] <10638> ID_PROT request with message ID 0 processing failed
    Sep 20 08:14:27 charon 10[NET] <10638> received packet: from fritzbox[4500] to pfsense[4500] (108 bytes)
    Sep 20 08:14:27 charon 10[ENC] <10638> invalid ID_V1 payload length, decryption failed?
    Sep 20 08:14:27 charon 10[ENC] <10638> could not decrypt payloads
    Sep 20 08:14:27 charon 10[IKE] <10638> message parsing failed
    Sep 20 08:14:27 charon 10[ENC] <10638> generating INFORMATIONAL_V1 request 1938149978 [ HASH N(PLD_MAL) ]
    Sep 20 08:14:27 charon 10[NET] <10638> sending packet: from pfsense[500] to fritzbox[500] (68 bytes)
    Sep 20 08:14:27 charon 10[IKE] <10638> ID_PROT request with message ID 0 processing failed
    Sep 20 08:14:42 charon 08[JOB] <10638> deleting half open IKE_SA after timeout
    Sep 20 08:14:51 charon 14[CFG] rereading secrets
    Sep 20 08:14:51 charon 14[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for %any @dyndns.fritz.box
    Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for dyndns.fritz.box
    Sep 20 08:14:51 charon 14[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Sep 20 08:14:51 charon 14[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Sep 20 08:14:51 charon 14[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Sep 20 08:14:51 charon 14[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Sep 20 08:14:51 charon 14[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Sep 20 08:14:51 charon 11[CFG] received stroke: unroute 'bypasslan'
    Sep 20 08:14:51 ipsec_starter 29044 shunt policy 'bypasslan' uninstalled
    Sep 20 08:14:51 charon 14[CFG] received stroke: delete connection 'bypasslan'
    Sep 20 08:14:51 charon 14[CFG] deleted connection 'bypasslan'
    Sep 20 08:14:51 charon 14[CFG] received stroke: delete connection 'con1000'
    Sep 20 08:14:51 charon 14[CFG] deleted connection 'con1000'
    Sep 20 08:14:51 charon 06[CFG] received stroke: add connection 'bypasslan'
    Sep 20 08:14:51 charon 06[CFG] added configuration 'bypasslan'
    Sep 20 08:14:51 charon 11[CFG] received stroke: route 'bypasslan'
    Sep 20 08:14:51 ipsec_starter 29044 'bypasslan' shunt PASS policy installed
    Sep 20 08:14:51 charon 06[CFG] received stroke: add connection 'con1000'
    Sep 20 08:14:51 charon 06[CFG] added configuration 'con1000'
    Sep 20 08:14:55 charon 06[IKE] <con1000|10637>sending retransmit 5 of request message ID 0, seq 1
    Sep 20 08:14:55 charon 06[NET] <con1000|10637>sending packet: from pfsense[500] to fritzbox[500] (176 bytes)
    Sep 20 08:16:10 charon 15[IKE] <con1000|10637>giving up after 5 retransmits
Sep 20 08:16:10 charon 15[IKE] <con1000|10637>establishing IKE_SA failed, peer not responding

    Can you help me?

    Many thanks
    Best regards

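An added troubleshooting aid, not code from anyone in this thread: a small Python script that parses charon log lines in the format posted above (the sample lines are constructed from that post, with the hostnames abbreviated as there), groups them by IKE_SA and maps the recurring symptoms to what to check first.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the charon lines quoted in the post above.
SAMPLE_LOG = """\
Sep 20 08:14:15 charon 15[ENC] <10638> invalid ID_V1 payload length, decryption failed?
Sep 20 08:14:15 charon 15[ENC] <10638> could not decrypt payloads
Sep 20 08:14:15 charon 15[IKE] <10638> ID_PROT request with message ID 0 processing failed
Sep 20 08:14:42 charon 08[JOB] <10638> deleting half open IKE_SA after timeout
Sep 20 08:14:51 charon 14[CFG] loaded IKE secret for %any @dyndns.fritz.box
Sep 20 08:16:10 charon 15[IKE] <con1000|10637>giving up after 5 retransmits
Sep 20 08:16:10 charon 15[IKE] <con1000|10637>establishing IKE_SA failed, peer not responding
"""

# syslog timestamp, "charon", thread id, [subsystem], optional <conn|sa> or <sa>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> ?)?(?P<msg>.*)$")
# Symptom substring -> what the IKEv1 responder is telling you and what to check first.
SYMPTOMS = {
    "could not decrypt payloads":
        "Main Mode message 5 could not be decrypted, typically because both ends derived "
        "keys from different PSKs: check the pre-shared key and the My/Peer identifiers",
    "deleting half open IKE_SA after timeout": "Phase 1 never completed for this SA",
    "peer not responding":
        "pfSense initiated and got no answer: check remote gateway/DynDNS, UDP 500/4500 "
        "on the WAN rules, and whether a side is set to Responder Only",
}

def parse_line(line):
    """Split one charon line into fields; None for lines from other processes (ipsec_starter)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(text):
    """Return {ike_sa_id: {symptom, ...}} for every SA that shows a known failure symptom."""
    findings = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:   # CFG lines carry no SA id
            continue
        findings[rec["sa"]].update(s for s in SYMPTOMS if s in rec["msg"])
    return {sa: syms for sa, syms in findings.items() if syms}

def report(text):
    """One hint per (SA, symptom), in a stable order."""
    return [f"IKE_SA {sa}: {SYMPTOMS[s]}"
            for sa, syms in sorted(analyse(text).items()) for s in sorted(syms)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```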


Unfortunately I can't, I'm sorry. Might be a problem with the identifier. Try a change to e-mail address? You need to post your config incl. your IPsec advanced settings.

The config works for me, I just set it up yesterday and the tunnel has been up and running since then.



  • Hi,

    it works  :)

I've tried some changes to the identifier, now it works.

    Many thanks

    Best regards



  • Can you please show your configs on both sides?!

You're welcome…



Of course

    My Fritzbox has a dynamic IP, so I use DynDNS for it.

    Pfsense has a static IP address.

pfSense Configuration

    VPN / IPsec /Tunnels / Edit Phase 1

Disabled = Unchecked
    General Information
    Key Exchange version = V1
    Internet Protocol  = IPV4
    Interface = WAN
    Remote Gateway = DYNDNS of FritzBox
    Description = "Name of VPN"

    Phase 1 Proposal (Authentication)
    Authentication Method = Mutual PSK
    Negotiation mode = Main
My identifier = My IP address
    Peer identifier = Distinguished name -> DYNDNS of FritzBox
    Pre-Shared Key = Preshared-Key

    Phase 1 Proposal (Algorithms)
    Encryption Algorithm = 3DES
    Hash Algorithm = SHA1
    DH Group = 1 (768 bit)
    Lifetime (Seconds) = 28800

    Advanced Options
    Disable rekey = Unchecked
    Responder Only = Unchecked
    NAT Traversal  = Force
    Dead Peer Detection = checked
    Delay = 10
    Max failures = 5

    VPN / IPsec / Tunnels / Edit Phase 2

    General Information
    Disabled = Unchecked
    Mode = Tunnel IPv4
    Local Network = LAN subnet
    NAT/BINAT translation = None
    Remote Network = Network -> Fritzboxnetwork (example 192.168.1.0 / 24)
    Description = "Name of VPN"

    Phase 2 Proposal (SA/Key Exchange)
    Protocol = ESP
    Encryption Algorithms = 3DES
    Hash Algorithms = SHA1
PFS key group = 1 (768 bit)
    Lifetime = 3600

    Advanced Configuration
Automatically ping host = IP address of FritzBox

    FritzBox Configuration

    vpncfg {
            connections {
                    enabled = yes;
                    conn_type = conntype_lan;
                    name = "Name of VPN";
                    always_renew = yes;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = STATIC-IP of PFSENSE;
                    remote_virtualip = 0.0.0.0;
                    localid {
                            fqdn = "DYNDNS of FritzBox";
                    }
                    remoteid {
                            ipaddr = "STATIC-IP of PFSENSE";
                    }
                    mode = phase1_mode_idp;
                    phase1ss = "def/3des/sha";
                    keytype = connkeytype_pre_shared;
                    key = "Preshared-Key";
                    cert_do_server_auth = no;
                    use_nat_t = yes;
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = Fritzboxnetwork;
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = Pfsensenetwork;
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                    accesslist = "permit ip any Pfsensenetwork 255.255.255.0";
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    // EOF

    Best regards



Hi guys,
    I have a similar problem:
    the connection is active,
    but traffic exchange is impossible.
    How do you configure pfSense for traffic exchange?
    thx

