Netgate Discussion Forum
    Information: IPSec Tunnel between Fritz Box 7490 and pfSense 2.1.5

    2 Posts 2 Posters 4.7k Views
      Alfi1966

      Setting up a working IPSEC Tunnel between Fritz Box and pfSense

      I have been struggling quite some time to create a reliable VPN tunnel between a Fritz Box 7490 (Firmware 6.20) and a pfSense 2.1.5 firewall. Both have fixed IP addresses and both are facing the public internet directly.

      The problem I kept running into was the VPN clearing on a timeout every 61 minutes, even if traffic was passing through the tunnel. (Error message: "VPN connection to VPN tunnel [tunnel name] has been cleared. Cause: 1 Lifetime expired".)

      Now that I finally managed to establish a perfect connection, it is time to share some information for everyone struggling with the same problem. I will not go into the steps you have to take, they are described over and over everywhere, but I will provide you with the connection setup itself. Fill in the x.x.x.x IP addresses with your own IP addresses.

      The Fritz Box 7490 config file:

      vpncfg {
        connections {
          enabled = yes; // Duh!
          conn_type = conntype_lan;
          name = "[name of your tunnel]";
          always_renew = yes;
          reject_not_encrypted = no;
          dont_filter_netbios = yes;
          localip = 0.0.0.0;
          local_virtualip = 0.0.0.0;
          remoteip = x.x.x.x; // The private IP address of your pfSense LAN / DMZ or whatever you want to connect to.
          remote_virtualip = 0.0.0.0;
          remotehostname = "[x.x.x.x or fqdn]"; // the permanent hostname of the pfSense firewall
          keepalive_ip = x.x.x.x; //A private IP address on the remote end
          localid {
            ipaddr = x.x.x.x; // The permanent IP address of the FRITZ!Box
          }
          remoteid {
            ipaddr = x.x.x.x; // The permanent IP address of the pfSense box
          }
          mode = phase1_mode_aggressive;
          phase1ss = "def/3des/sha";
          keytype = connkeytype_pre_shared;
          key = "[your pre-defined shared secret]"; // the pre-shared key as configured in your pfSense config.
          cert_do_server_auth = no;
          use_nat_t = no;
          use_xauth = no;
          use_cfgmode = no;
          phase2localid {
            ipnet {
              ipaddr = x.x.x.x; // the subnet IP address of your FRITZ!Box - the default being 192.168.178.0
              mask = 255.255.255.0; // the subnet netmask of your FRITZ!Box - the default being 255.255.255.0
            }
          }
          phase2remoteid {
            ipnet {
              ipaddr = x.x.x.x; // the subnet IP address of your pfSense box - the default being 192.168.1.0
              mask = 255.255.255.0; // the subnet netmask of your pfSense box - the default being 255.255.255.0
            }
          }
          phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
          accesslist = "permit ip any 192.168.10.0 255.255.255.0"; // again, the subnet IP address and netmask of your pfSense box
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
      }

      The pfSense 2.1.5 setup:

      General information:

      • Internet protocol: IPV4
      • Interface: WAN
      • Remote Gateway: Public IP of the Fritz Box
      • Description: Choose a name for your VPN

      Phase One proposal:

      • Authentication Method: Mutual PSK
      • Negotiation mode: Aggressive
      • My Identifier: My IP address
      • Peer Identifier: IP Address x.x.x.x [Public IP address Fritz Box]
      • Pre shared Key: [Your pre-defined shared secret]
      • Policy Generation: Default
      • Proposal Checking: Default
      • Encryption Algorithm: 3DES
      • Hash Algorithm: SHA1
      • DH Key Group: 1 (768 bit)
      • Lifetime: 3600

      Advanced Options:

      • NAT Traversal: Disable
      • Dead peer detection: Enable
      • Dead peer detection: 10 seconds
      • Dead peer detection: 5 retries

      Phase 2

      • Mode: Tunnel IPv4
      • Local Network: [pfsense network address of the interface you want your VPN traffic to pass to]
      • Local Network NAT: None
      • Remote Network: Network
      • Remote Network: [Remote private subnet behind the Fritz Box]
      • Description: [Your preferred name for this entry]

      Phase 2 proposal (SA / Key Exchange)

      • Protocol: ESP
      • Encryption Algorithms: AES 256 / 3DES
      • Hash Algorithms: SHA1
      • PFS key group: 1
      • Lifetime: 3600

      Advanced options

      • Auto ping host: x.x.x.x [Private IP on Fritz Box side of the Tunnel]

      That's it. For me this VPN stays up indefinitely (general connection failures excluded, of course). Hope it helps someone.

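As an added example (not from the post above, and not AVM or Netgate code), a small Python checker that parses the FRITZ!Box vpncfg syntax shown in the post and compares the phase 1/phase 2 choices and the remote subnet with the pfSense values the post lists. The sample config, the shape of the PFSENSE dict and the function names are my own assumptions.

```python
# Constructed sample in the FRITZ!Box vpncfg syntax quoted in the post (subnet taken from its accesslist).
SAMPLE_VPNCFG = """vpncfg {
  connections {
    mode = phase1_mode_aggressive;
    phase1ss = "def/3des/sha";
    phase2remoteid {
      ipnet {
        ipaddr = 192.168.10.0;
        mask = 255.255.255.0;
      }
    }
    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
    accesslist = "permit ip any 192.168.10.0 255.255.255.0";
  }
}"""

# pfSense side as entered in the GUI per the post; the dict layout is my own (assumption).
PFSENSE = {"p1_enc": "3des", "p1_hash": "sha", "aggressive": True, "p2_enc": {"aes256", "3des"},
           "p2_hash": "sha", "pfs": True, "dh_group": 1, "local_net": ("192.168.10.0", "255.255.255.0")}

def parse_vpncfg(text):
    """Turn the brace / `key = value;` syntax into nested dicts; `//` comments are dropped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line.endswith("{"):                      # open a nested section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                           # close it
            stack.pop()
        elif "=" in line:                           # scalar: drop the ';' and surrounding quotes
            key, _, val = line.rstrip(";").partition("=")
            stack[-1][key.strip()] = val.strip().strip('"')
    return stack[0]

def check_against_pfsense(cfg, pf):
    """Return a list of mismatches between the FRITZ!Box connection and the pfSense phase 1/2 settings."""
    conn, out = cfg["vpncfg"]["connections"], []
    if conn["phase1ss"].split("/")[1:3] != [pf["p1_enc"], pf["p1_hash"]]:   # "def/3des/sha"
        out.append("phase 1 encryption/hash differ")
    if (conn["mode"] == "phase1_mode_aggressive") != pf["aggressive"]:
        out.append("negotiation mode differs")
    p2 = conn["phase2ss"].split("/")                # esp-3des-sha / ah-no / comp-no / pfs
    enc, hsh = p2[0].split("-")[1:3]
    if enc not in pf["p2_enc"] or hsh != pf["p2_hash"] or ("pfs" in p2) != pf["pfs"]:
        out.append("phase 2 proposal differs")
    net = conn["phase2remoteid"]["ipnet"]           # must equal pfSense's local network and the accesslist
    if (net["ipaddr"], net["mask"]) != pf["local_net"] or " ".join(pf["local_net"]) not in conn["accesslist"]:
        out.append("remote subnet/accesslist differ from pfSense local network")
    return out
```

The check only confirms that both ends agree; 3DES, DH group 1 (768 bit) and aggressive mode with a pre-shared key are all weak choices by current standards, so use it for the interoperability question, not as a sign-off on the crypto.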
        agreen

        I have the same problem...
        If pfSense opens the VPN tunnel it works, but if the Fritzbox 7490 opens the connection the tunnel doesn't work.

        The same config with an older Fritzbox works very well.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.