IPSec - Fritz!Box with UTM

• An AVM Fritz!Box is required

• The remote station equipped with a Securepoint appliance must have a static IP address

The manufacturer's homepage can be used to check whether new firmware is available for the Fritz!Box.

Firmware Update: Show details

Installing a new Fritz!Box firmware version

Before downloading the new firmware version from AVM's website, make sure that only firmware approved for the existing product can be used.

• The interface of the Fritz!Box is opened in the browser
  Factory setting: https://192.168.178.1
• Click on System ➊ → Update ➋ notempty
  If the Fritz!Box comes from a cable provider, this function is not available!
• In the dialog Fritz!OS-Version ➌ click on Search for new Fritz!OS ➍ to search online for an update, or in the dialog Fritz!OS-File ➎ import the downloaded firmware file.

To be able to use a DynDNS in the VPN configuration, this function must be set up beforehand. This requires that an account with a DynDNS service provider is available (Use Securepoint Dynamic DNS Host ).

Activation of DynDNS in the Fritz!Box

• In the interface of the Fritz!Box open Internet ➊ Permit Access ➋
• Go to the DynDNS ➌ dialog
• Activation of the checkbox  Use DynDNS ➍
• Enter the login data of the DynDNS provider used:

• With the button Apply made changes are saved.

Configuring the internal network of the Fritz!Box

• In the interface of the Fritz!Box go to Home network → Network and switch to the dialog Network Settings
• In the IP Addresses section, click the IPv4 Settings button.
• Enter the following under Home network:

• With the button Apply made changes are saved. A new login to the new IP address of the Fritz!Box is then necessary

Start screen of the Set up Fritz!Remote access software

The configuration of the VPN connection is not done via the configuration interface in the browser, but is imported to the Fritz!Box as a file. The configuration file is created with an application software, which is downloaded from the website of the manufacturer AVM. The application software is called Configure Fritz!Box VPN Connection.

Show instructions to create VPN configuration

• Download and install the Configure Fritz!Box VPN Connection software
• Click on the icon New in the toolbar to create a new configuration file. Two files are always created, of which the fritzbox_fritz_lokal.spdyn.de.cfg file is required
  ‍

  The required configuration file always starts with fritzbox_ and in addition the entered DynDNS name of the Fritz!Box from the 2nd setup step in the application software.

A wizard guides you through the creation of the configuration file:

Step 1

Select type of connection

• In the first step, select which devices are to be connected to each other
• Two devices should connect with each other. Activating  Configure a connection between two FRITZ!Box networks
• Next

Step 2

Enter spDyn domain (or other dynamic DNS service)

• First, the data of the local Fritz!Box are queried
• Specify the established spDyn URL of the local router

In this example: fritz_lokal.spdyn.de

• Next

Step 3

Enter internal network

• Enter the internal network of the local Fritz!Box and the corresponding subnet mask

The internal network of the Fritz!Box that is to be accessed via the VPN connection is set up.

‍

The network that was set up under Change Internal Network

• Click on Next

Step 4

Static IP address of the Securepoint appliance

• Afterwards the data of the remote station are queried
• Specify the fixed IP address of the Securepoint appliance

In this example: 192.0.2.192

• Next

Step 5

Internal network of the Securepoint appliance

• Enter the internal network of the Securepoint appliance and the corresponding subnet mask
• Next

Step 6

Show directory of files

• The data entry is finished
• In the next step decide whether to display or export the configuration files

Select the first point here

• Finish

The location of the files is displayed.

Two files are created by the wizard, only one is imported into the Fritz!Box. In this example, this is the file: fritzbox_fritz_lokal.spdyn.de.cfg.

‍

The required configuration file always starts with fritzbox_ and in addition the entered DynDNS name of the Fritz!Box from the 2nd setup step in the application software.

notempty

This configuration file still has to be adapted so that a connection to the Securepoint appliance can be established.

• Open this file in any editor

The configuration file created above will be adjusted.
Entries marked in green are individual configurations.
Necessary manual changes are additionally marked with .

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name =  "Securepoint";              //  Name of the connection in the configuration interface
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 192.0.2.192;               // static IP address of the Securepoint appliance
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "fritz_lokal.spdyn.de";    // spdyn DNS name of the Fritz!Box
            //ipaddr = xxx.xxx.xxx.xxx;       // static IP address of the Fritz!Box, if available
        }
        remoteid {
            ipaddr = 192.0.2.192;             // static IP address of the Securepoint appliance
        } 
        mode = phase1_mode_idp;               //  Main-Mode
        phase1ss = "dh15/aes/sha";            //  Proposals for Phase 1 (DH15, AES, SHA).
        keytype = connkeytype_pre_shared;
        key = "secret";                       //  VPN Password (Preshared Key)
        cert_do_server_auth = no;
        use_nat_t = no; / yes;                //  Is a site behind a NAT router yes = yes; no = no; 
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr =  192.168.100.0;      // internal network of the Fritz!Box
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.175.0;       //  internal network of the Securepoint appliance
                mask = 255.255.255.0;
            }
        }
        phase2ss =  "esp-all-all/ah-none/comp-all/pfs";              //  with compression
        accesslist = "permit ip any 192.168.175.0 255.255.255.0";    //  internal network of the Securepoint appliance
    } 
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF

Explanation of changes and settings

Caption	Value	Description
name =	"Securepoint";	// Name of the connection in the configuration interface The name of the connection has been renamed to a unique term. This is displayed in the Fritz!Box configuration interface when the file has been imported.
remoteip =	192.0.2.192;	// static IP address of the Securepoint appliance This is the static IP address of the Securepoint appliance. Has already been configured in the wizard.
localid{    fqdn =	"fritz_lokal.spdyn.de";	// spdyn DNS name of the Fritz!Box Has already been configured in the wizard.
//ipaddr = }	xxx.xxx.xxx.xxx;	// static IP address of the Fritz!Box, if available An IP address can also be entered here if the Fritz!Box has a static IP address. These entries are also set by the wizard.
remoteid {    ipaddr = }	192.0.2.192;	// static IP address of the Securepoint appliance Re-entering the static IP address of the Securepoint appliance. Has already been configured in the wizard.
mode =	phase1_mode_idp;	// Main-Mode The transport mode must be changed from "aggressive" to "main", because only this mode is supported by the Securepoint software.
phase1ss =	"dh15/aes/sha";	// Proposals for Phase 1 (DH15, AES, SHA). The encryption parameters for IKE phase 1 must be adjusted. notempty Older Fritz!Box firmware versions only support AES 128 bits, SHA1 and DHA2.
key =	"secret";	// VPN Password (Preshared Key) Enter the preshared key.The preshared key generated by the wizard can also be used. This must then also be stored on the Securepoint appliance.
phase2localid {    ipnet {      ipaddr =      mask =   } }	192.168.100.0; 255.255.255.0;	// internal network of the Fritz!Box // Subnet mask Under phase2localid, the internal network of the Fritz!Box that is to be connected to the remote network must be specified.
phase2remoteid {    ipnet {      ipaddr =      mask =   } }	192.168.175.0; 255.255.255.0;	// internal network of the Securepoint appliance The internal network of the Securepoint appliance must be listed under phase2remoteid.
phase2ss =	"esp-all-all/ah-none/comp-all/pfs"	// with compression The encryption parameters for IKE phase 2 must be identical to those for phase 1. notempty Older Fritz!Box firmware versions only support AES 128 bits, SHA1 and DH2. If "all/all/all" is entered in phase 1, "esp-all-all" can then be entered accordingly. With "ah-none" no authentication header is expected and with "comp-all" compression is supported.
accesslist =	"permit ip any 192.168.175.0 255.255.255.0";	// internal network of the Securepoint appliance

The so modified configuration file is saved again as fritzbox_fritz_lokal.spdyn.de.cfg.

Add additional networks

If further networks are to be added to the Securepoint appliance, the parameter accesslist in the configuration file is adjusted accordingly.

Example 1

Example 1

The networks 192.168.82.0/24 to 192.168.92.0/24 should be accessible via VPN.
This means that only the specified network mask is adjusted in the accesslist parameter:

accesslist = "permit ip any 192.168.82.0 255.255.240.0";

‍

This enables the networks 192.168.80.0/24 to 192.168.95.0/24.

Example 2

Example 2

In addition to the network 192.168.175.0/24, the network 192.168.82.0/24 should also be accessible via VPN.
This additional network is added in the accesslist parameter:

accesslist = "permit ip any 192.168.175.0 255.255.255.0", "permit ip any 192.168.82.0 255.255.255.0";

‍

Separate these entries with a comma and end with a semicolon.

Upload configuration file

Adding a VPN connection in the Fritz!Box

In the logged-in Interace of the Fritz!Box, Internet ➊ → Permit Access ➋ → VPN (IPSec) ➌ on the Add VPN Connection ➍ is clicked.

Selecting the type of VPN configuration in the Fritz!Box

In the VPN Connection window,  Import a VPN configuration from a VPN settings file ➎ is selected from the four setup options.
Continue with Next ➏.

Upload the configuration file in the Fritz!Box

Via the Browse... button ➐ the configuration file that was created is selected.
If the file is encrypted, this setting will be enabled. Under Password the password is then entered.
Finally, click on Apply ➑.

Under System → Event Log the connection establishment is logged.

Subsequently, the settings on the Securepoint appliance must be configured:

• A site-to-site IPSec connection is established. notempty
  Use IKE version 1 and the same preshared key as in the configuration file of the Fritz!Box
• If necessary, create a network object for the IPSec VPN network of the remote station and create the corresponding firewall rules, if they are not created automatically by the wizard
• Adjust the settings of the phases of the IPSec connection. notempty
  Use Phase 2 PFS