IPSec with Fritz!Box and multiple networks

• An AVM Fritz!Box is required

• The remote station equipped with a Securepoint appliance must have a static IP address

Importing a new firmware version

The manufacturer's homepage can be used to check whether new firmware is available for the Fritz!Box.

notempty

With older Fritz!Box firmware versions, not all encryption algorithms for IKEv1 are supported. Therefore, it is recommended to keep the firmware up to date.
For more information, see the section Adjust the configuration file.

Installing a new Fritz!Box firmware version

Before downloading the new firmware version from AVM's website, make sure that only firmware approved for the existing product can be used.

• The interface of the Fritz!Box is opened in the browser
  Factory setting: https://192.168.178.1
• Click on System ➊ → Update ➋ notempty
  If the Fritz!Box comes from a cable provider, this function is not available!
• In the dialog Fritz!OS-Version ➌ click on Search for new Fritz!OS ➍ to search online for an update, or in the dialog Fritz!OS-File ➎ import the downloaded firmware file.

Activate DynDNS

To be able to use a DynDNS in the VPN configuration, this function must be set up beforehand. This requires that an account with a DynDNS service provider is available (Use Securepoint Dynamic DNS Host ).

Activation of DynDNS in the Fritz!Box

• In the interface of the Fritz!Box open Internet ➊ → Permit Access  ➋
• Go to the DynDNS ➌ dialog
• Activation of the checkbox  Use DynDNS ➍
• Enter the login data of the DynDNS provider used:

Caption	Value	Description
Update-URL	https://update.spdyn.de/ne/update?...	The update-URL of the DynDNS provider
Domainname	d-vpn.spdns.de	The domain name for the Fritz!Box with the DynDNS provider
Username	d-vpn.spdns.org	The username of the account For spDyn with reseller account also the hostname
Password	****	The password of the account For spDyn with reseller account the token

• With the button Apply made changes are saved.

Change internal network

notempty

The following changes must be made when using the "Fritz!Remote Access Setup" program. See the following section Create VPN configuration.

The Securepoint Appliances and the Fritz!Box must not use the same IP network. By default, this is 192.168.178.0/24 for those.
This wiki article describes the modification of the IP network of the UTM.
According to the default settings of the Fritz!Box VPN Assistant, the factory-set internal network 192.168.178.0/24 may not be used for VPN.
Therefore, the internal network must be changed.

Configuration of the internal network of the Fritz!Box

• In the interface of the Fritz!Box open Home Network → Network→ Tab Network Settings.
• In the section IP Addresses click on the button IPv4 Settings
• The following can be found under Home Network:

Caption	Value	Description
IPv4 address	192.168.100.1	The new IPv4 address for the Fritz!Box
Subnet mask	255.255.255.0	The subnet mask for the new IPv4 address of the Fritz!Box
Select  Enable DHCP Server and enter the following:
from	192.168.100.20	The beginning of the span of the DHCP IPv4 addresses
to	192.168.100.200	The end of the span of DHCP IPv4 addresses.
Validity	10days	The validity of the DHCP IPv4 addresses

• With the button Apply made changes are saved. A new login to the new IP address of the Fritz!Box is then necessary

Create VPN configuration

Start screen of the Fritz!Remote Access Setup software

The configuration of the VPN connection is not done via the configuration interface in the browser, but is imported to the Fritz!Box as a file. The configuration file is created with an application software, which is downloaded from the website of the manufacturer AVM. The application software is called Configure Fritz!Box VPN Connection.

• Download and install the Configure Fritz!Box VPN Connection software
• Click on the icon New in the toolbar to create a new configuration file. Two files are always created, of which the fritzbox_fritz_lokal.spdyn.de.cfg file is required
  The required configuration file always starts with fritzbox_ and in addition the entered DynDNS name of the Fritz!Box from the 2nd setup step in the application software.
    

A wizard guides you through the creation of the configuration file:

Step 1

Select type of connection

• In the first step, select which devices are to be connected to each other
• Two devices should connect with each other. Activating  Configure a connection between two FRITZ!Box networks
• Next

Step 2

Enter spDyn domain (or other dynamic DNS service)

• First, the data of the local Fritz!Box are queried
• Specify the established spDyn URL of the local router

In this example: fritz_lokal.spdyn.de

• Next

Step 3

Enter internal network

• Enter the internal network of the local Fritz!Box and the corresponding subnet mask

The internal network of the Fritz!Box that is to be accessed via the VPN connection is set up.

The network that was set up under Change Internal Network}

• Click on Next

  

Alternatively, the entry "all/all/all" is also possible. Then the connection setup may take a little longer.

Step 4

Static IP address of the Securepoint appliance

• Afterwards the data of the remote station are queried
• Specify the fixed IP address of the Securepoint appliance

In this example: 192.0.2.192

• Next

Step 5

Internal network of the Securepoint appliance

• Enter the internal network of the Securepoint appliance and the corresponding subnet mask
• Next

Step 6

Show directory of files

• The data entry is finished
• In the next step decide whether to display or export the configuration files

Select the first point here

• Finish

The location of the files is displayed.

The created above configuration file is adjusted so that the VPN connection can be set up.
If a VPN connection of a Securepoint Appliance with a Fritz!Box already exists and further networks are to be connected with the Fritz!Box via VPN, then the existing configuration file can be used as a basis.
For each additional network, this connection must be entered in the configuration file.

If, for example, a UTM with the network 192.168.10.0/24 and a second UTM with the network 192.168.20.0/24 are to be connected to a Fritz!Box network 192.168.100.0/24 via VPN, an entry is made in the configuration file within the connections section for each network. In the following example using the file fritzbox_fritz_lokal.spdyn.de.cfg created above.
Entries marked in green are individual configurations.
Necessary manual changes are additionally marked with .

vpncfg {
    connections { // Start network of the 1st appliance
        enabled = yes;
        conn_type = conntype_lan;
        name = "Securepoint 1st connection"; //  Name of the connection in the configuration interface
        always_renew = yes; // Set to "no" if the connection is to be established only when needed and terminated when inactive
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 192.0.2.10; //  external IP address of the 1st appliance
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "fritz_lokal.spdyn.de"; //  spdyn DNS name of the Fritz!Box
            //ipaddr = xxx.xxx.xxx.xxx;       // static IP address of the Fritz!Box, if available
        }
        remoteid {
            ipaddr = 192.0.2.10; //  external IP address of the 1st appliance
        }
        mode = phase1_mode_idp;               //  Main-Mode
        phase1ss = "dh15/aes/sha";            //  Proposals for Phase 1 (DH15, AES, SHA).
        keytype = connkeytype_pre_shared;
        key = "<shared passphrase>"; //  VPN Password (Preshared Key)
        cert_do_server_auth = no;
        use_nat_t = no; / yes;                //  Is a site behind a NAT router yes = yes; no = no; 
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.100.0; //  internal network of the Fritz!Box
                mask = 255.255.255.0; //  corresponding net mask
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.10.0; //  iternal Network of the 1st appliance
                mask = 255.255.255.0; //  corresponding net mask
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";              //  with compression
        accesslist = "permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0";    //  internal network of the Fritz!Box and the first Securepoint appliance with respective network masks
    }  // End network of the 1st appliance 
    {  // Start network of the 2nd appliance 
        enabled = yes;
        conn_type = conntype_lan;
        name = "Securepoint 2nd connection"; //  Name of the connection in the configuration interface
        always_renew = yes; // Set to "no" if the connection is to be established only when needed and terminated when inactive
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 192.0.2.20; //  external IP address of the 2nd appliance
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "fritz_lokal.spdyn.de"; //  spdyn DNS name of the Fritz!Box
            //ipaddr = xxx.xxx.xxx.xxx;       // static IP address of the Fritz!Box, if available
        }
        remoteid {
            ipaddr = 192.0.2.20; //  external IP address of the 2nd appliance
        }
        mode = phase1_mode_idp;               //  Main-Mode
        phase1ss = "dh15/aes/sha";            //  Proposals for Phase 1 (DH15, AES, SHA).
        keytype = connkeytype_pre_shared;
        key = "<shared passphrase>; //  VPN Password (Preshared Key)
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.100.0; //  internal network of the Fritz!Box
                mask = 255.255.255.0; //  corresponding net mask
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.20.0; // 
                mask = 255.255.255.0; // 
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";              //  with compression
        accesslist = "permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0";    //  internal network of the Fritz!Box and the second Securepoint appliance with respective network masks
    } // End network of the 2nd appliance 
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
} //  
// EOF

The following parameters must be adjusted accordingly for each connection (here at the example of the 1st appliance):

Caption	Value	Description
name =	"Securepoint";	// Name of the connection in the configuration interface The name of the connection has been renamed to a unique term. This is displayed in the Fritz!Box configuration interface when the file has been imported.
remoteip =	192.0.2.10;	// external IP address of the 1st appliance This is the static IP address of the Securepoint appliance. Has already been configured in the wizard.
localid{    fqdn =	"fritz_lokal.spdyn.de";	// spdyn DNS name of the Fritz!Box Has already been configured in the wizard.
//ipaddr = }	xxx.xxx.xxx.xxx;	// static IP address of the Fritz!Box, if available An IP address can also be entered here if the Fritz!Box has a static IP address. These entries are also set by the wizard.
remoteid {    ipaddr = }	192.0.2.10;	// external IP address of the 1st appliance Re-entering the static IP address of the Securepoint appliance. Has already been configured in the wizard.
mode =	phase1_mode_idp;	// Main-Mode The transport mode must be changed from "aggressive" to "main", because only this mode is supported by the Securepoint software.
phase1ss =	"dh15/aes/sha";	// Proposals for Phase 1 (DH15, AES, SHA). The encryption parameters for IKE phase 1 must be adjusted. notempty Older Fritz!Box firmware versions only support AES 128 bits, SHA1 and DHA2.
key =	"shared passphrase";	// VPN Password (Preshared Key) Enter the preshared key.The preshared key generated by the wizard can also be used. This must then also be stored on the Securepoint appliance.
phase2localid {    ipnet {      ipaddr =      mask =   } }	192.168.100.0; 255.255.255.0;	// internal network of the Fritz!Box // Subnet mask Under phase2localid, the internal network of the Fritz!Box that is to be connected to the remote network must be specified.
phase2remoteid {    ipnet {      ipaddr =      mask =   } }	192.168.175.0; 255.255.255.0;	// iternal Network of the 1st appliance The internal network of the Securepoint appliance must be listed under phase2remoteid.
phase2ss =	"esp-all-all/ah-none/comp-all/pfs"	// with compression The encryption parameters for IKE phase 2 must be identical to those of phase 1. notempty Older Fritz!Box firmware versions only support AES 128 bits, SHA1 and DHA2. If "all/all/all" is entered in phase 1, "esp-all-all" can then be entered accordingly. With "ah-none" no authentication header is expected and with "comp-all" compression is supported.
accesslist =	"permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0";	// internal network of the Fritz!Box and the first Securepoint appliance with respective network masks

The so modified configuration file is saved again as fritzbox_fritz_lokal.spdyn.de.cfg.

Add additional networks

If further networks are to be added to the Securepoint appliance, the parameter accesslist is adapted accordingly in the configuration file.

Example 1

Example 1

The networks 192.168.82.0/24 to 192.168.92.0/24 should be reachable via VPN.
Thus, only the specified network mask is adjusted in the parameter accesslist:

accesslist = "permit ip any 192.168.82.0 255.255.240.0";

This releases the networks 192.168.80.0/24 to 192.168.95.0/24.

  

Example 2

Example 2

In addition to the network 192.168.175.0/24, the network 192.168.82.0/24 should also be reachable via VPN.
Thus, only the specified network mask is adjusted in the parameter accesslist:

accesslist = "permit ip any 192.168.175.0 255.255.255.0", "permit ip any 192.168.82.0 255.255.255.0";

Separate these entries with a comma and end with a semicolon.

  

Upload configuration file

Adding a VPN connection in the Fritz!Box

The user logs into the Fritz!Box interface. Through Internet ➊ → Permit Access ➋ → VPN (IPSec) ➌ the button Add VPN connection ➍ is clicked.

Selecting the type of VPN configuration in the Fritz!Box

In the VPN Connection window,  Import a VPN configuration from a VPN settings file ➎ is selected from the four setup options.
Continue with Next ➏.

Upload the configuration file to the Fritz!Box

Via the Browse... button ➐ the configuration file that was created is selected.
If the file is encrypted, this setting will be enabled. Under Password the password is then entered.
Finally, click on Apply ➑.
Under System → Results the connection establishment is logged.

Subsequently, the settings on the Securepoint appliance must be configured:

• A site-to-site IPSec connection is established. notempty
  Use IKE version 1 and the same preshared key as in the configuration file of the Fritz!Box
• If necessary, create a network object for the IPSec VPN network of the remote station and create the corresponding firewall rules, if they are not created automatically by the wizard
• Adjust the settings of the phases of the IPSec connection. notempty
  Use Phase 2 PFS

Establish IPSec S2S connection

Step 1 - Connection type Step 1 - Connection type
In step 1, the Site to Site - connection type is selected.			Setup step 1
Step 2 - General Step 2 - General
Caption	Value	Description	Setup step 2
Name:	IPSec Fritz!Box S2S	A suitable name for this connection
IKE Version:	IKE v1	For the IKE version select IKE version 1
Step 3 - Local Step 3 - Local
Local Gateway ID:	LAN1	The IP address or the interface of the Securepoint appliance that is to establish the VPN connection to the Fritz!Box.	Setup step 3
Authentication method	Pre-Shared Key	Select Pre-Shared Key
Pre-Shared Key:	**********	Enter the pre-shared key from the configuration file of the Fritz!Box.
Share networks:	» ✕192.168.175.0/24	The internally accessible network of the Securepoint appliance, as specified in the configuration file.
Step 4 - Remote station Step 4 - Remote station
Remote Gateway:	fritz_lokal.spdyn.de	Public IP address (or hostname that can be resolved via DNS) of the Fritz!Box	Setup step 4
Remote Gateway ID:	fritz_lokal.spdyn.de	ID configured on the Fritz!Box as the local ID (freely selectable string).
Share networks:	» ✕192.168.100.0/24	The local network of the Fritz!Box to be accessed via the VPN, as specified in the configuration file.

Configure IKEv1 phases

Phase 1 and phase 2 of IKEv1 should be reviewed and adjusted if necessary.
notempty

The settings must be identical to those from the configuration file created above.

notempty

If phase1ss = "all/all/all"; or phase2ss = "esp-all-all/[...]"; was entered in the configuration file, the default values are set in the Securepoint appliance for IKEv1 phase 1 or phase 2.

These default values are not supported by the Fritz!Box.

The manufacturer AVM informs which encryption methods and algorithms are supported by the Fritz!Box.

notempty

This process needs to be carried out for each Securepoint appliance.

Configure IKEv1 Phase 1
Under → VPN →IPSecTab Connections, click on Phase 1 for the created IPSec S2S connection and switch to the IKE tab in the Edit Phase 1 dialogue.
Caption	Value	Description	Configuration of phase 1 for IKEv1
Encryption:	aes256	Set aes256 as the encryption. Another encryption can also be selected.notempty If the Fritz!Box does not support the set encryption, select aes128.
Authentication:	sha2_512	Set sha2_512 as the authentication. A different one can also be selected. notempty If the Fritz!Box does not support the set authentication, select sha1.
Diffie-Hellman Group:	modp3072	Set 'modp3072' (DH15) as the Diffie-Hellman Group. notempty If the Fritz!Box does not support the set Diffie-Hellman Group, select modp1024 (DH2).
Show weak algorithms:	Off	Enabled On when weaker algorithms are required, such as for Authentication: sha1 and Diffie-Hellman Group: modp1024.
Strict:	Off	If On is activated, only the configured parameters and no other proposals are used.
IKE Lifetime:	1 hour Default	The IKE Lifetime can be adjusted.
Rekeying:	unlimited (recommended) Default	The number of rekeying can be adjusted.
The Save button applies any changes.
Configure IKEv1 Phase 2
Under → VPN →IPSecTab Connections, click on Phase 2 for the created IPSec S2S connection. notempty The set parameters must be identical to that of phase 1.
Caption	Value	Description	Configuration of phase 2 for IKEv1
Encryption:	aes256	Set aes256 as the encryption. Another encryption can also be selected.notempty If the Fritz!Box does not support the set encryption, select aes128.
Authentication:	sha2_512	Set sha2_512 as the authentication. A different one can also be selected. notempty If the Fritz!Box does not support the set authentication, select sha1.
Diffie-Hellman Group:	modp3072	Set 'modp3072' (DH15) as the Diffie-Hellman Group. notempty If the Fritz!Box does not support the set Diffie-Hellman Group, select modp1024 (DH2).
Show weak algorithms:	Off	Enabled On when weaker algorithms are required, such as for Authentication: sha1 and Diffie-Hellman Group: modp1024.
Key lifetime:	8 hours Default	The key lifetime can be adjusted.
Restart after abort:	Off	If On is activated, the connection is restored in the event of an unexpected termination.
DHCP:	Off	If On is activated, the clients receive IP addresses from a local network. This requires further configurations, see Wiki article on DHCP for IPSec.
The Save button applies any changes.

Firewall rule

The port filter rules of the firewall still need to be adjusted if they are not automatically generated by the wizard.
Implied rules
Via → Firewall →Implied RulesTab Rules the following rules must be active
Active	Rule		Activation of the required VPN rules
On	IPSec IKE
On	IPSec ESP
On	IPSec NAT Traversal
When On of the Implied rule group VPN is activated, all associated rules are enabled. notempty In principle, the following applies: Only release what is needed for the person who needs it.
Portfilter rule
Before a corresponding portfilter rule can be created, a network object must be created for the Fritz!Box network. Under → Firewall →PortfilterTab Network objects Button + Add object this network object is created
Caption	Value	Description	Creation of the Fritz!Box network object
Name:	IPSec-Fritz!Box	Freely selectable name for this network object
Type:	VPN network	Select VPN network
Address:	192.168.100.0/24	The internal network of the Fritz!Box
Zone:	vpn-ipsec	Select vpn-ipsec
Groups:		The network object can be assigned to one or more groups
Two port filter rules are created under → Firewall →PortfilterTab + Add Rule. A rule from the Securepoint appliance  internal-network to the internal network of the Fritz!Box  IPSec-Fritz!Box with the Service  ms-rdp This will select the NAT-type Hidenat-Exclude with the network object  external-interface A second rule from the Fritz!Box internal network  IPSec-Fritz!Box to the Securepoint appliance  internal-network with the Service  ms-rdp			The necessary port filter rules for the IPSec connection to the Fritz!Box