I spent hours surfing the web looking for a working solution to connect my IPFIRE with a FritzBox in another country.
The following solution is working so far, but I still did not get a reliable VoIP connection, so this should be seen at least as a good starting point.
In this example I use two dynamic DNS hostnames (DynDNS, No-IP, ...), which of course have to be different:
IPFIRE: HOSTNAME-A
FritzBox: HOSTNAME-B
Behind the IPFIRE the subnet is 192.168.0.0/255.255.255.0, behind the FritzBox it is 192.168.10.0/255.255.255.0. For a secure connection a long, random pre-shared key has to be used. This matters all the more because the tunnel below uses IKEv1 aggressive mode, in which a hash derived from the PSK is exchanged before encryption starts and can be attacked offline by anyone who captured the handshake. In the files below the key is represented by the string PRESHAREDKEY.
Upload this VPN configuration to your FritzBox after modifying it for your own scenario:
/*
 * BLABLABLA COMMENTARY
 * Fri Mar 29 23:18:49 2013
 */
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "HOSTNAME-A";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                // the IPFIRE, reached via its dynamic DNS name
                remotehostname = "HOSTNAME-A";
                // IKE identities: localid is this FritzBox, remoteid the IPFIRE.
                // They must match rightid/leftid in the IPFIRE's ipsec.conf exactly.
                localid {
                        fqdn = "HOSTNAME-B";
                }
                remoteid {
                        fqdn = "HOSTNAME-A";
                }
                mode = phase1_mode_idp;
                // "all/all/all" lets the FritzBox accept any of its phase 1 proposals;
                // the concrete algorithms are pinned on the IPFIRE side (ike=/esp=)
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "PRESHAREDKEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // phase 2 selectors: local = FritzBox LAN, remote = IPFIRE LAN
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                // ESP with any cipher, no AH, compression allowed, PFS required
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.0.0 255.255.255.0";
        }
        // standard lines for IKE (UDP 500) and NAT-T (UDP 4500)
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
This file has to be uploaded to your IPFIRE in /var/ipfire/vpn/ and must be named ipsec.conf (replace the existing one, or merge it into the existing file if you want to use more than one IPsec connection). Note that the parameter lines under a conn or config header must be indented; a line starting in column 0 is read by strongSwan as the start of a new section:
version 2

config setup
    # every charon log subsystem is silenced (0); raise one, e.g. "ike 2, cfg 2", while troubleshooting
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0"

conn %default
    keyingtries=%forever

include /etc/ipsec.user.conf

conn SAMMELBUDE
    # IKEv1 aggressive mode with FQDN identities, because both ends sit on dynamic IP addresses
    aggressive=yes
    left=HOSTNAME-A
    leftsubnet=192.168.0.0/24
    # let the updown script insert the firewall rules for the tunnel traffic
    leftfirewall=yes
    lefthostaccess=yes
    right=HOSTNAME-B
    rightsubnet=192.168.10.0/24
    # accept the FritzBox even if its current address differs from what HOSTNAME-B resolves to
    rightallowany=yes
    # the IDs must be identical to the remoteid/localid fqdn values in the FritzBox file
    leftid="@HOSTNAME-A"
    rightid="@HOSTNAME-B"
    ike=aes256-sha1-modp1024
    # the DH group in the esp line enables PFS, which the FritzBox's "/pfs" demands
    esp=aes256-sha1-modp1024
    keyexchange=ikev1
    ikelifetime=1h
    keylife=8h
    compress=yes
    # DPD probes are sent, but with dpdaction=none a dead peer is never torn down
    dpddelay=30
    dpdtimeout=120
    dpdaction=none
    authby=secret
    auto=start
Do NOT use the GUI in the IPFIRE web interface for modifying this VPN connection or it will overwrite your config file.
After that, modify the ipsec.secrets file in the same path (it holds the key in clear text, so keep it readable by root only):
include /etc/ipsec.user.secrets
@HOSTNAME-A @HOSTNAME-B : PSK 'PRESHAREDKEY'
Finally, this command should bring up the VPN connection between your IPFIRE's and FritzBox's subnets:
/etc/init.d/ipsec restart
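A hostname, key or subnet that differs between the two files is the most common reason the tunnel never comes up, and the two formats mirror each other (the FritzBox's localid is strongSwan's rightid, its phase2localid is rightsubnet, and so on), so it is easy to get one side wrong. The following cross-check script is an added example and not part of the original post, IPFire or AVM: it parses just enough of the FritzBox vpncfg file, ipsec.conf and ipsec.secrets to compare the fields that must agree, reports any mismatch, and flags a short PSK. The embedded sample inputs are constructed, shortened copies of the files above; the connection name SAMMELBUDE and the 20-character minimum are taken from this page and chosen for the example respectively.

```python
import ipaddress
import re

# Constructed sample input: shortened copies of the two files shown above.
FRITZ_SAMPLE = """vpncfg {
    connections {
        localid {
            fqdn = "HOSTNAME-B";
        }
        remoteid {
            fqdn = "HOSTNAME-A";
        }
        key = "PRESHAREDKEY";
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.0.0;
                mask = 255.255.255.0;
            }
        }
    }
}
"""
IPSEC_CONF_SAMPLE = """include /etc/ipsec.user.conf
conn SAMMELBUDE
    left=HOSTNAME-A
    leftsubnet=192.168.0.0/24
    right=HOSTNAME-B
    rightsubnet=192.168.10.0/24
    leftid="@HOSTNAME-A"
    rightid="@HOSTNAME-B"
"""
SECRETS_SAMPLE = "include /etc/ipsec.user.secrets\n@HOSTNAME-A @HOSTNAME-B : PSK 'PRESHAREDKEY'\n"
MIN_PSK_LEN = 20  # threshold chosen for this example, not an IPFire or AVM rule


def parse_vpncfg(text):
    """FritzBox vpncfg -> nested dicts: 'name {' opens a block, '}' closes it, 'k = v;' assigns."""
    root = cur = {}
    stack = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "/*":  # blank line, or a /* ... */ or // comment line
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:  # continuation lines (second ike_forward_rules entry) do not match and are skipped
            m = re.match(r'(\w+)\s*=\s*"?([^";,]*)"?\s*[;,]?$', line)
            if m:
                cur[m.group(1)] = m.group(2).strip()
    return root


def parse_ipsec_conf(text):
    """strongSwan ipsec.conf -> {section: {param: value}}; indented lines belong to the section above."""
    sections, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":  # column 0: 'conn NAME', 'config setup', 'include' or 'version'
            kind, _, name = raw.strip().partition(" ")
            cur = sections.setdefault(name.strip(), {}) if kind in ("conn", "config") else None
        elif cur is not None:
            key, _, value = raw.strip().partition("=")
            cur[key.strip()] = value.strip().strip('"')
    return sections


def cidr(value):
    """Normalise a vpncfg block {ipnet: {ipaddr, mask}} or an 'a.b.c.d/n' string to CIDR text."""
    if isinstance(value, dict):
        value = f"{value['ipnet']['ipaddr']}/{value['ipnet']['mask']}"
    return str(ipaddress.ip_network(value, strict=False))


def cross_check(fritz_text, ipsec_conf_text, secrets_text, conn="SAMMELBUDE"):
    """Return the mismatches between the FritzBox file and the IPFire files (empty list = consistent)."""
    fb = parse_vpncfg(fritz_text)["vpncfg"]["connections"]
    sw = parse_ipsec_conf(ipsec_conf_text)[conn]
    # The two ends mirror each other: FritzBox localid == strongSwan rightid, phase2localid == rightsubnet.
    pairs = [
        ("localid fqdn vs rightid", fb["localid"]["fqdn"], sw["rightid"].lstrip("@")),
        ("remoteid fqdn vs leftid", fb["remoteid"]["fqdn"], sw["leftid"].lstrip("@")),
        ("phase2localid vs rightsubnet", cidr(fb["phase2localid"]), cidr(sw["rightsubnet"])),
        ("phase2remoteid vs leftsubnet", cidr(fb["phase2remoteid"]), cidr(sw["leftsubnet"])),
    ]
    problems = [f"{label}: FritzBox {a!r} != IPFire {b!r}" for label, a, b in pairs if a != b]
    # The secrets line must select both ids and carry the same key string as the FritzBox 'key'.
    want = {sw["leftid"], sw["rightid"]}
    found = re.findall(r"^(.*?)\s*:\s*PSK\s+['\"](.*?)['\"]\s*$", secrets_text, re.M)
    psk = next((key for ids, key in found if want <= set(ids.split())), None)
    if psk != fb["key"]:
        problems.append(f"PSK for {sorted(want)} in ipsec.secrets is missing or differs from the FritzBox key")
    if len(fb["key"]) < MIN_PSK_LEN:
        problems.append(f"PSK is only {len(fb['key'])} characters; IKEv1 aggressive mode with PSK exposes "
                        "a key-derived hash to anyone on the path, so it must resist offline guessing")
    return problems
```

Run against the page's own placeholders the only finding is the short key PRESHAREDKEY; swap in a long random key on both sides and the check comes back clean. Pointing the three parsers at the real files on the IPFIRE (and the vpncfg export from the FritzBox) before the restart saves a round of reading silent charon logs.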
This configuration example is guaranteed to be working with IPFIRE core 67, a FritzBox 7390 with FRITZ!OS 05.50 and StrongSwan 5.0.3RC1 (has to be updated manually, the already included version does not work) or higher on the IPFIRE.
Other FritzBoxes should work as well. If you don't get any connection at all, check your IPFIRE's firewall: IKE needs UDP port 500 and, once NAT-T kicks in, UDP port 4500; if there is no NAT between the two peers the tunnel traffic itself arrives as plain ESP (IP protocol 50) and must be allowed too.