IPSec VPN with Fritzbox

I don't really like Fritzboxes or IPSec, and I myself use a Netgear router with Tomato and OpenVPN, but I had to connect to an IPSec VPN on a Fritzbox 7170. I found the Shrew Soft IKE client to do this, and if you also want to connect to a Fritzbox IPSec VPN, here you can find out how I got it to work. I used Arch Linux as the IPSec client.

Configure VPN Gateway

First you have to configure your Fritzbox for a client-to-site VPN … and unfortunately this is only possible with the Windows software that creates the config. Here is the link to the German AVM site.

Configure VPN client

You can find the Shrew client in the AUR (Arch User Repository). I only got shrew-vpn-client-alpha 2.2.0-9 to work on a current system.

 pacman -S fakeroot gcc flex bison cmake make   # build dependencies (as root)
 makepkg                                        # build the AUR package (as a normal user, not root)
 pacman -U *.tar.xz                             # install the built package (as root)

Shrew stores its site configurations in ~/.ike/sites.

Create config to connect to Fritzbox

There are several ways to create your config. The easiest is to install Shrew on the Windows machine you used to create your Fritzbox config and export it. AVM also has documentation on how to configure the Shrew client (AVM Doku). There is also a Perl script that converts a Windows config to a Linux config, but it didn't work for me; its name is “vpnseter.pl”.

Here is my config (most of it ;)):

n:version:2
s:network-host:fritzbox.dyndns.org
n:network-ike-port:500
s:client-auto-mode:pull
n:network-mtu-size:1380
s:client-iface:virtual
n:client-addr-auto:1
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:enable
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:user@example.org
b:auth-mutual-psk:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha1
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
s:policy-level:auto
n:policy-nailed:0
n:policy-list-auto:0
s:policy-list-include:192.168.187.0 / 255.255.255.0

 ikec -a -r host.dyndns.org

* This is the IKE command-line client (ikec; the "c" stands for the command-line variant), and with it you can connect.
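Before trusting a site file like the one above, it is worth parsing it and checking the security-relevant settings it carries: the AVM-generated profile uses IKEv1 aggressive mode with a pre-shared key, DH group 2 and SHA-1, all of which a defender would want flagged. The following script is an added example, not code from this page or from the Shrew Soft project: it parses the `<type>:<key>:<value>` site format (types n, s, b as they appear above), extracts the included networks, redacts the PSK for safe logging, and reports findings. The severity thresholds and the assumption that a non-positive `phase2-pfsgroup` means PFS is disabled are this example's own choices.

```python
"""Parse and audit a Shrew Soft site configuration (the ~/.ike/sites format).
Added example; not part of the Shrew Soft project or of the original page."""
import ipaddress

# Constructed sample: an abridged copy of the configuration shown above.
# The PSK is the page's placeholder; a real file carries a base64-encoded value.
SAMPLE_SITE = """n:version:2
s:network-host:fritzbox.dyndns.org
n:network-dpd-enable:1
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
b:auth-mutual-psk:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:policy-list-include:192.168.187.0 / 255.255.255.0
"""

SECRET_KEYS = {"auth-mutual-psk"}  # values that must never be printed or logged


def parse_site(text):
    """Return {key: value}. Each line is '<type>:<key>:<value>': n is an integer,
    s a string, b base64 binary (kept as the encoded text so secrets are never
    decoded by accident). A key that repeats collects its values into a list."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<type>:<key>:<value>'")
        kind, key, value = parts
        if kind == "n":
            value = int(value)
        elif kind not in ("s", "b"):
            raise ValueError(f"line {lineno}: unknown field type {kind!r}")
        if key in cfg:
            old = cfg[key]
            cfg[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            cfg[key] = value
    return cfg


def included_networks(cfg):
    """Parse 'policy-list-include' entries ('network / netmask') into IPv4Network
    objects; strict parsing rejects an entry whose host bits are set."""
    raw = cfg.get("policy-list-include", [])
    entries = raw if isinstance(raw, list) else [raw]
    nets = []
    for entry in entries:
        addr, _, mask = (part.strip() for part in entry.partition("/"))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return nets


def redact(cfg):
    """Copy of cfg with secret values replaced, safe for logs and bug reports."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in cfg.items()}


def audit_site(cfg):
    """Return (code, severity, message) findings. Thresholds are this example's
    choices, following common IKEv1 hardening advice."""
    findings = []
    if cfg.get("auth-method") == "mutual-psk" and cfg.get("phase1-exchange") == "aggressive":
        findings.append(("psk-aggressive-mode", "high",
                         "aggressive mode authenticates before encryption is established, so a "
                         "captured handshake allows offline PSK guessing: use a long random PSK "
                         "and main mode where the gateway supports it"))
    if int(cfg.get("phase1-dhgroup", 0)) < 14:
        findings.append(("weak-dh-group", "medium",
                         f"phase1-dhgroup {cfg.get('phase1-dhgroup')} is below 2048-bit MODP; "
                         "prefer group 14 or stronger"))
    if cfg.get("phase1-cipher") in ("des", "3des"):
        findings.append(("weak-phase1-cipher", "high", "DES/3DES phase 1 cipher; use AES"))
    if cfg.get("phase1-hash") in ("md5", "sha1"):
        findings.append(("weak-phase1-hash", "medium",
                         f"phase1-hash {cfg['phase1-hash']} is deprecated; prefer a SHA-2 hash"))
    if cfg.get("phase2-hmac") in ("md5", "sha1"):
        findings.append(("weak-phase2-hmac", "low",
                         f"phase2-hmac {cfg['phase2-hmac']} is deprecated; prefer a SHA-2 HMAC"))
    # Assumption of this example: a non-positive pfsgroup value means PFS is off.
    if int(cfg.get("phase2-pfsgroup", 0)) <= 0:
        findings.append(("no-pfs", "medium", "no PFS: a leaked phase 1 key exposes all traffic"))
    if cfg.get("network-dpd-enable") == 0:
        findings.append(("dpd-disabled", "low", "dead peer detection is off; stale SAs linger"))
    return findings


if __name__ == "__main__":
    site = parse_site(SAMPLE_SITE)
    print("site:", redact(site)["network-host"],
          "networks:", [str(n) for n in included_networks(site)])
    for code, severity, message in audit_site(site):
        print(f"[{severity}] {code}: {message}")
```

Run it against your own exported site file by reading it into `parse_site`; the `redact` view is what to paste into a bug report, never the raw file.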

Problems