VPN between a Fritz!Box Fon and racoon/BSD

The Fritz!Box is a nice WLAN/DSL/VoIP/DECT router from AVM with VPN capabilities. AVM has a VPN information page, but no information on setting up a VPN to the KAME IPsec stack. To my understanding this stack is used in OpenBSD, NetBSD and FreeBSD and in some Linux distributions.

I'll set up a VPN between a BSD router with a static IP address and the Fritz!Box with a dynamically changing IP. Sometimes this is called a "road warrior" setup.

Get a Dyndns.org name for your Fritzbox and configure it.

First you need a configuration file for the Fritzbox. Replace A.B.C.D with the IP of your gateway. Also replace the key with something more secret. phase2localid needs to describe the local net of the Fritzbox. accesslist needs to be the remote (BSD) network. Put your Dyndns Name into localid { fqdn }.

/*
 * C:fritzbox_kame.cfg
 * Thu Sep 24 23:36:34 CEST 2009
 */
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "BSD";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip =;
                local_virtualip =;
                remoteip = A.B.C.D;
                remote_virtualip =;
                localid {
                        fqdn = "example.ath.cx";
                }
                remoteid {
                        fqdn = "A.B.C.D";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "sekritt";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr =;
                                mask =;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                accesslist = "permit ip any";
        }
        ike_forward_rules = "udp",
}
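An added example, not part of the original post and not AVM tooling: a small Python parser for the vpncfg syntax above that flags three settings worth reviewing before deployment. Aggressive mode combined with a pre-shared key gives an observer of the handshake material for guessing the key offline, so the key has to be long and random; the finding codes and the 20-character threshold are assumptions of this example.

```python
import re

SAMPLE = """/* constructed sample, not the page's file */
vpncfg {
        connections {
                name = "BSD";
                localip =;
                mode = phase1_mode_aggressive;
                keytype = connkeytype_pre_shared;
                key = "sekritt";
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        }
}
"""
TOKEN = re.compile(r'/\*.*?\*/|"[^"]*"|[{}=;,]|[^\s{}=;,"]+', re.S)

def parse(text):
    """Parse `name { ... }` blocks and `key = v1, v2;` settings into dicts."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith("/*")]
    def block(i):
        node = {}
        while i < len(toks) and toks[i] != "}":
            name = toks[i]
            if toks[i + 1] == "{":
                child, i = block(i + 2)
                node.setdefault(name, []).append(child)
                i += 1  # step over the closing brace
            else:
                end = toks.index(";", i)
                node[name] = [t.strip('"') for t in toks[i + 2:end] if t != ","]
                i = end + 1
        return node, i
    return block(0)[0]

def audit(cfg, min_key_len=20):  # threshold is this example's assumption
    """Return (connection name, finding code) pairs for settings to review."""
    out = []
    for conn in cfg["vpncfg"][0].get("connections", []):
        get = lambda k: (conn.get(k) or [""])[0]  # empty settings read as ""
        psk = get("keytype") == "connkeytype_pre_shared"
        if psk and get("mode") == "phase1_mode_aggressive":
            out.append((get("name"), "aggressive-psk"))  # key is guessable offline
        if psk and len(get("key")) < min_key_len:
            out.append((get("name"), "short-key"))
        if re.search(r"\b(3des|des|md5)\b", get("phase2ss")):
            out.append((get("name"), "legacy-phase2-algorithm"))
    return out

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```
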

Now you have to set up your Unix box. I used FreeBSD, but to my understanding it's the same with OpenBSD and probably also with some Linux variants and NetBSD. You need to install ipsec-tools and racoon. They might come in one package or in two, or might already be installed. On my FreeBSD box I added something like this to /etc/rc.conf:

racoon_flags="-l /var/log/racoon.log"

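The next thing is to save your IPsec "shared secret" (password) somewhere:

echo "example.ath.cx sekritt" > /usr/local/etc/racoon/psk.txt
chmod 600 /usr/local/etc/racoon/psk.txt  # racoon rejects a key file that group or others can access

The last missing part is /usr/local/etc/racoon/racoon.conf: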

# racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log info; # notify info debug;
padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}
listen {
        isakmp A.B.C.D [500]; # add your public IP here
}
timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous { # we don't know the peer's IP during phase 1
        exchange_mode main, aggressive;
        nonce_size 16;
        lifetime time 140 min;   # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        support_proxy on;
        ike_frag on;
        weak_phase1_check on;
        # important for automatically configuring
        # the Security Policy Database (SPD)
        generate_policy on;
        passive on;
        # Fritz!box
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
# local net - Fritz net
sainfo address any address any {
        pfs_group 2;
        lifetime time 8 hour;
        encryption_algorithm aes, 3des, des;
        authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5 ;
        compression_algorithm deflate;
}

If you use pf for packet filtering, you need something like this in /etc/pf.conf:

pass on $ext_if proto udp from any port 500 to A.B.C.D port 500 keep state
pass on $ext_if proto udp from A.B.C.D port 500 to any keep state
pass quick on $ext_if proto { esp ah ipencap } from any to A.B.C.D
pass quick on $ext_if proto { esp ah ipencap } from A.B.C.D to any

This configuration still has issues but works.

One comment on “VPN between a Fritz!Box Fon and racoon/BSD”

  1. proxy hide
    2010-08-27 at 16:04 #

    I don't think the problem is your router. Those Linksys routers don't really do any packet filtering. My guess is the problem lies in the access restrictions on the Cisco VPN. I’m not exactly sure of your connection type, but the four computers on your router could be broadcasting the same IP, perhaps the VPN can't distinguish between the PCs on the network.
