I have a RB450 and RB433 connected by an IPSEC tunnel for some time now. Everything is working fine and now I want to setup an IPSEC tunnel from the RB450 to a FritzBox.
The tunnel comes up fine, no errors in the RB or FritzBox logs, but I'm unable to get traffic over the tunnel. NAT rule is in place for the remote subnet and all IPSEC settings match the settings of the tunnel to the other RB (which is running fine).
Tried Main and Aggressive mode, different encryptions, and every time the tunnel comes up fine, but no traffic through the tunnel.
Does anyone have experience with a VPN tunnel to a FritzBox, or know a good way to troubleshoot this?
Re: IPSEC tunnel to FritzBox
Please post here IPSec configurations and installed-SA.
Re: IPSEC tunnel to FritzBox
Hi Mischa,
did you ever figure out how to get this to work? Just trying to set up the same and stumbled across your question. I'd appreciate if you would share your success story.
Cheers,
Christian
did you ever figure out how to get this to work? Just trying to set up the same and stumbled across your question. I'd appreciate if you would share your success story.
Cheers,
Christian
Re: IPSEC tunnel to FritzBox
Hi,
i am also interested in some configuration examples.
greetings,
markus
i am also interested in some configuration examples.
greetings,
markus
Re: IPSEC tunnel to FritzBox
Hi,
have this problem too .... anyone with some tips?
Thanks
have this problem too .... anyone with some tips?
Thanks
Re: IPSEC tunnel to FritzBox
Please explain us how you setup your network and router configurations. Without your detail information, no one can help you on this matter.Hi,
have this problem too .... anyone with some tips?
Thanks
Re: IPSEC tunnel to FritzBox
I have traffic flowing over my tunnel between a FritzBox 7360 with FritzOS 6.20 and a Mikrotik RB2011UiAS-2HnD with RouterOS 6.27.
I am however having connection issues. Sometimes I can't connect to any host behind the FritzBox from the Mikrotik side. I am still trying to figure out what is going on.
That being said, my latest config, that seems to be working out pretty well so far is as follows:
This link provides details with regards to the VPN config file for the FritzBox.
In addition, AVM has provided a list of options for both the phase1ss and the phase2sss parameters in the config file.
On the mikrotik side, I've used the following setup:
Policy
Peer
Proposal
Note that I've put the fritzbox in charge of creating the connection ("send-initial-contact=no" in the peer setup). It seems that in my case, it works best if I let the fritzbox initiate the connection. If the Mikrotik initiates the connection, I run into problems about 30 minutes in (pings start dropping). I haven't figured out why this happens.
I am however having connection issues. Sometimes I can't connect to any host behind the FritzBox from the Mikrotik side. I am still trying to figure out what is going on.
That being said, my latest config, that seems to be working out pretty well so far is as follows:
Code: Select all
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "[Name of the VPN connection in the FritzOS interface]";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "[remote.host.name]";
localid {
fqdn = "[local.host.name]";
}
remoteid {
fqdn = "[remote.host.name]";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "[supersecretkey]";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 10.0.10.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.0.20.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 10.0.20.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
In addition, AVM has provided a list of options for both the phase1ss and the phase2sss parameters in the config file.
On the mikrotik side, I've used the following setup:
Policy
Code: Select all
/ip ipsec policy add action=encrypt disable=no dst-address=10.0.10.0/8 dst-port=any group=default ipsec-protocol=esp level=required proposal=fritzbox sa-dst-address=1.2.3.4 sa-src-address=4.3.2.1 src-address=10.0.20.0/8 src-port=any template=yes tunnel=yes
Code: Select all
/ip ipsec peer add address=1.2.3.4 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=aes-256 exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 port=500 proposal-check=obey secret="[supersecretkey]" send-initial-contact=no
Code: Select all
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name="fritzbox" pfs-group=modp1024
Re: IPSEC tunnel to FritzBox
In my experience, in some cases it happens, when ipsec between Mikrotik and Cisco /Linksys/. I believe below should solve your issue too.
1. Phase2 life time should be less than Phase1 always.
2. Exactly same Phase times on each routers.
3. Enable Deed-Peer-Detection
4. Configure scheduled ping to remote side for example every 5 minutes
Let me know it helps or not.
1. Phase2 life time should be less than Phase1 always.
2. Exactly same Phase times on each routers.
3. Enable Deed-Peer-Detection
4. Configure scheduled ping to remote side for example every 5 minutes
Let me know it helps or not.
Re: IPSEC tunnel to FritzBox
Hello,
I have been able to run VPN Ipsec between Fritzbox and Mikrotik, see this thread : http://forum.mikrotik.com/viewtopic.php?f=2&t=71987
I have been able to run VPN Ipsec between Fritzbox and Mikrotik, see this thread : http://forum.mikrotik.com/viewtopic.php?f=2&t=71987