Evening

I've searched a long time on goolge to find any answers...but seems 99% of the users are unsuccessful or unwilling to share their success....

Anyone ever had a successful site2site ipsec connection to a Fritzbox router?
Tried all configuration I could find on the internet...but no one is working...

The ipsec log just say first "succeeded" and then "received unexpected payload type 11"...

Is it so much more complicated then setting up site2site vpn on junos?
There it was just 4 lines of configuration to get the vpn to a fritzbox up and running...

Why doesn't Mikrotik supply sample configuration...or like Juniper...an online vpn configuration tool?

It worked for me once. I was helping someone to configure their new FritzBox router(*) and among other things I briefly tested VPN. They don't make it easy to use with something else, at first sight it's not even apparent that it's IPSec, they have own Windows client, some "magic" program for creating configuration, and they don't show any technical details anywhere (I hope I'm not being unfair, I didn't have too much time to play with it). Anyway, after some trial and error, I was able to connect to that from RouterOS. I can't test it anymore, but these are leftovers from that experiment from my test router: No guarantees, but it worked once (and I didn't try again).

(*) The whole experience was horrible. I guess they want to be user friendly, but I couldn't configure almost anything. Second IP address, impossible. Forwarded port limited to selected source addresses, impossible. And everything was sooooo convoluted. Since then, I like RouterOS even more than I did before.

Not much luck yet....

What do you mean by "Second IP address, impossible"....

The Fritzbox has already a site2site vpn connection open to my old configuration....and I use now a second cablemodem with a different public IP to test VPN from RouterOS to Fritzbox...

Whole last paragraph was just rant about FritzBox and how I couldn't do even simple things with it. Not related to your IPSec. Let's just say that it made a deep impression on me. It almost haunts me and sometimes I feel the need to talk about it. And second address, owner wanted two public addresses and ISP was willing to route the other one, but FritzBox either doesn't support that, or it's extremely well hidden.

About your problem, I'm sorry, that piece of config is all I got.

Well maybe I am getting closer...had the source and destination IP wrong in the policy settings...used external IP instead of internal prefix...

Also auth-method in cli isn't recognized...so couldn't actually use your config snippet totally...

Worst case would be to put Fritzbox in bridge mode and put a routerboard with wifi there...maybe mikrotik to mikrotik ipsec would be easier?

I was surprised how easy it was with Juniper SRX...no need to upload a special vpn config to Fritzbox..
but sadly flash memory was getting corrupt and caused ike daemon to quit suddenly from time to time.

One thing, when I first tried that, I used my home router, which has quite outdated RouterOS and it didn't work. Newer version (I think 6.42.x, but I'm not sure) did work.

Well my current setup is an APU2D4 running ipfire instead of opnsense due to performance and ipsec issues in opnsense.

What I like about RouterOS is that it supports to be used as an XAUTH ipsec client...though havent figured out yet how to route specific traffic to a specific vpn server....

Currently running latest 6.44.1 version....

There's a lot of IPSec changes in 6.44, but I didn't have time yet to examine all details. You already found missing auth-method option, so you'll have to figure out what exactly changed and how it's done now.

BTW...did you upload a special vpn configuration to the fritzbox or just used the gui to setup the vpn?

For ipfire I had to upload a special config and use in ipfire the settings like in the screenshot:

Hmm..this is odd...

RouterOS tells me that the VPN is established...also Fritzbox shows as connected and displays local and remote prefix correctly...
Just no connection is possible....
Do I need to a static route on the RouterOS side?

Maybe the remote site isn't reachable as in the ipsec policy tunnel is checked and I can't uncheck it?

If I want to uncheck it I get:
What ever that means (o;

Stupid me (o;

Needed to check "NAT traversal" in the profile

So after all it is easy to setup an ipsec vpn between router os and fritzbox...

On fritzbox just create a new lan2lan vpn, no need to upload any fancy configuration...

On routeros side:

VPN proposal:
VPN profile:

Congratulations.

When I got to that thing I tested, it was already half-configured. I don't remember exactly where I got any info at all, maybe there was some config to download in admin interface? Or maybe it was the configuration program, I had that, but I know I didn't change the router config, so maybe I just generated new one on my computer and read some parameters from that. I'm really not sure. But it wasn't lan2lan, it was supposed to be VPN for users (road warrior type).

Was too early with marking as "solved" (o;

This morning the VPN was gone...though under the "profile" tab is still showed "PH2 state" as established...just no reachability to the other site...
Rebooting the RB750Gr-3 and the VPN was back up running.

Maybe I really have to downgrade to latest long-term version...


Ah BTW: How can I extract the current VPN relevant configuration pieces so I can sanitize it and make it public here for others?

You can export config using "export" command in Terminal. Do it on root level and you'll get all. Do it in "/ip ipsec" and you'll get only that.

Ah great...thanks....

Doing another test first as this morning the vpn went down again after around 78 minutes....
Added now DPD as before it was disabled....

So far still running now for over 90 minutes...

Think this was it

Had to reduce DPD to 20 seconds interval....pinging the remote site in 1 minute interval since 2487 minutes

Was only unreachable when DSL was disconnected in the morning by provider and when I rebooted the router several times or power-cycled.

Think this is considered finally as solved (o;

Okay..it is not....

After the remote site was down for few hours during the night the vpn has gone...though RouterOS still shows PH2 State as established!

Only a reboot of the router helps...or clicking in the policy and click OK then...

On my ipfire box the vpn connection was reestablished after the dsl outage....

Hello,
i have been tryin to get this working, but no way.
I have the Ipsec tunnel marked as established but no data, ping, what ever is working.
It's a side to side Ipsec, what else can I do?

# dec/07/2019 13:21:56 by RouterOS 6.45.7
# software id = L3J2-Q39M
#
# model = RB760iGS
# serial number = xxxxxxxxxxxxxxx
/ip ipsec profile
set [ find default=yes ] dpd-interval=20s enc-algorithm=aes-256,3des
add dh-group=modp1024 enc-algorithm=aes-256 name=profile_barssel
/ip ipsec peer
add address=hostname.myfritz.net exchange-mode=aggressive name=peer_barssel profile=profile_barssel
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,3des name=proposal_barssel pfs-group=modp2048
/ip ipsec identity
add notrack-chain=prerouting peer=peer_barssel secret=password
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=peer_barssel proposal=proposal_barssel sa-dst-address=91.248.41.186 sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes


# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 R established 34m30s 1 91.248.41.xxx


Fritz Version is 7.12

Regards Buelo

Hello,
got it working!

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,3des name=proposal_barssel pfs-group=modp2048

The Problem was the pfs-group=modp2048, it has to be 1024.

Regards Buelo

Okay..it is not....

After the remote site was down for few hours during the night the vpn has gone...though RouterOS still shows PH2 State as established!

Only a reboot of the router helps...or clicking in the policy and click OK then...

On my ipfire box the vpn connection was reestablished after the dsl outage....

could you be so nice and post the config? Iam Stuck with 6.45.8 and FB7590 OS7.21