However, .... i tried to connect my Fritzbox (Fritz-6490 Cable - OS 07.10) to my Mikrotik Router via VPN (Site 2 Site) over Internet but failed now for several days. Now I tried the above script and have an establish connection but can't ping or get data from both sides.

What I'm doing wrong ? Do I need additional routes on both sides ? It looks a little bit like both side do not get an IP(?)

See below my latest config - is there something wrong in the IPSEC policy ?
Fritzbox = 192.168.1.1
Mikrotik = 192.168.88.1
Mikrotik over Internet IP = IPfROMmIKROTIK
Fritzbox over Internet IP = IPfROMfRITZBOX


/ip ipsec profile
set [ find default=yes ] dpd-interval=20s enc-algorithm=aes-256,3des
add dh-group=modp1024 enc-algorithm=aes-256 name=profile_TUNNEL
/ip ipsec peer
add address=IPfROMmIKROTIK exchange-mode=aggressive name=peer_TUNNEL profile=profile_TUNNEL
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,3des name=proposal_TUNNEL pfs-group=modp1024
/ip ipsec identity
add notrack-chain=prerouting peer=peer_TUNNEL secret=MYPRIVATEPASSWORD
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=peer_TUNNEL proposal=proposal_TUNNEL sa-dst-address=IPfROMfRITZBOX sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes


Kind Regards,
Vossi

Hi,

i recently installed a Fritzbox with Firmware Version 7.12 and built a site2site ipsec tunnel with a mikrotik device.

Please delete the pfs-group from your proposal as Fritzboxes are not able to make use of pfs in Phase 2.

Can you show us the output of /ip ipsec remote-peer as well as /ip ipsec installed-sa ?

Hi,

thank you for your reply.
Actually I deleted the script from the mikrotik (as I was not willing to have an vpn setup and not working).

I have a working l2tp connection(for my mobile) with my mobile to the mikrotik router and opened FW rules to enable ssh to the mikrotik.

Isn't there a script with the necessary entries you can share ?

Kind Regards,

Vossi

Hi,

can you check your firewall rules whether there are appropriate rules for ipsec policy in/out traffic? You should have something like

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec log-prefix=ip-sec-in
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec log-prefix=ip-sec-out

For me this was automatically added.

I have a slightly different setup (see viewtopic.php?f=2&t=156836) but my connection is working (unfortunately slow...).

Regards,
Daniel

Hi Daniel,

no I did'nt have that rules - adding them didn't solve my issue. Interesting script you've linked. Will try this next week when in front of the mikrotik. Giong to see how much speed I'll get (Fritz 400/40 - Mikrotik 100/20).

Kind Regards,

Vossi

It strongly depends on your MikroTik model, which you haven't revealed...
The old boxes like RB750r2 or RB2011 will not be able to do more than about 10 Mbps but for newer devices like RB750Gr3 and the 1100/3011/4011/CCR etc it will be no problem to saturate the connection.

If I get it working I'll see how fast my RBD52G-5HACD2HND will go but first need to get the connection mikrotik<->internet<->Fritzbox working ...

That one should be OK, see: https://mikrotik.com/product/hap_ac2#fndtn-testresults

Hello!

I am trying the same. Could u please send me a screenshot of the FritzBox Config? That is the strange part for me.

How have u fixed the dynamic ip adress problem?

BR

Holger

Hi,

I just created a Fritz Box LAN to LAN based on the AVM how-to:

https://avm.de/service/fritzbox/fritzbo ... inrichten/

Important:

• You need different subnets on both ends
• You need a native IPv4 connectivity (public IPv4 address) - DS lite does NOT work. I have on both ends IPv4 and IPv6 dual stack. In principle IPv4 on one end (receiver side) should work as well, but it did not work for me before my ISP upgraded me to dual stack.

Currently I'm using the myfritz service for dynDNS, but theoretically any other dynDNS service should work as well (did not test this yet, but might go for it once I upgraded to mikrotik on both ends).

If your mikrotik is behind a fritz box you need to delete all VPN configurations (site-to-site & user VPN connections - just disable them will NOT work) and set forwarding rules for UDP ports 500, 4500 and protocol ESP to your mikrotik. Furthermore add a static route on that fritz box for the remote network to your mikrotik (in Heimnetz->Netzwerk->Netzwerkseinstellungen->Statische Routingtabelle->IPv4-Routen)

Hi,

can you check your firewall rules whether there are appropriate rules for ipsec policy in/out traffic? You should have something like

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec log-prefix=ip-sec-in
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec log-prefix=ip-sec-out

For me this was automatically added.

I have a slightly different setup (see viewtopic.php?f=2&t=156836) but my connection is working (unfortunately slow...).

Regards,
Daniel

Well I tried, but getting massive errors. Peers not found, Aggressive DH mode not allowed twice and so on. I cant manage my vpn with your script as a 'standard'-user.

Vossi

Hi,

i recently installed a Fritzbox with Firmware Version 7.12 and built a site2site ipsec tunnel with a mikrotik device.

Please delete the pfs-group from your proposal as Fritzboxes are not able to make use of pfs in Phase 2.

Can you show us the output of /ip ipsec remote-peer as well as /ip ipsec installed-sa ?

Can't Fritzboxes use pfs in Phase 2?
I could not think of this at all.

Well finally - I got it working with my script posted first !!!

the only thing I changed was on the fritzbox vpn menu -> I always gave a name for the vpn there - without giving a name within the fritzbox menu connection is directly established and I can ping

for getting access to webpages (beside fritzbox) I had to add a route in mikrotik to the network (192.168.1.0/24)


What I'm missing now is to get this working also for other networks that I'm running behind the fritzbox (192.168.0.0/192.168.2.0/192.168.3.0). I have different network setup behind the fritz (all of them have a working internet access). How can I realize this from the mikrotik vpn Is there somewhere the possibility to make this possible ?

Kind Regards,

Vossi

ok, it's working now :

1 - adding Routes in mikrotik to the networks behind fritzbox
2 - creating for each Network a Policy

is this correct ?? Actually its not always showing an established PH2 State but I can ping and load webpages in this networks

Secondly what is the Status 'A' standing for ? as well as does this way slow down my fritzbox ? Any other solution ?

Hi,

thank you for your reply.
Actually I deleted the script from the mikrotik (as I was not willing to have an vpn setup and not working).


1. Log into the MikroTik router interface using the web browser or WinBox application, the IP address of the router is 192.168. 88.1 by default, login is admin with no password if haven't changed previously. 2. Go to "Interfaces" (left hand side menu), find you VPN connection.

Actually I do not understand what you are willing to say ?

the only thing I changed was on the fritzbox vpn menu -> I always gave a name for the vpn there - without giving a name within the fritzbox menu connection is directly established and I can ping

Vossi

Hey Vossi,

how did you manage this? My FB insists on filling the "Name of this VPN coonection" field.

Regards
HF

Hi,

Good question. Actually I’m not using this connection and amount of subnetworks anymore (now FRITZ!Box+Microtik - Mikrotik). I remember it was tricky but can’t remember the steps. It’s easier to bridge a port (FRITZ!Box) and using a second Microtik (however you need dual stack from your inet provider).


KR

the only thing I changed was on the fritzbox vpn menu -> I always gave a name for the vpn there - without giving a name within the fritzbox menu connection is directly established and I can ping

Vossi

Hey Vossi,

how did you manage this? My FB insists on filling the "Name of this VPN coonection" field.

Regards
HF