
VPN (IPsec) tunnel between a pfSense 2.0 router and a FRITZ!Box

We have a pfSense 2.0 router at our coworking space which is hooked up to a pretty fast VDSL line, so I thought it would be a fun idea to connect my home network (where I’m using a FRITZ!Box 7390) to the work LAN using a secure and permanent VPN tunnel.

A quick Google search only yields results for the 1.2 version of pfSense, which is outdated and does not use DynDNS hostnames on both ends, so I did a quick writeup of my own.

Prerequisites

First things first, create permanent hostnames for your pfSense and your FRITZ!Box. If your DSL provider has assigned permanent IP addresses, that’s fine. If they didn’t, you’ll probably need something like DynDNS. Last time I checked, you could still get free accounts; otherwise it’s just a few bucks a year – probably a good investment. You’ll need to configure both the pfSense and the FRITZ!Box to update your DynDNS hosts whenever their IP address changes, but that’s pretty straightforward so I won’t cover it here. Fun fact: you can add CNAME records to your company domain pointing to your DynDNS host, so it looks even more professional. We use vpn.launchco.com for instance – how cool is that?

You’ll also need two different primary subnets for your networks: if your home network lives in 192.168.178.0/24, which is the default a FRITZ!Box uses, your work network has to use something else, like 192.168.1.0/24, which happens to be the pfSense default – so you should be safe if, like me, you’re a big fan of sticking with sensible vendor defaults.

Now, with the permanent hostnames and subnets in place, let’s get down to business.

Setting up pfSense

We’re using IPsec, so let’s head to VPN -> IPsec first and click the [+] icon on the bottom right to add a new phase 1 entry.

Fill the form in accordance to what you see on the following screenshot:

Screenshot of pfSense configuration phase 1 entry

Obviously, replace your-fritz.dyndns.org with the permanent hostname assigned to your FRITZ!Box, and your-pfsense.dyndns.org with the one assigned to your pfSense box. The Pre-Shared Key should be a long random string. Don’t worry, you won’t have to remember it. You’ll just save it in the FRITZ!Box later and then you can forget about it.

Next up, we need a phase 2 entry. For that, click the [+] icon next to a label that says Show 0 Phase-2 entries and fill the form like below:

Screenshot of pfSense configuration phase 2 entry

Here, you just need to make sure that you replace 192.168.178.0 with the actual subnet your FRITZ!Box uses. Again, if you stuck with the default when setting up the box, this setting should be right for you.

That should be it for pfSense. After saving, it will probably ask you to apply or reload the configuration. This is safe to do now.

Setting up the FRITZ!Box

Now, let’s finish this by configuring a VPN entry in your FRITZ!Box. From my perspective, this part is much easier, because I’m just pasting code instead of fiddling with screenshots – yay!

Fire up your favorite text editor and paste the following code:

Make the necessary modifications according to the comments in the file. Then, open the FRITZ!Box configuration interface in your browser and head to Internet -> Freigaben -> VPN, use the browse button to select the file you just created and click on VPN-Einstellungen importieren.
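As an added example (not the author’s file, which is not reproduced on this page), the following Python renders the FRITZ!Box LAN-to-LAN entry in the vpncfg format AVM publishes, filled with the hostnames and subnets used above. The field names and the aggressive-mode/FQDN-identifier setup follow AVM’s LAN-to-LAN template as I recall it, with the block braces compacted, so compare the output against AVM’s current template before importing; the connection name, both hostnames and the PSK are placeholders, and the overlap check enforces the two-different-subnets requirement from the prerequisites.

```python
import ipaddress
import secrets
# Added example, not the author's file: FRITZ!Box LAN-to-LAN vpncfg after AVM's
# published template (field names as I recall them; block braces compacted).
TEMPLATE = """vpncfg {{
  connections {{
    enabled = yes;
    conn_type = conntype_lan;
    name = "{name}";
    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 0.0.0.0;
    remote_virtualip = 0.0.0.0;
    remotehostname = "{remote_fqdn}";
    localid {{ fqdn = "{local_fqdn}"; }}
    remoteid {{ fqdn = "{remote_fqdn}"; }}
    mode = phase1_mode_aggressive;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "{psk}";
    cert_do_server_auth = no;
    use_nat_t = no;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {{ ipnet {{ ipaddr = {lnet}; mask = {lmask}; }} }}
    phase2remoteid {{ ipnet {{ ipaddr = {rnet}; mask = {rmask}; }} }}
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any {rnet} {rmask}";
  }}
  ined = "sysipsec:enableipsec";
}}
"""

def new_psk(nbytes=32):
    """Long random PSK, as the page asks for; paste the same value into pfSense."""
    return secrets.token_urlsafe(nbytes)

def render_vpncfg(name, local_fqdn, remote_fqdn, local_net, remote_net, psk):
    """FRITZ!Box side of the tunnel; rejects overlapping LANs (the page needs two subnets)."""
    lnet, rnet = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    if lnet.overlaps(rnet):
        raise ValueError(f"home and work LANs overlap: {lnet} / {rnet}")
    return TEMPLATE.format(name=name, local_fqdn=local_fqdn, remote_fqdn=remote_fqdn, psk=psk,
                           lnet=lnet.network_address, lmask=lnet.netmask,
                           rnet=rnet.network_address, rmask=rnet.netmask)
```

always_renew = yes is my choice so the box keeps the tunnel up permanently, as the post intends; the PSK from new_psk() must be entered unchanged as the Pre-Shared Key in the pfSense phase 1 entry.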

That’s it – you’re done. In my first trials I had to go back to the pfSense interface and navigate to Status -> IPsec to click on a small [>] (“play”) button to get things rolling. Maybe you need this, maybe it just works without it.

Getting the connection up after a restart of either router sometimes fails, most probably because the DynDNS updates have not yet propagated when the VPN tries to connect. In this case, just be patient; both boxes keep retrying to open the VPN connection, and you can always stop/start it on both ends yourself. Once a connection is made, the tunnels are usually stable and rock-solid. Enjoy!

7 Comments

  • Dec 11th 2011, 18:12
    by cat1510

    Not working for me.

    Box is 7390 and pfsense 2.0 Release
    Log in pfsense:

    Dec 11 17:07:42 racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 11 17:07:42 racoon: DEBUG: got pfkey REGISTER message
    Dec 11 17:07:42 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 11 17:07:42 racoon: DEBUG: getsainfo params: loc='172.10.0.0/24' rmt='10.0.5.0/24' peer='NULL' client='NULL' id=1
    Dec 11 17:07:42 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Dec 11 17:07:42 racoon: DEBUG: hmac(modp768)
    Dec 11 17:07:42 racoon: DEBUG: reading config file /var/etc/racoon.conf
    Dec 11 17:07:42 racoon: DEBUG: pk_recv: retry[2] recv()
    Dec 11 17:07:42 racoon: DEBUG: pk_recv: retry[1] recv()
    Dec 11 17:07:42 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a790: 172.10.0.1/32[0] 172.10.0.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out

    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a490: 172.10.0.0/24[0] 172.10.0.1/32[0] proto=any dir=in
    Dec 11 17:07:42 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.10.0.0/24[0] 10.0.5.0/24[0] proto=any dir=out
    Dec 11 17:07:42 racoon: DEBUG: got pfkey X_SPDDUMP message

    in Fritzbox: Adresse im Internet: 255.255.255.255 ?

    For you it worked out of the Box?

  • Dec 11th 2011, 22:12
    by Jan Schulz-Hofen

    cat1510: yep, works fine here. let us know once you’ve figured it out…

  • Jul 22nd 2012, 14:07
    by Alexander

    Hi,

    Great work. Did get my FritzBox to work.
    Now the question, while you always push forward: how do you configure the FritzBox to have 2 tunnels (for 2 different networks on the other site) going through the VPN?

    Did you manage to get this to work?

  • Feb 15th 2013, 17:02
    by Holger

    Dear Jan,

    thank you for your great tutorial. Now I was able to configure my IPSec-Tunnel. Your tutorial was a very great help!!!

    Perhaps some hints, which I figured out:

    I got this error message:
    racoon: WARNING: trns_id mismatched: my:AES peer:3DES
    So, I unchecked the AES in the Phase 2 proposal (SA/Key Exchange)

    At VPN: IPsec: Edit Phase 2, Tunnels, Local Networks,
    I’m not using the interface as described in your example, but the network definition with /24, because on the internal interface I use (not LAN, but OPT) there are some VLANs defined. pfSense seems not to recognize that correctly at that point.

    The tunnel traffic doesn’t work until you create a VPN rule in the VPN section of the firewall rules.

    Again! Thanks a lot!
    Holger

  • May 8th 2013, 21:05
    by Yosh

    Thanks a lot. Just put up a pfSense instance at Hetzner on top of an ESXi together with a 7390 box (just FYI: running a Freetz image). Your short config tutorial saved a lot of time.

    🙂

  • Nov 26th 2013, 09:11
    by Carsten

    Hi,

    thanks for this tutorial. This worked like a charm until the update to FritzOS 6.0.

    I just wanted to let you – and others – know that there might be a problem in using this with FritzOS 6.0:

    While the VPN is connected I cannot receive incoming calls. The phone is still ringing, but the caller’s voice is not transmitted, while they can hear me. The SIP call log shows “0” rx-packets for incoming calls.

    I just opened a ticket with AVM-Support as I think, this is a bug in FritzOS 6.0.

    Thanks again for the tutorial.
    Carsten

  • Jan 29th 2015, 14:01
    by Sascha

    Thanks, thanks, thanks. This is soooooooooooo awesome.
    Finally it works. Perfect description!
    Tested with Fritz 7390, OS 6.20 and pfSense 2.2
