{"id":1349,"date":"2021-06-05T23:40:14","date_gmt":"2021-06-05T21:40:14","guid":{"rendered":"https:\/\/www.boettrich.info\/blog\/?p=1349"},"modified":"2021-06-09T14:00:32","modified_gmt":"2021-06-09T12:00:32","slug":"fritzbox-7490-mit-7-27-ipsec-vpn-zu-pfsense","status":"publish","type":"post","link":"https:\/\/www.boettrich.info\/blog\/beitrag\/fritzbox-7490-mit-7-27-ipsec-vpn-zu-pfsense\/","title":{"rendered":"Fritz!Box 7490 7.27 IPsec VPN to PFsense"},"content":{"rendered":"\n<p>Setting up VPN connections with a Fritz!Box is not complicated. Still, it took me a while to figure out which proposals and hashing algorithms work in an IKEv1 IPsec tunnel between a FritzBox 7490 with FritzOS 7.27 and a pfSense 2.5&#8230; and these connections are still far from being stable&#8230;<br>Unfortunately a proper and secure setup with modern settings is not documented well by AVM &#8211; the vendor of the Fritz!Box equipment. One can find lists of proposals on the internet &#8211; but the documents that turn up seem to be outdated.<\/p>\n\n\n\n<p>I read somewhere that modern DH groups &#8211; like DH 14 and DH 15 &#8211; are supported, but they do not work for me yet&#8230;<\/p>\n\n\n\n<p><strong>Update 2021\/06\/06:<\/strong> I changed the key lifetime in phase 1 to 3600 because with 28800 the tunnel broke after 102 minutes :-\/ Hours later I noticed that with a 3600 s lifetime the tunnel was also torn down after 102 minutes&#8230;<\/p>\n\n\n\n<p><strong>Update 2021\/06\/07:<\/strong> So it turned out, after a bit more research on the net, that things should not have been that &#8222;difficult&#8220;&#8230; pfSense 2.5 had serious issues regarding IPsec &#8211; I wanted to stay with this version to have WireGuard tunnels. But right now IPsec is more important to me, so I cleared the WireGuard config, updated to 2.5.1 and testing starts over. The tunnels are stable again and have been running for about 36 hours &#8211; several renegotiations survived. Maybe I can now re-evaluate a more secure setup with DH groups 14 or 15&#8230;<\/p>\n\n\n\n<p>Right now the following setup works quite well &#8211; not with the best parameters in terms of security (only DH group 2):<\/p>\n\n\n\n<p><strong>Update 2021\/06\/08:<\/strong> Finally, after patching pfSense, I found my sweet spot. AES-256 \/ SHA512 with DH 15 (3072 bit) runs stably and uses current algorithms. The parameters in the pfSense screenshots reflect the old settings &#8211; just change the DH group in phase 1 and the PFS key group in phase 2 to 15, matching the second vpn.cfg below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">pfSense settings<\/h2>\n\n\n\n<p><strong>Phase 1 on pfSense:<\/strong><\/p>\n\n\n\n<p>Key exchange version: IKEv1<br>Remote Gateway: DynDNS name of the Fritz!Box<br>Authentication method: Mutual PSK<br>Negotiation mode: Aggressive<br>My identifier: DynDNS name of the pfSense<br>Peer identifier: DynDNS name of the Fritz!Box<br>Encryption Algorithms: AES 256 bits, Hash SHA512, DH Group 2<br>Lifetime: 3600 (was 28800, see the update above)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-13.png\"><img loading=\"lazy\" decoding=\"async\" width=\"721\" height=\"718\" src=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-13.png\" alt=\"pfSense phase 1 settings\" class=\"wp-image-1369\" srcset=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-13.png 721w, https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-13-300x300.png 300w, https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-13-150x150.png 150w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/a><\/figure>\n\n\n\n<p><strong>Phase 2 on pfSense:<\/strong><\/p>\n\n\n\n<p>Protocol: ESP<br>Encryption Algorithms: AES 256 bits<br>Hash Algorithms: SHA512<br>PFS Key Group: 
2<br>Lifetime: 3600<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-11.png\"><img loading=\"lazy\" decoding=\"async\" width=\"857\" height=\"893\" src=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-11.png\" alt=\"pfSense phase 2 settings\" class=\"wp-image-1361\" srcset=\"https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-11.png 857w, https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-11-288x300.png 288w, https:\/\/www.boettrich.info\/blog\/wp-content\/uploads\/2021\/06\/image-11-768x800.png 768w\" sizes=\"auto, (max-width: 857px) 100vw, 857px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Fritz!Box vpn.cfg &#8211; DH2 &#8211; LT3600<\/h2>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">vpncfg {\n    \/\/--------------------------------------------\n    \/\/\n    \/\/ FB 7490 FritzOS 7.27\n    \/\/ pfSense:\n    \/\/ IKEv1 Aggressive Mode\n    \/\/ Phase 1 AES 256 bit SHA512 DH 2 LT3600\n    \/\/ Phase 2 AES 256 bit SHA512 DH 2 LT3600\n    \/\/ DPD on\n    \/\/\n    \/\/--------------------------------------------\n    connections {\n        enabled = yes;\n        editable = yes;\n        conn_type = conntype_lan;\n        name = \"Name_of_the_VPN\";                   \/\/ Change to your name\n        boxuser_id = 0;\n        always_renew = yes;\n        reject_not_encrypted = no;\n        dont_filter_netbios = yes;\n        localip = 0.0.0.0;\n        local_virtualip = 0.0.0.0;\n        remoteip = 0.0.0.0;                         \/\/ Public IP of your pfSense\n        remote_virtualip = 0.0.0.0;\n        remotehostname = \"somename.ddnss.de\";       \/\/ Hostname of your pfSense\n        keepalive_ip = 192.168.1.1;                 \/\/ Host in the remote subnet the box pings to keep the tunnel up\n        localid {\n            fqdn = \"fritzbox.ddnss.de\";             \/\/ Hostname of your Fritz!Box\n        }\n        remoteid {\n            fqdn = \"somename.ddnss.de\";             \/\/ Hostname of your pfSense\n        }\n        mode = phase1_mode_aggressive;\n        \/\/ mode = phase1_mode_idp;                  \/\/ main mode (identity protection)\n        phase1ss = \"all\/all\/all\";                   \/\/ lets the peer choose; negotiates DH 2 with the pfSense settings above\n        keytype = connkeytype_pre_shared;\n        key = \"SomeSuperRandomKey\";                 \/\/ pre-shared key - the longer and more random the better\n        cert_do_server_auth = no;\n        use_nat_t = yes;\n        use_xauth = no;\n        use_cfgmode = no;\n        phase2localid {\n            ipnet {\n                ipaddr = 192.168.178.0;             \/\/ Local subnet of your Fritz!Box\n                mask = 255.255.255.0;\n            }\n        }\n        phase2remoteid {\n            ipnet {\n                ipaddr = 192.168.1.0;               \/\/ Subnet behind the remote pfSense\n                mask = 255.255.255.0;\n            }\n        }\n        phase2ss = \"esp-aes256-3des-sha\/ah-no\/comp-lzs-no\/pfs\";   \/\/ AES-256 or 3DES with SHA, no AH, no compression, PFS\n        accesslist = \"permit ip any 192.168.1.0 255.255.255.0\";  \/\/ Permit only these nets or hosts\n    }\n    ike_forward_rules = \"udp 0.0.0.0:500 0.0.0.0:500\",\n                        \"udp 0.0.0.0:4500 0.0.0.0:4500\";\n}<\/pre>\n\n\n\n<p>Further tests shall cover proper DH groups and maybe extended key lifetimes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fritz!Box vpn.cfg &#8211; DH15 &#8211; LT 3600 \/ 28800<\/h2>\n\n\n\n<p>I&#8217;m going to test this setting with the lifetime specified only on pfSense&#8230; we&#8217;ll see whether the lifetime is stable.<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">vpncfg {\n    \/\/--------------------------------------------\n    \/\/\n    \/\/ FB 7490 FritzOS 7.27\n    \/\/ pfSense:\n    \/\/ IKEv1 Aggressive Mode\n    \/\/ Phase 1 AES 256 bit SHA512 DH 15 LT3600 - should also tolerate 28800\n    \/\/ Phase 2 AES 256 bit SHA512 DH 15 LT3600\n    \/\/ DPD on\n    \/\/\n    \/\/--------------------------------------------\n    connections {\n        enabled = yes;\n        editable = yes;\n        conn_type = conntype_lan;\n        name = \"Name_of_the_VPN\";                   \/\/ Change to your name\n        boxuser_id = 0;\n        always_renew = yes;\n        reject_not_encrypted = 
no;\n        dont_filter_netbios = yes;\n        localip = 0.0.0.0;\n        local_virtualip = 0.0.0.0;\n        remoteip = 0.0.0.0;                         \/\/ Public IP of your pfSense\n        remote_virtualip = 0.0.0.0;\n        remotehostname = \"somename.ddnss.de\";       \/\/ Hostname of your pfSense\n        keepalive_ip = 192.168.1.1;                 \/\/ Host in the remote subnet the box pings to keep the tunnel up\n        localid {\n            fqdn = \"fritzbox.ddnss.de\";             \/\/ Hostname of your Fritz!Box\n        }\n        remoteid {\n            fqdn = \"somename.ddnss.de\";             \/\/ Hostname of your pfSense\n        }\n        mode = phase1_mode_aggressive;\n        \/\/ mode = phase1_mode_idp;                  \/\/ main mode (identity protection)\n        phase1ss = \"dh15\/aes\/sha\";                  \/\/ DH 15 (3072 bit), AES, SHA - phase 2 inherits the DH group\n        keytype = connkeytype_pre_shared;\n        key = \"SomeSuperRandomKey\";                 \/\/ pre-shared key - the longer and more random the better\n        cert_do_server_auth = no;\n        use_nat_t = yes;\n        use_xauth = no;\n        use_cfgmode = no;\n        phase2localid {\n            ipnet {\n                ipaddr = 192.168.178.0;             \/\/ Local subnet of your Fritz!Box\n                mask = 255.255.255.0;\n            }\n        }\n        phase2remoteid {\n            ipnet {\n                ipaddr = 192.168.1.0;               \/\/ Subnet behind the remote pfSense\n                mask = 255.255.255.0;\n            }\n        }\n        phase2ss = \"esp-aes256-3des-sha\/ah-no\/comp-lzs-no\/pfs\";   \/\/ AES-256 or 3DES with SHA, no AH, no compression, PFS\n        accesslist = \"permit ip any 192.168.1.0 255.255.255.0\";  \/\/ Permit only these nets or hosts\n    }\n    ike_forward_rules = \"udp 0.0.0.0:500 0.0.0.0:500\",\n                        \"udp 0.0.0.0:4500 0.0.0.0:4500\";\n}<\/pre>\n\n\n\n<p>Bear in mind that a good &#8222;key&#8220; is crucial for a secure tunnel. The longer and more random the pre-shared key is, the better. But sometimes devices and firmware have trouble with a key that is too long or one that has too many special characters. In this setup I used a key 56 characters long consisting of letters and digits. Another consideration is to set up the tunnel in main mode (phase1_mode_idp in the vpn.cfg) so that the identities are exchanged encrypted. In aggressive mode the identities travel in the clear and the PSK-derived hash of the first exchange can be captured and brute-forced offline, which is why the key has to be long and random. Main mode with a pre-shared key, on the other hand, requires the responder to select the key by the peer&#8217;s IP address before the identity is known, which is why aggressive mode with FQDN identifiers is the usual choice for two DynDNS endpoints like these.<\/p>\n\n\n\n<p>To have traffic flow through the tunnel, don&#8217;t forget to create a firewall rule on the IPsec interface of pfSense that lets the desired traffic pass.<\/p>\n\n\n\n<p><strong>Update 2021\/06\/09:<\/strong> AVM kindly answered my request on where to find the supported cipher and hashing algorithms. Thanks again to Andy P.<\/p>\n\n\n\n<p>Generally, Fritz!Boxes support IPsec with ESP, IKEv1 and pre-shared keys &#8211; according to AVM, AH and PFS are <strong>not<\/strong> supported. Note, though, that the phase 2 strings below select PFS explicitly (pfs or no-pfs), and the working configurations above use the pfs variant together with a PFS key group on pfSense.<\/p>\n\n\n\n<p>For the key exchange DH2 is initially used; later on all the DH groups mentioned below are supported. The DH group for phase 2 is defined by phase 1.<\/p>\n\n\n\n<p><strong>Config entries for phase 1:<\/strong><\/p>\n\n\n\n<p>dh5\/aes\/sha;<br>dh14\/aes\/sha;<br>dh15\/aes\/sha;<br>def\/all\/all;<br>alt\/all\/all;<br>all\/all\/all;<br>LT8h\/all\/all\/all;<\/p>\n\n\n\n<p><strong>Config entries for phase 2:<\/strong><\/p>\n\n\n\n<p>esp-3des-sha\/ah-no\/comp-no\/pfs;<br>esp-3des-sha\/ah-no\/comp-no\/no-pfs;<br>esp-aes256-3des-sha\/ah-no\/comp-lzs-no\/pfs;<br>esp-aes-sha\/ah-all\/comp-lzjh-no\/pfs;<br>esp-all-all\/ah-all\/comp-all\/pfs;<br>esp-all-all\/ah-all\/comp-all\/no-pfs;<br>esp-all-all\/ah-none\/comp-all\/pfs;<br>esp-all-all\/ah-none\/comp-all\/no-pfs;<br>LT8h\/esp-all-all\/ah-none\/comp-all\/pfs;<br>LT8h\/esp-all-all\/ah-none\/comp-all\/no-pfs;<br>esp-null-sha\/ah-no\/comp-no\/no-pfs;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Setting up VPN connections with a Fritz!Box is not complicated. Though this took me a while to figure out which proposals and hashing algorithms work in an IKEv1 IPsec between a FritzBox 7490 with FritzOS 7.27 and a PFsense 2.5&#8230;. 
And still these connections are far from beeing stable&#8230;.Unfortunatelly a proper and secure setup with&hellip;&nbsp;<a href=\"https:\/\/www.boettrich.info\/blog\/beitrag\/fritzbox-7490-mit-7-27-ipsec-vpn-zu-pfsense\/\" rel=\"bookmark\">Weiterlesen &raquo;<span class=\"screen-reader-text\">Fritz!Box 7490 7.27 IPsec VPN to PFsense<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1,10],"tags":[],"class_list":["post-1349","post","type-post","status-publish","format-standard","hentry","category-beitrag","category-netzwerk"],"_links":{"self":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/comments?post=1349"}],"version-history":[{"count":48,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1349\/revisions"}],"predecessor-version":[{"id":1429,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1349\/revisions\/1429"}],"wp:attachment":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/media?parent=1349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/categories?post=1349"},{"taxonomy":"post_tag","embe
ddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/tags?post=1349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
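The vpn.cfg proposal strings in the post and the phase 1 / phase 2 lists AVM confirmed in the 2021/06/09 update can be checked mechanically. The following Python script is an added example and not part of the original post, of AVM's firmware or of pfSense: it extracts the scalar fields of a vpn.cfg connection block, compares phase1ss and phase2ss against AVM's lists and flags the weak spots discussed above (DH group left to the peer or DH 5, 3DES or NULL offered in phase 2, no PFS, aggressive mode with a PSK, a short PSK). The two sample blocks and the 56-character alphanumeric key are constructed for the example, and the thresholds (DH 14 or higher, at least 128 bits of PSK entropy) are this example's own assumptions.

```python
"""Audit a Fritz!Box vpn.cfg connection block for weak IPsec choices.

Added example, not AVM's or pfSense's code. The accepted proposal strings
are the ones AVM listed for FritzOS 7.27 in the post; the DH and PSK
thresholds are assumptions made for this example.
"""
import math
import re

# Phase 1 / phase 2 proposal strings AVM confirmed as accepted.
AVM_PHASE1 = {
    "dh5/aes/sha", "dh14/aes/sha", "dh15/aes/sha",
    "def/all/all", "alt/all/all", "all/all/all", "LT8h/all/all/all",
}
AVM_PHASE2 = {
    "esp-3des-sha/ah-no/comp-no/pfs",
    "esp-3des-sha/ah-no/comp-no/no-pfs",
    "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs",
    "esp-aes-sha/ah-all/comp-lzjh-no/pfs",
    "esp-all-all/ah-all/comp-all/pfs",
    "esp-all-all/ah-all/comp-all/no-pfs",
    "esp-all-all/ah-none/comp-all/pfs",
    "esp-all-all/ah-none/comp-all/no-pfs",
    "LT8h/esp-all-all/ah-none/comp-all/pfs",
    "LT8h/esp-all-all/ah-none/comp-all/no-pfs",
    "esp-null-sha/ah-no/comp-no/no-pfs",
}

# One 'name = value;' per line; a line starting with // is a comment and is skipped.
_FIELD = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^";\n]*)"?[ \t]*;', re.MULTILINE)


def parse_connection(cfg: str) -> dict:
    """Collect the scalar fields of a connection block (later duplicates win)."""
    return {m.group(1): m.group(2).strip() for m in _FIELD.finditer(cfg)}


def psk_entropy_bits(key: str) -> float:
    """Entropy of the PSK if each character were drawn uniformly from the classes used."""
    pool = 0
    if re.search(r"[a-z]", key):
        pool += 26
    if re.search(r"[A-Z]", key):
        pool += 26
    if re.search(r"[0-9]", key):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", key):
        pool += 33  # printable ASCII punctuation
    return len(key) * math.log2(pool) if pool else 0.0


def audit(cfg: str) -> list:
    """Return (code, message) findings for one vpn.cfg connection block."""
    fields = parse_connection(cfg)
    p1 = fields.get("phase1ss", "")
    p2 = fields.get("phase2ss", "")
    findings = []
    if p1 not in AVM_PHASE1:
        findings.append(("P1_UNLISTED", f"phase1ss {p1!r} is not in AVM's list"))
    if p1.startswith("dh5/"):
        findings.append(("P1_WEAK_DH", "DH group 5 (1536 bit) is below DH 14"))
    elif not p1.startswith("dh"):
        findings.append(("P1_DH_NOT_PINNED", "phase1ss leaves the DH group to the peer"))
    if p2 not in AVM_PHASE2:
        findings.append(("P2_UNLISTED", f"phase2ss {p2!r} is not in AVM's list"))
    if "3des" in p2:
        findings.append(("P2_3DES", "3DES is offered in phase 2"))
    if "null" in p2:
        findings.append(("P2_NULL", "NULL encryption is offered in phase 2"))
    if p2.endswith("/no-pfs"):
        findings.append(("P2_NO_PFS", "phase 2 without perfect forward secrecy"))
    if (fields.get("mode") == "phase1_mode_aggressive"
            and fields.get("keytype") == "connkeytype_pre_shared"):
        findings.append(("AGGRESSIVE_PSK",
                         "aggressive mode sends IDs in the clear and exposes a PSK hash"))
    bits = psk_entropy_bits(fields.get("key", ""))
    if bits < 128:
        findings.append(("PSK_WEAK", f"PSK has only about {bits:.0f} bits of entropy"))
    return findings


def finding_codes(cfg: str) -> set:
    """Just the finding codes, convenient for scripting."""
    return {code for code, _ in audit(cfg)}


# Constructed excerpt of the DH2 connection block from the post.
PAGE_DH2 = """
    mode = phase1_mode_aggressive;
    // mode = phase1_mode_idp;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "SomeSuperRandomKey";  // pre-shared-key - the longer the better
    phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
"""

# Same block with DH 15 pinned and a constructed 56-character alphanumeric key.
STRONG_KEY = "k7Qm2ZpL9vBx4TnR8sWe1YaH6cJd3FgU5oKi0NtM2bVq9zXr7lPw4Ey8"
PAGE_DH15 = PAGE_DH2.replace('"all/all/all"', '"dh15/aes/sha"').replace(
    "SomeSuperRandomKey", STRONG_KEY)

if __name__ == "__main__":
    for label, cfg in (("DH2 config", PAGE_DH2), ("DH15 config", PAGE_DH15)):
        print(label)
        for code, message in audit(cfg):
            print(f"  {code}: {message}")
```

Run against the DH2 block it reports the unpinned DH group, the 3DES offer in phase 2, aggressive mode with a PSK and the weak placeholder key; the DH15 block with the long key still reports 3DES and aggressive mode, which are the two points that remain after the post's final settings.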