Hi there! This post explains what I had to do to get strongSwan to establish a VPN connection to my FRITZ!Box.
I have the following setup:
I wanted the server “trampusch.info” to tunnel into my local network so that it is reachable under a local IPv4 address, e.g. 192.168.178.202. I have some use cases that only work with targets inside my local network, e.g. file transfer via SMB.
After some research I decided to use strongSwan as the client software.
Enabling incoming VPN connections in the FRITZ!Box
To allow incoming VPN connections you have to add a new user: go to System -> FRITZ!Box Users -> add user. Choose a username and a password. I unchecked every permission except for VPN connections, of course. After saving you will see a dialog containing the VPN connection credentials (among them the pre-shared key used below).
Configure the server to connect with strongSwan
This is the config I use. Although it did not work at first, the config itself is correct. Two caveats before you copy it: modp1024 (DH group 2) and SHA-1 are weak by today's standards, and IKEv1 aggressive mode with a PSK exposes material that allows offline guessing of the PSK to anyone who can observe the exchange, so keep the key generated by the FRITZ!Box long and random.
```
# /etc/strongswan/ipsec.conf, /usr/local/etc/ipsec.conf (the latter one is in my case correct)
# the explanation of these parameters can be found at:
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

config setup
    uniqueids=no
    #charondebug="ike 4, knl 4, cfg 4, mgr 4, chd 4, dmn 4, esp 4, lib 4, tnc 4"

conn %default
    # unfortunately the FRITZ!Box does not seem to support stronger encryption
    ike=aes256-sha-modp1024!
    esp=aes256-sha1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # the FRITZ!Box supports IKEv1 only
    keyexchange=ikev1

conn wb
    auto=add
    # the user identity
    xauth_identity=USER_NAME_HERE
    left=220.127.116.11
    leftid=keyid:USER_NAME_HERE
    leftsourceip=%config4
    leftauth=psk
    leftauth2=xauth
    right=nanga.no-ip.biz
    rightid=%any
    rightsubnet=192.168.178.0/24
    rightauth=psk
```
```
# /etc/ipsec.secrets, /usr/local/etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "presharedkey from fritzbox dialog here"
USER_NAME_HERE : XAUTH "USER_PASSWORD_HERE"
```
However, at first it did not work:
```
initiating Aggressive Mode IKE_SA wb to 18.104.22.168
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 22.214.171.124 to 126.96.36.199 (341 bytes)
received packet: from 188.8.131.52 to 184.108.40.206 (412 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V NAT-D NAT-D ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received unknown vendor ID: a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 220.127.116.11 to 18.104.22.168 (108 bytes)
received packet: from 22.214.171.124 to 126.96.36.199 (92 bytes)
parsed INFORMATIONAL_V1 request 3080152599 [ HASH N(INITIAL_CONTACT) ]
received packet: from 188.8.131.52 to 184.108.40.206 (92 bytes)
parsed TRANSACTION request 3809505870 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3809505870 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 220.127.116.11 to 18.104.22.168 (108 bytes)
received packet: from 22.214.171.124 to 126.96.36.199 (76 bytes)
parsed TRANSACTION request 3809505870 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'montblanc' (myself) successful
IKE_SA wb established between 188.8.131.52[montblanc]...184.108.40.206[220.127.116.11]
scheduling reauthentication in 3410s
maximum IKE_SA lifetime 3590s
generating TRANSACTION response 3809505870 [ HASH CPA(X_STATUS) ]
sending packet: from 18.104.22.168 to 22.214.171.124 (76 bytes)
generating TRANSACTION request 835986006 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 126.96.36.199 to 188.8.131.52 (76 bytes)
received packet: from 184.108.40.206 to 220.127.116.11 (76 bytes)
parsed TRANSACTION response 835986006 [ HASH CPRP(ADDR DNS) ]
installing DNS server 192.168.178.1 to /etc/strongswan/resolv.conf
installing new virtual IP 192.168.178.202
generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
sending packet: from 18.104.22.168 to 22.214.171.124 (172 bytes)
received packet: from 126.96.36.199 to 188.8.131.52 (76 bytes)
parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'wb' failed
```
Note that phase 1, XAuth and mode config all succeed (a virtual IP and a DNS server are assigned); it is the quick mode exchange that the FRITZ!Box rejects with INVALID_ID_INFORMATION. The cause of this notify was pointed out on ServerFault.
You get this error if the subnets (the traffic selectors proposed in quick mode) are configured in a way the FRITZ!Box does not accept. With leftsubnet=0.0.0.0/0 you would be able to connect, but that would have the consequence that all traffic of my server is routed through my home router, which I obviously want to avoid ;-).
The core of the problem is that the CentOS RPM package of strongSwan does not contain the unity plugin, which allows narrowing the traffic selectors down to the target subnet.
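When the charon output is as long as the one above, it helps to reduce it to the question "which IKEv1 stage did not complete?". The following parser is an example I added for this post; it is neither the post's own code nor part of strongSwan. It reads a trimmed copy of the log above (constructed from it, not a fresh capture) plus a second, hypothetical log of a phase 1 failure, and reports whether the attempt got past aggressive mode, XAuth and mode config before the error notify arrived. The stage names and the hints returned by diagnose() are my own choice, not strongSwan output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the charon output of the failed attempt above, trimmed to
# the lines that carry state (one element per line). It is not a new capture.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA wb to 18.104.22.168
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V NAT-D NAT-D ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received unknown vendor ID: a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
XAuth authentication of 'montblanc' (myself) successful
IKE_SA wb established between 188.8.131.52[montblanc]...184.108.40.206[220.127.116.11]
installing DNS server 192.168.178.1 to /etc/strongswan/resolv.conf
installing new virtual IP 192.168.178.202
generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'wb' failed
"""

# Second constructed sample (hypothetical, not from the page): the gateway
# rejects the IKE proposal, so the handshake dies before XAuth even starts.
PHASE1_FAIL_LOG = """\
initiating Aggressive Mode IKE_SA wb to 18.104.22.168
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'wb' failed
"""


@dataclass
class Ikev1Summary:
    """What one connection attempt tells us, reduced to a few facts."""
    conn: Optional[str] = None
    aggressive_mode: bool = False
    vendor_ids: List[str] = field(default_factory=list)
    xauth_ok: bool = False
    ike_sa_established: bool = False
    dns_server: Optional[str] = None
    virtual_ip: Optional[str] = None
    quick_mode_started: bool = False
    error_notify: Optional[str] = None
    failed: bool = False

    def failed_phase(self) -> Optional[str]:
        """Name the IKEv1 stage that did not complete, or None on success."""
        if not self.failed:
            return None
        if not self.ike_sa_established:
            return "phase1"        # aggressive/main mode or XAuth
        if self.virtual_ip is None:
            return "mode-config"   # no ADDR attribute came back
        if self.quick_mode_started:
            return "quick-mode"    # IPsec SA / traffic selector negotiation
        return "unknown"


def parse_charon_log(text: str) -> Ikev1Summary:
    """Scan charon IKEv1 log lines and collect the state-carrying ones."""
    s = Ikev1Summary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"initiating (Aggressive|Main) Mode IKE_SA (\S+) to", line):
            s.aggressive_mode = m.group(1) == "Aggressive"
            s.conn = m.group(2)
        elif m := re.match(r"received (.*vendor ID.*)$", line):
            s.vendor_ids.append(m.group(1))
        elif re.match(r"XAuth authentication of '.*' \(myself\) successful", line):
            s.xauth_ok = True
        elif re.match(r"IKE_SA \S+ established between", line):
            s.ike_sa_established = True
        elif m := re.match(r"installing DNS server (\S+)", line):
            s.dns_server = m.group(1)
        elif m := re.match(r"installing new virtual IP (\S+)", line):
            s.virtual_ip = m.group(1)
        elif line.startswith("generating QUICK_MODE request"):
            s.quick_mode_started = True
        elif m := re.match(r"received (\S+) error notify", line):
            s.error_notify = m.group(1)
        elif re.match(r"establishing connection '.*' failed", line):
            s.failed = True
    return s


def diagnose(s: Ikev1Summary) -> str:
    """Map the parsed state to the part of ipsec.conf worth checking first."""
    phase = s.failed_phase()
    if phase is None:
        return "connection established"
    if phase == "quick-mode" and s.error_notify == "INVALID_ID_INFORMATION":
        return ("quick mode: peer rejected the traffic selectors; check "
                "leftsubnet/rightsubnet (against a FRITZ!Box usually the "
                "missing unity plugin)")
    if phase == "phase1":
        return f"phase 1: IKE_SA not established ({s.error_notify or 'no notify'}); check ike=, keyexchange= and the PSK"
    if phase == "mode-config":
        return "mode config: no virtual IP assigned; check leftsourceip="
    return f"{phase}: {s.error_notify or 'unknown error'}"


if __name__ == "__main__":
    for log in (SAMPLE_LOG, PHASE1_FAIL_LOG):
        summary = parse_charon_log(log)
        print(summary.conn, summary.failed_phase(), "->", diagnose(summary))
```

Run it against `ipsec up wb 2>&1` output (or the charon log file) instead of the embedded samples; the point is that the selectors are only rejected after authentication, so the PSK and XAuth password are fine and the fix belongs in the conn section, not in ipsec.secrets.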
To check whether the unity plugin is installed, search your machine for libstrongswan-unity.so. If the file does not exist, you probably do not have the plugin. With the daemon running, ipsec listplugins shows the loaded plugins, so unity should appear there once it is in place.
I did not have the unity plugin and therefore had to recompile strongSwan. You should uninstall the packaged strongSwan before compiling it. To compile it with unity, you can do something like:
Compiling strongSwan with the unity plugin enabled
```shell
wget https://download.strongswan.org/strongswan.tar.gz
tar -xzvf strongswan.tar.gz
# the directory name depends on the version you downloaded
cd strongswan-5.3.5
./configure --enable-unity
make
sudo make install
```
After that, place the configs mentioned above in the correct directory (in my case /usr/local/etc), and you are ready to go:
```shell
ipsec rereadall
ipsec reload
ipsec up <connection name here, in my case wb>
```
Questions? Suggestions? Comments? I would love to hear from you!