Fabian Beier-Trampusch Blog

» Knowledge through passion. «

Configuring strongSwan under CentOS for use with FRITZ!Box 7490 IPSec VPN via PSK

Hi there! This post will explain what I had to do to get strongSwan establishing a VPN connection to my FRITZ!Box.

I have the following setup:

I wanted the server “trampusch.info” to tunnel in my local network, so that it is reachable under a local IPv4 address, e.g. I have some use cases that only work with targets in my local network, e.g. file transfer via SMB.

After some research I decided to use strongSwan as the client software.

Enabling incoming VPN connections in the FRITZ!Box

To allow incoming VPN connections you have to add a new user. I had to go to System -> FRITZ!Box Users -> add user. Select a username and a password. I did uncheck every setting, except for VPN connections of course. After saving you will see a dialog, containing the VPN connection credentials.

Configure the server to connect with strongSwan

This is the config I use. Although it did not work at first, the config itself is correct.

# /etc/strongswan/ipsec.conf, /usr/local/etc/ipsec.secrets (the latter one is in my case correct)
# the explanation of this parameters can be found at:
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

config setup
        #charondebug="ike 4, knl 4, cfg 4, mgr 4, chd 4, dmn 4, esp 4, lib 4, tnc 4"

conn %default
        # unfortunately the FRITZ!Box does not seem to support stronger encryption
        # the FRITZ!Box support ikev1 only.

conn wb
        # the user identity

However, at first it did not work:

The problem regarding the INVALID_INFORMATION was pointed out on ServerFault. You get this error if you configure the subnets incorrectly. With as leftsubnet you would be able to connect. leftsubnet= would have the consequence, that all traffic of my server would be routed through my home router - that I want to avoid this is obvious ;-). The core of the problem is that the CentOS RPM package of strongSwan does not contain the unity-plugin, which allows to narrow down the target traffic selectors. To check if you have installed the unity plugin, you can search for libstrongswan-unity.so on your machine. If it does not exist, you probably do not have the plugin.

I did not have the unity plugin and therefore had to recompile strongSwan. You should uninstall strongSwan prior compiling it. To compile it with unity, you can do something like:

Compiling strongSwan with the unity plugin enabled

wget https://download.strongswan.org/strongswan.tar.gz
tar -xzvf strongswan.tar.gz
cd strongswan-5.3.5
./configure --enable-unity
sudo make install

After that, place the configs mentioned above in the correct directory (in my case /usr/local/etc), and you are ready to go:

ipsec rereadall
ipsec reload
ipsec up <connection name here, in my case wb>

Questions? Suggestions? Comments? I would love to hear from you!