Hi there! This post will explain what I had to do to get strongSwan establishing a VPN connection to my FRITZ!Box.
I have the following setup:
I wanted the server “trampusch.info” to tunnel in my local network, so that it is reachable under a local IPv4 address, e.g. 192.168.178.202. I have some use cases that only work with targets in my local network, e.g. file transfer via SMB.
After some research I decided to use strongSwan as the client software.
Enabling incoming VPN connections in the FRITZ!Box
To allow incoming VPN connections you have to add a new user. I had to go to System -> FRITZ!Box Users -> add user. Select a username and a password. I did uncheck every setting, except for VPN connections of course. After saving you will see a dialog, containing the VPN connection credentials.
Configure the server to connect with strongSwan
This is the config I use. Although it did not work at first, the config itself is correct.
# /etc/strongswan/ipsec.conf, /usr/local/etc/ipsec.secrets (the latter one is in my case correct) # the explanation of this parameters can be found at: # https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection config setup uniqueids=no #charondebug="ike 4, knl 4, cfg 4, mgr 4, chd 4, dmn 4, esp 4, lib 4, tnc 4" conn %default # unfortunately the FRITZ!Box does not seem to support stronger encryption ike=aes256-sha-modp1024! esp=aes256-sha1 ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 # the FRITZ!Box support ikev1 only. keyexchange=ikev1 conn wb auto=add # the user identity xauth_identity=USER_NAME_HERE left=18.104.22.168 leftid=keyid:USER_NAME_HERE leftsourceip=%config4 leftauth=psk leftauth2=xauth right=nanga.no-ip.biz rightid=%any rightsubnet=192.168.178.0/24 rightauth=psk
However, at first it did not work:
The problem regarding the INVALID_INFORMATION was pointed out on ServerFault.
You get this error if you configure the subnets incorrectly.
leftsubnet you would be able to connect.
leftsubnet=0.0.0.0/0 would have the consequence, that all traffic of my server would be routed through my home router - that I want to avoid this is obvious ;-).
The core of the problem is that the CentOS RPM package of strongSwan does not contain the unity-plugin, which allows to narrow down the target traffic selectors.
To check if you have installed the unity plugin, you can search for
libstrongswan-unity.so on your machine.
If it does not exist, you probably do not have the plugin.
I did not have the unity plugin and therefore had to recompile strongSwan. You should uninstall strongSwan prior compiling it. To compile it with unity, you can do something like:
Compiling strongSwan with the unity plugin enabled
wget https://download.strongswan.org/strongswan.tar.gz tar -xzvf strongswan.tar.gz cd strongswan-5.3.5 ./configure --enable-unity make sudo make install
After that, place the configs mentioned above in the correct directory (in my case
/usr/local/etc), and you are ready to go:
ipsec rereadall ipsec reload ipsec up <connection name here, in my case wb>
Questions? Suggestions? Comments? I would love to hear from you!