Establishing a Site-to-Site VPN connection between an AVM FritzBox (7490 or 7580) and pfSense (Azure VPN Gateway not working well)

What finally solved my problem

I tried various VPN gateways from other vendors as virtual machines.

The best free one (because of its logging and "debugging" functions) was pfSense from Netgate.

The following guide gave me the idea that it could work:

https://znil.net/index.php?title=FritzBox_-_Site_to_Site_VPN_zu_pfSense_2.2

Change the remote gateway in pfSense to the dynamic IP address of your FritzBox.

Finally I had to figure out why the error message "no proposal chosen" occurred.

It was because the wrong DH group was chosen on pfSense (only 768 bit, while the FritzBox had 1024). The phase 2 proposals of both sides, as logged by the IKE daemon, were:

FritzBox                                             pfSense (before the fix)

ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ    ESP:AES_CBC_256/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ    ESP:AES_CBC_192/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ    ESP:AES_CBC_128/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
ESP:DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
ESP:AES_CBC_256/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
ESP:AES_CBC_192/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
ESP:DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ


After changing the DH group on pfSense to 1024 bit, the VPN tunnel was established within seconds.

Refreshing the DynDNS IP address of the FritzBox in Azure automatically
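The mismatch in the table above, replayed as an added example that is not part of the original post: the proposal strings are parsed in the notation strongSwan (the IKE daemon pfSense uses) logs them, and the first proposal both sides share is selected, which is how "no proposal chosen" comes about when only the PFS group differs. It is assumed here that the FritzBox is the initiator; the outcome is the same the other way round.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EspProposal:
    # One ESP (IPsec phase 2) proposal: cipher, integrity, PFS group, ESN flag
    encr: str   # e.g. AES_CBC_256
    integ: str  # e.g. HMAC_SHA1_96
    dh: str     # PFS group, e.g. MODP_1024
    esn: str    # NO_EXT_SEQ / EXT_SEQ

    @classmethod
    def parse(cls, text: str) -> "EspProposal":
        # Format as logged by strongSwan: ESP:ENCR/INTEG/DH/ESN
        proto, _, body = text.partition(":")
        parts = body.split("/")
        if proto != "ESP" or len(parts) != 4:
            raise ValueError(f"unexpected proposal format: {text!r}")
        return cls(*parts)

def select_proposal(initiator, responder):
    """First initiator proposal the responder also offers, or None.
    None is the 'no proposal chosen' case: every transform, including
    the PFS group, has to match, not just cipher and hash."""
    offered = {EspProposal.parse(p) for p in responder}
    for text in initiator:
        if EspProposal.parse(text) in offered:
            return text
    return None

def diagnose(initiator, responder):
    """Report which transform differs for pairs that agree on cipher and hash."""
    diffs = set()
    for a in map(EspProposal.parse, initiator):
        for b in map(EspProposal.parse, responder):
            if (a.encr, a.integ) == (b.encr, b.integ) and a != b:
                if a.dh != b.dh:
                    diffs.add(("dh", a.dh, b.dh))
                if a.esn != b.esn:
                    diffs.add(("esn", a.esn, b.esn))
    return diffs

# Proposal lists copied from the post (SHA1 variants only; the MD5/DES
# entries of the FritzBox are not needed to show the mismatch).
FRITZBOX = [
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
]
PFSENSE_BROKEN = [p.replace("MODP_1024", "MODP_768") for p in FRITZBOX]
PFSENSE_FIXED = list(FRITZBOX)   # same three after setting the DH group to 1024
```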

https://azure.microsoft.com/de-de/blog/azure-automation-authenticating-to-azure-using-azure-active-directory/

 

Open Issues

There is still a "dead peer detection" issue that I haven't figured out. Maybe it is not solvable because of the limited configuration options in the FritzBox.

I can live with the fact that the S2S VPN goes down and reconnects every ~90 minutes.

Links

https://blog.webernetz.net/2015/03/11/fritzos-ab-06-23-ipsec-p2-proposals-erweitert/

http://www.netinvent.com.au/node/49

http://faq.fuchs-kiel.de/content/25/366/de/avm_fritzos-ike-parameter-fritzos-604.html

https://blog.webernetz.net/2013/12/02/ipsec-site-to-site-vpn-juniper-screenos-avm-fritzbox/

https://bskies.io/vpn-verbindung-zu-azure-mit-fritzbox-und-dynamischer-ip-update-gatewayip-ps1
