Looking for VPN Help and Nethserver Expert

Dear Members,

Hope everyone is fine. I am looking for a Nethserver expert who can help me set up a VPN connection between two networks.

The goal is that the Fritzbox on one side can communicate directly with Nethserver via IPsec to establish a VPN connection.

Kind Regards,
Adnan


My only suggestion is: do the homework.
IPSec parameters are sometimes named differently from device to device, but once you find the correspondences between both sides… it works.
Do not use a trial-and-error sequence, at least not at the beginning.
Write down most of the options (remember that Linux uses the @text notation for text in the local and remote id), then try to mix and match mode, hash, proposal (please do not use less than AES), PFS/Diffie-Hellman.

Did you ever manage to connect two networks via IPSec?

No, I didn’t manage to connect two networks via IPsec.

You can start from here…
https://en.avm.de/service/vpn/tips-tricks/connecting-the-fritzbox-with-a-companys-vpn/
and here
https://docs.nethserver.org/en/v7/vpn.html#ipsec

Maybe this can also be of help:


What do you suggest if I need to access the Home Network devices from the company Network?

Quite a hard question to answer without a… police grilling about the current network structure/subnets, goals, and (therefore) the steps to get the result.
Fundamentally, that is doing all the work except putting the configuration into the devices and testing.

So please, start by describing the current situation of the home and remote networks (subnets, topology) and the goals…


I don’t have a Fritzbox to test but it seems the documentation from AVM describes a roadwarrior scenario. You need a site-to-site VPN to have full access to any device from both sides.

I didn’t find any documentation about setting up site-to-site in the Fritzbox user interface. In this case I think you have to use a cfg file and import it to your Fritzbox (Add VPN button).

Check the link posted by @dnutan to get an example of a cfg file for the Fritzbox and a working /etc/ipsec.conf for Nethserver.

Here is another cfg example (in German).

There’s a “Configure FRITZ!Box VPN Connection” tool to create cfg files.

Then you need to set same values on both sides as @pike described here.


Dear,

Still, I have not succeeded with the Fritzbox and Nethserver VPN connection using IPsec. Is there anything that I am missing?

My Fritzbox network is 192.168.10.0
My Nethserver networks are 192.168.8.0 (LAN, green) and 192.168.88.0 (WAN, red)

Local and remote identifier are missing?
Also: I do not suggest using %any for the Remote IP (unless the remote endpoint has a dynamic IP address).

I added the local and remote identifiers; my remote endpoint has a dynamic IP address,
but still, the tunnel status is red as you can see.

Again: do the homework and double check everything. Also be sure that UDP ports 500 and 4500 (if behind a NAT) can be reached by both setups (Fritz AND NethServer).
Also: feel free to verify that the ISP allows IPSec traffic.
An example from today: this morning, to create an IPSec tunnel again (after a firmware upgrade my appliance decided that the configuration was not good and reset itself), I had to make at least two or three adjustments for wrong settings… and it took about 40 minutes.

Please post the cfg file or configuration you use in the Fritzbox

and the output of the Nethserver IPSEC configuration

db vpn show

so we can compare the settings of the two devices.

Don’t forget to mask public domain names and PSKs.

Hello,

I applied the following configuration on my Fritzbox as described by the Fritzbox link.

The Nethserver IPsec configuration is the following.

The fritzbox link describes a scenario where the fritzbox connects as client to the Nethserver and that means you can’t reach the devices behind the fritzbox from the Nethserver side, see Looking for VPN Help and Nethserver Expert

Could you post a screenshot of the fritzbox settings so we can compare them?

Did you already try to disable PFS on the Nethserver?

Hello,

The configuration of my Fritzbox cfg file is the following:

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "myvpm";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = XXX.XXX.XXX.XXX;
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "xxxxxx.myfritz.net";
        }
        remoteid {
            ipaddr = XXX.XXX.XXX.XXX;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "RANDOM PRE SHARED KEY";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;  // LOCAL IP ADDRESS OF FRITZBOX LAN
                mask = 255.255.255.0;   // LOCAL SUBNET MASK OF FRITZBOX LAN
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.8.0;   // LOCAL IP ADDRESS OF OPENSWAN LAN
                mask = 255.255.255.0;   // LOCAL SUBNET MASK OF OPENSWAN LAN
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
        accesslist = "permit ip any 192.168.8.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Nethserver /etc/ipsec.conf file

config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fe80::/10

conn Site-to-Site
    authby=secret
    auto=add
    type=tunnel
    aggrmode=yes
    left=XXX.XXX.XXX.XXX
    leftid=@XXXXXXXXXXXXXX
    leftnexthop=%defaultroute
    leftsourceip=192.168.8.12
    leftsubnet=192.168.8.0/24
    right=%any
    rightsubnet=192.168.10.0/24
    rightid=XXXXXXXX.myfritz.net
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

include /etc/ipsec.d/*.conf

Comparing the settings I found some missing values.

In the fritzbox cfg file edit following values:

name = "FQDN of Nethserver";
remoteip = 0.0.0.0;

and add

remotehostname = "FQDN OF Nethserver";

You may try modp1024 bit (DH2) instead of modp2048 on the Neth side.

Please check (and maybe post) fritzbox and Nethserver VPN logs when trying to connect.

journalctl -u ipsec.service

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-ipsec-tunnels.html#logs

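The comparison this thread keeps coming back to (mirrored subnets, the same phase 1 mode, matching identities on both ends) can be done mechanically. The script below is an added example, not a NethServer or AVM tool and not posted by anyone in this thread: it parses a FRITZ!Box .cfg fragment and a libreswan ipsec.conf conn block and lists the settings that disagree. Both fragments embedded in it are constructed samples (TEST-NET addresses, placeholder host names) modelled on the structure of the two files posted above; the identity check encodes the IKE rule that an IP-address ID on one side does not match an FQDN/text ID on the other, even when both refer to the same host.

```python
# Added example for this thread, not a NethServer or AVM tool: parse a FRITZ!Box VPN
# .cfg and a libreswan ipsec.conf conn block and report the settings that disagree.
import ipaddress
import re

# Constructed samples (TEST-NET addresses, placeholder names), modelled on the thread's files.
FRITZ_CFG = """
vpncfg {
  connections {
    name = "neth.example.org";
    localid { fqdn = "home.example.myfritz.net"; }
    remoteid { ipaddr = 203.0.113.10; }   // placeholder public IP of the NethServer
    mode = phase1_mode_aggressive;
    phase2localid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr = 192.168.8.0; mask = 255.255.255.0; } }
  }
}
"""
IPSEC_CONF = """
conn Site-to-Site
    aggrmode=yes
    left=203.0.113.10
    leftid=@neth.example.org      # text ID, but the FRITZ!Box remoteid above is an IP ID
    leftsubnet=192.168.8.0/24
    right=%any
    rightid=home.example.myfritz.net
    rightsubnet=192.168.10.0/24
"""


def parse_fritz(text):
    """Parse the brace/semicolon syntax of a FRITZ!Box .cfg into nested dicts."""
    text = re.sub(r"//[^\n]*", "", text)                    # drop // comments
    tokens = re.findall(r'"[^"]*"|[{};=]|[^\s{};=]+', text)  # quoted strings stay whole
    stack, i = [{}], 0
    while i < len(tokens):
        tok = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1] == "{":     # "name {" opens a block
            stack[-1][tok] = node = {}
            stack.append(node)
            i += 2
        elif tok == "}":
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "=":   # "key = v1, v2;"
            j, vals = i + 2, []
            while tokens[j] != ";":
                vals.append(tokens[j].strip('",'))
                j += 1
            stack[-1][tok] = " ".join(v for v in vals if v)
            i = j + 1
        else:
            i += 1
    return stack[0]


def parse_ipsec_conf(text):                                  # 'conn NAME' / 'config setup' -> dicts
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop # comments
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return sections


def to_cidr(addr, mask):                                     # FRITZ ipaddr/mask -> 192.168.10.0/24
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def norm_id(value):                                          # strip quotes and libreswan's '@' text-ID marker
    return value.strip().strip('"').lstrip("@").lower()


def compare(fritz, conn):
    """Return human-readable mismatches between the FRITZ!Box and the libreswan peer."""
    c, findings = fritz["vpncfg"]["connections"], []
    # Phase 2 selectors are mirrored: Fritz local == Neth right, Fritz remote == Neth left.
    for fkey, nkey in (("phase2localid", "rightsubnet"), ("phase2remoteid", "leftsubnet")):
        net = c[fkey]["ipnet"]
        f_net = to_cidr(net["ipaddr"], net["mask"])
        n_net = str(ipaddress.ip_network(conn[nkey], strict=False))
        if f_net != n_net:
            findings.append(f"{fkey} {f_net} != {nkey} {n_net}")
    # Phase 1 exchange mode (aggressive vs main) must agree on both ends.
    f_aggr = c.get("mode") == "phase1_mode_aggressive"
    n_aggr = conn.get("aggrmode", "no").lower() == "yes"
    if f_aggr != n_aggr:
        findings.append(f"phase1 mode: fritz aggressive={f_aggr}, neth aggrmode={n_aggr}")
    # IKE identities must match in value *and* type: an IP-address ID never matches an FQDN/text ID.
    if norm_id(c["localid"].get("fqdn", "")) != norm_id(conn.get("rightid", "")):
        findings.append("fritz localid.fqdn != neth rightid")
    rid, leftid = c["remoteid"], conn.get("leftid", conn.get("left", ""))
    if "ipaddr" in rid and (leftid.startswith("@") or norm_id(rid["ipaddr"]) != norm_id(leftid)):
        findings.append(f"fritz remoteid.ipaddr {rid['ipaddr']} vs neth leftid {leftid}: ID type/value mismatch")
    return findings


def check_sample():                                          # run the comparison on the samples above
    return compare(parse_fritz(FRITZ_CFG), parse_ipsec_conf(IPSEC_CONF)["Site-to-Site"])
```

Call check_sample() to run it on the embedded fragments, or feed compare() the parsed contents of your own two files (with PSK and public names already masked). On the sample it reports exactly one mismatch: the @text leftid on the libreswan side against the IP-address remoteid on the FRITZ!Box. The same pairing (remoteid given as ipaddr in the cfg, leftid given as @text in ipsec.conf) appears in the two files posted above, so it is one of the first things worth checking.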