Trying to set up IPsec Tunnel NS->Fritzbox

Okay, I got it.
There were a few configuration problems. Now I'm running an IPsec tunnel between OpenSwan 2.0 and a Fritzbox 3270.

Here are my configs:

Fritzbox-VPN.cfg

// Fritzbox side of the site-to-site IPsec tunnel; the peer is the Openswan host
// whose /etc/ipsec.conf is shown below. Placeholders in CAPITALS must be replaced.
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "ANY-NAME";
                always_renew = yes;
                // NOTE(review): the name suggests that with "no", traffic to the remote
                // LAN is not dropped while the tunnel is down (cleartext fallback).
                // Confirm against the firmware docs and prefer "yes" if that is unwanted.
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip =  PUBLIC IP ADRESS OF OPENSWAN SERVER;
                remote_virtualip = 0.0.0.0;
                // Our IKE identity; the Openswan side matches it with rightid=@FQDN.
                localid {
                        fqdn = "FQDN (in my case DYNS) OF FRITZBOX";
                }
                // NOTE(review): the key is "ipaddr" but holds an FQDN, while the Openswan
                // side presents leftid=@FQDN. Reported working by the author; if the log
                // shows an ID mismatch, check whether the firmware expects "fqdn" here.
                remoteid {
                        ipaddr = "FQDN (in my case DYNS) OF OPENSWAN SERVER (Nethserver)";
                }
                // Aggressive mode combined with a pre-shared key exposes material that
                // allows offline guessing of the key, so "key" below must be long and random.
                mode = phase1_mode_aggressive;
                // Accepts any phase-1 cipher/hash/DH proposal; the effective proposal is
                // therefore whatever the Openswan ike= line allows (aes256-sha1;modp1024).
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                // Must be identical to the entry in /etc/ipsec.secrets on the Openswan host.
                key = "RANDOM PRE SHARED KEY";
                cert_do_server_auth = no;
                // NAT-T on both sides (nat_traversal=yes in ipsec.conf).
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.179.0;			//LOCAL IPADRESS OF FRITZBOX LAN
                                mask = 255.255.255.0;			//LOCAL SUBNETMASK OF FRITZBOX LAN
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.177.0;			//LOCAL IPADRESS OF OPENSWAN LAN
                                mask = 255.255.255.0;			//LOCAL SUBNETMASK OF OPENSWAN LAN
                        }
                }
                // Phase-2 proposals with PFS. "3des" is a legacy cipher listed for
                // compatibility; consider removing it once aes256 negotiates reliably.
                phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        }
        // IKE (UDP 500) and NAT-T (UDP 4500), the same ports Openswan listens on.
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

/etc/ipsec.conf

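config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # NAT-T on both sides (use_nat_t = yes on the Fritzbox).
        nat_traversal=yes
        # Private ranges a NAT-traversal peer may present. Each entry is a plain
        # CIDR: the original had a stray "." before "/24" in both entries
        # ("192.168.179.0./24"), which is not a valid network.
        virtual_private=%v4:192.168.179.0/24,%v4:192.168.177.0/24
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=

conn Site-to-Site
        # Pre-shared key; the key lives in /etc/ipsec.secrets and must be the
        # same value as "key" in the Fritzbox config.
        authby=secret
        # auto=add only loads the conn; with right=%any this host is the
        # responder and the Fritzbox initiates.
        auto=add
        type=tunnel
        # Aggressive mode is what the Fritzbox offers (phase1_mode_aggressive).
        # With PSK auth it exposes material for offline guessing of the key,
        # so the PSK must be long and random.
        aggrmode=yes
        left=PUBLIC IP ADRESS OF OPENSWAN SERVER
        leftid= FQDN OF OPENSWAN SERVER (IMPORTANT: put a @ in front of it. Example: @my.dyndns.com)
        leftnexthop=%defaultroute
        leftsourceip=LOCAL IP ADRESS AT OPENSWAN LAN
        leftsubnet=192.168.177.0/24
        right=%any
        rightsubnet=192.168.179.0/24
        # Must match localid { fqdn = ... } on the Fritzbox.
        rightid=FQDN OF FRITZBOX (IMPORTANT: put a @ in front of it. Example: @my.dyndns.com)
        # DH group modp1024 (group 2) is weak by current standards; the Fritzbox
        # accepts any proposal (phase1ss = "all/all/all"), so modp2048 should be
        # tried here and in phase2alg if the firmware negotiates it.
        ike=aes256-sha1;modp1024
        phase2=esp
        phase2alg=aes256-sha1;modp1024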

Finally, make sure /etc/ipsec.secrets is correct (it must contain the same pre-shared key as the Fritzbox `key` value).
You also have to check /etc/sysctl.conf:

net.ipv4.ip_forward = 1
