So after some research and testing I found this manual in German:
https://elcravo-networks.eu/security-tipps/details/ipsec-vpn-zwischen-openswan-und-einer-fritz-box-unter-centos-6/
So I had to configure the Openswan server manually.
This is what my ipsec.conf looks like:
```
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.179.0./24,%v4:192.168.177.0./24
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=

conn Site-to-Site
    authby=secret
    auto=add
    type=tunnel
    aggrmode=yes
    left=<mypublicip>
    leftid=<myfqdn>
    leftnexthop=%defaultroute
    leftsourceip=192.168.177.21
    leftsubnet=192.168.177.0/24
    right=%any
    rightsubnet=192.168.179.0/24
    rightid=<the fqdn of the Fritzbox>
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
```
And this is what my Fritzbox config looks like:
```
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "myhome";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = my public ip address;
        remote_virtualip = 0.0.0.0;
        remotehostname = "my fqdn";
        localid {
            fqdn = "fqdn Fritzbox";
        }
        remoteid {
            ipaddr = "my public ip address";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "SecretKEY";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.179.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.177.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.177.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
```
After restarting the Openswan server, /var/log/ipsec.log shows this:
```
Sep 20 13:10:08 NET01 pluto[19646]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:19646
Sep 20 13:10:08 NET01 pluto[19646]: core dump dir: /var/run/pluto
Sep 20 13:10:08 NET01 pluto[19646]: secrets file: /etc/ipsec.secrets
Sep 20 13:10:08 NET01 pluto[19646]: leak-detective disabled
Sep 20 13:10:08 NET01 pluto[19646]: NSS crypto [enabled]
Sep 20 13:10:08 NET01 pluto[19646]: XAUTH PAM support [enabled]
Sep 20 13:10:08 NET01 pluto[19646]: NAT-Traversal support [enabled]
Sep 20 13:10:08 NET01 pluto[19646]: virtual-private entry not proper subnet: extra garbage on end of dotted-decimal address
Sep 20 13:10:08 NET01 pluto[19646]: virtual-private entry not proper subnet: extra garbage on end of dotted-decimal address
Sep 20 13:10:08 NET01 pluto[19646]: 2 bad entries in virtual-private - none loaded
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Sep 20 13:10:08 NET01 pluto[19646]: starting up 1 crypto helpers
Sep 20 13:10:08 NET01 pluto[19646]: started thread for crypto helper 0 (master fd 10)
Sep 20 13:10:08 NET01 pluto[19646]: Using Linux XFRM/NETKEY IPsec interface code on 2.6.32-642.4.2.el6.x86_64
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Sep 20 13:10:08 NET01 pluto[19646]: | selinux support is NOT enabled.
Sep 20 13:10:09 NET01 pluto[19646]: | certificate not loaded for this end
Sep 20 13:10:09 NET01 pluto[19646]: | certificate not loaded for this end
Sep 20 13:10:09 NET01 pluto[19646]: added connection description "Site-to-Site"
Sep 20 13:10:09 NET01 pluto[19646]: listening for IKE messages
Sep 20 13:10:09 NET01 pluto[19646]: adding interface tun0/tun0 10.1.1.1:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface tun0/tun0 10.1.1.1:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 192.168.177.5:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 192.168.177.5:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 130.255.120.228:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 130.255.120.228:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface eth0/eth0 192.168.177.6:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface eth0/eth0 192.168.177.6:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo 127.0.0.1:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo 127.0.0.1:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo ::1:500
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:500 fd 28
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:4500 fd 27
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:500 fd 26
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface eth0:4500 fd 25
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface eth0:500 fd 24
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:4500 fd 23
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:500 fd 22
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:4500 fd 21
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:500 fd 20
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface tun0:4500 fd 19
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface tun0:500 fd 18
Sep 20 13:10:09 NET01 pluto[19646]: loading secrets from "/etc/ipsec.secrets"
Sep 20 13:10:09 NET01 pluto[19646]: loaded private key for keyid: PPK_RSA:AwEAAbXa6
Sep 21 02:52:59 NET01 pluto[19646]: packet from 216.218.206.114:23152: initial Main Mode message received on 130.255.120.228:500 but no connection has been authorized with policy IKEV1_ALLOW
Sep 21 04:21:50 NET01 pluto[19646]: packet from 184.105.139.67:8470: initial Main Mode message received on 130.255.120.228:500 but no connection has been authorized with policy IKEV1_ALLOW
```
The Fritzbox tries to bring up the tunnel, but it always ends with a timeout error: IKE-Error 0x2027
Any ideas?
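Added example, not code from the post or from Libreswan: a small pre-flight lint that pulls `virtual_private` out of an ipsec.conf and validates every entry with Python's `ipaddress` module, so a malformed subnet like the ones pluto rejects above ("virtual-private entry not proper subnet ... 2 bad entries in virtual-private - none loaded") is caught before the daemon is restarted. The sample config is constructed from the post's `config setup` section; the `%v4:!10.0.0.0/8` exclusion entry is added only to show that negated entries are handled too.

```python
import ipaddress
import re

# Constructed sample, modelled on the post: both virtual_private entries carry the
# trailing dot that pluto logs as "extra garbage on end of dotted-decimal address".
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.179.0./24,%v4:192.168.177.0./24,%v4:!10.0.0.0/8
    oe=off
conn Site-to-Site
    authby=secret
    rightsubnet=192.168.179.0/24
"""

def virtual_private_entries(conf_text):
    """Return the comma-separated virtual_private entries found in 'config setup'."""
    in_setup = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if re.match(r"^(config|conn)\s", line):  # section header: track which one we are in
            in_setup = line.startswith("config setup")
            continue
        if in_setup and line.startswith("virtual_private="):
            value = line.split("=", 1)[1]
            return [e.strip() for e in value.split(",") if e.strip()]
    return []

def check_entry(entry):
    """Validate one entry of the form %v4:[!]net/prefix or %v6:[!]net/prefix.
    Returns (ok, reason); the reason for a bad entry mirrors what pluto would reject."""
    m = re.fullmatch(r"%(v4|v6):(!?)(.+)", entry)
    if not m:
        return False, "missing %v4:/%v6: prefix"
    family, _negated, net = m.groups()
    try:
        network = ipaddress.ip_network(net, strict=False)
    except ValueError as exc:                    # e.g. "192.168.179.0./24" has 5 octets
        return False, f"not a proper subnet: {exc}"
    if (family == "v4") != (network.version == 4):
        return False, "address family does not match %v4/%v6 prefix"
    return True, "ok"

def lint(conf_text):
    """Map every virtual_private entry to its (ok, reason) verdict."""
    return {e: check_entry(e) for e in virtual_private_entries(conf_text)}

def bad_entries(conf_text):
    """Entries pluto would refuse to load; a non-empty list means 'none loaded'."""
    return [e for e, (ok, _) in lint(conf_text).items() if not ok]
```

Run `bad_entries(open("/etc/ipsec.conf").read())` on the real file; an empty list means every entry parses.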