[Solved] - IPsec S2S with FritzBox

Hi. I'm trying to establish a connection between Sophos XG and a FritzBox 7360, but I'm facing issues.

Was anyone able to make it work? Here are some details:

CONFIG ON FRITZ BOX:

vpncfg {
        connections {
                enabled = yes;
                editable = yes;
                conn_type = conntype_lan;
                name = "212.xx.xx.xx";
                boxuser_id = 0;
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 212.xx.xx.xx;
                remote_virtualip = 0.0.0.0;
                keepalive_ip = 192.168.179.2;
                localid {
                        fqdn = "This was some encoded thing";
                }
                remoteid {
                        ipaddr = 212.xx.xx.xx;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "MY_PSK";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.179.1;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.179.1 255.255.255.0";
                app_id = 0;
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Errors from the log on Sophos:

Couldn't parse IKE header from XXX.XXX.XXX.XXX[55443]. Check the debug logs.

FritzBox_IPsecS2S - Remote gateway didn't respond to the initial message 0. Check if the remote gateway is reachable. (Remote: XX.XX.XX.XX)

FritzBox_IPsecS2S_Egid-1 - IKE message (AC004800) retransmission to XX.XX.XX.XX timed out. Check if the remote gateway is reachable. (Remote: XX.XX.XX.XX)

Below is what I chose on the FritzBox (type of VPN):

SOPHOS SITE:



  • I have been working on it a long, long time to figure out "what the heck is going on with this *hity FritzBox device", so below are the settings that are working 100% for me.
    For instance:
    My goal was to connect my Sophos XG_EAP-v19 (Poland) to a FritzBox_7360_Firmware-7.68 (Germany)
    Poland - 192.168.2.0/24
    Germany - 192.168.178.0/24
    Both have a public IP, but one uses DDNS because its public IP changes.
    So for the FritzBox: log in to your device, then INTERNET -> Shares -> VPN -> Add a VPN connection;

    For the SOPHOS SITE:

    First you must create an Encryption Profile (IPsec Profile):

    NEXT, the IPsec settings for a connection:

    NEXT: FIREWALL RULES THAT ALLOW THE TRAFFIC, and last the static routing, but it must be set up only on Sophos - Fritz does it automatically:

    Log in via SSH, go to the device console and then add the route manually:

        system ipsec_route add net 192.168.12.0/255.255.255.0 tunnelname YourTunnelName

    Use the Tab key to help yourself, or the question mark ;)

    In the end I can say that IPsec on the FritzBox is very weak. Look what DH is used... but what can we do sometimes ;D

    These threads have been helpful:

    https://community.sophos.com/sophos-xg-firewall/f/discussions/130973/site-to-site-ipsec-sophos-xg---fritzbox-7590

    ##Static Routing:
    https://community.sophos.com/sophos-xg-firewall/f/discussions/92867/ipsec-site-to-site-vpn-connects-but-no-traffic-passes

    and a few more, good luck ;)

    On the manufacturer's site I found information where only one was proper (DH group 2). The others didn't work

    en.avm.de/.../
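The "Couldn't parse IKE header" and retransmission-timeout lines in the first post, and the reply's remark that the FritzBox side is weak, both hinge on what the responder reads from the first 28 bytes of an IKE datagram. The script below is an added example written for this page; it is not code from the thread, from Sophos or from AVM. It parses the fixed ISAKMP header (RFC 2408, the same layout IKEv2 reuses in RFC 7296) the way a responder on UDP 500 or 4500 would, including the RFC 3948 Non-ESP marker that NAT-T prepends on port 4500, names the exchange (IKEv1 main or aggressive mode, IKEv2 IKE_SA_INIT) and lists what an IKEv1 aggressive-mode PSK exchange, as configured on the FritzBox above, exposes on the wire. Every datagram is constructed inside the script; `parse_ike_header`, `assess`, `build_ike_datagram` and `describe` are names chosen here, not Sophos or AVM APIs.

```python
"""Parse and classify the fixed ISAKMP/IKE header of a UDP datagram.

Added example for this page, not code from the thread, Sophos or AVM.
Header layout: RFC 2408 s.3.1 (IKEv1), reused by IKEv2 (RFC 7296 s.3.1);
Non-ESP marker on UDP 4500: RFC 3948 s.2.2.  All datagrams below are
constructed here, not captured from the poster's FritzBox.
"""
import struct
from dataclasses import dataclass

HDR = struct.Struct("!8s8sBBBBII")     # 28-byte fixed header, network byte order
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # on UDP 4500, IKE is prefixed with 4 zero bytes
PAYLOAD_SA = 1                         # Next Payload value for a Security Association payload
IKEV1_XCHG = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
IKEV2_XCHG = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    exchange_type: int
    flags: int
    message_id: int
    length: int
    nat_t: bool            # True when the datagram carried the Non-ESP marker

    @property
    def exchange_name(self) -> str:
        table = IKEV1_XCHG if self.major == 1 else IKEV2_XCHG
        return f"IKEv{self.major} {table[self.exchange_type]}"


def parse_ike_header(datagram: bytes, dst_port: int) -> IkeHeader:
    """Parse as a responder listening on dst_port would; the ValueError text is
    the reason a gateway would summarise as 'couldn't parse IKE header'."""
    offset, nat_t = 0, False
    if dst_port == 4500:
        # ESP and IKE share port 4500: IKE starts with four zero bytes, ESP
        # carries its non-zero SPI in the same position.
        if datagram[:4] != NON_ESP_MARKER:
            raise ValueError("no Non-ESP marker on UDP/4500 (ESP or junk, not IKE)")
        offset, nat_t = 4, True
    elif dst_port != 500:
        raise ValueError(f"IKE is not expected on UDP/{dst_port}")
    body = datagram[offset:]
    if len(body) < HDR.size:
        raise ValueError(f"truncated header: {len(body)} bytes, need {HDR.size}")
    i_spi, r_spi, nxt, ver, xchg, flags, msg_id, length = HDR.unpack_from(body)
    major, minor = ver >> 4, ver & 0x0F
    table = {1: IKEV1_XCHG, 2: IKEV2_XCHG}.get(major)
    if table is None or xchg not in table:
        raise ValueError(f"unknown IKE version {major}.{minor} / exchange type {xchg}")
    if length != len(body):
        raise ValueError(f"length field {length} != {len(body)} bytes received")
    return IkeHeader(i_spi, r_spi, nxt, major, xchg, flags, msg_id, length, nat_t)


def assess(hdr: IkeHeader) -> list[str]:
    """Security-relevant observations a reviewer would want next to the log line."""
    notes = []
    if hdr.major == 1 and hdr.exchange_type == 4:
        notes.append("IKEv1 aggressive mode: IDs are sent in the clear and the PSK-based "
                     "HASH_R is unencrypted, so a captured exchange can be cracked offline")
    if hdr.nat_t:
        notes.append("NAT-T framing: peer is behind NAT, so its source port need not be 500")
    if hdr.major == 1 and hdr.responder_spi == bytes(8):
        notes.append("responder cookie is zero: this is the initiator's first message")
    return notes


def build_ike_datagram(exchange_type: int, payloads: bytes, *, nat_t: bool = False,
                       major: int = 1) -> bytes:
    """Constructed test vector: an initiator's first message (responder SPI and message ID zero)."""
    hdr = HDR.pack(bytes(range(1, 9)), bytes(8), PAYLOAD_SA, major << 4, exchange_type,
                   0, 0, HDR.size + len(payloads))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + payloads


def describe(datagram: bytes, dst_port: int) -> str:
    try:
        hdr = parse_ike_header(datagram, dst_port)
    except ValueError as exc:
        return f"couldn't parse IKE header: {exc}"
    return "; ".join([hdr.exchange_name, *assess(hdr)])


# Constructed sample: aggressive-mode first message from a NAT-T peer, 40 bytes of dummy SA payload.
SAMPLE_AGGRESSIVE_NAT_T = build_ike_datagram(4, b"\x00" * 40, nat_t=True)

if __name__ == "__main__":
    print(describe(SAMPLE_AGGRESSIVE_NAT_T, 4500))   # parses: IKEv1 aggressive mode; ...
    print(describe(SAMPLE_AGGRESSIVE_NAT_T, 500))    # marker read as header: version 0.0, rejected
```

Only the fixed header is parsed here; the proposals (and therefore the DH group the reply complains about) live in the SA payload that follows it. The second `describe` call shows one way a responder ends up with an unparseable header: the same bytes delivered to port 500 make the four-byte Non-ESP marker look like the start of the cookie, so the version field reads 0.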
