As Fritzbox is commonly used, I think that this is of interest to a lot of people and therefore I hope to move this topic forward together as much as possible. Thanks in advance for your help.
I have a test setup here with Fritzbox 7490 R7.12 and RUT240 R1.12.3. I have configured an IPsec VPN on RUT240, trying to connect to the Fritzbox, where the IPsec VPN is already activated and successfully used via a smartphone. Params in RUT240 are: IKE1, Aggressive, Tunnel mode; My identifier is the username for XAuth authentication needed by Fritzbox; left and right firewall buttons are checked.
Looking at RUT240's syslog, I see that already the first UDP packet doesn't go through. The IPv6 address of the remote end of the IPsec tunnel is correct.
Tue Sep 15 14:23:45 2020 daemon.info ipsec: 13[IKE] peer not responding, trying again (10/0)
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[IKE] initiating Aggressive Mode IKE_SA BueroKde[1] to 2003:eb:47ff:1ac2:eadf:70ff:fec3:b11c
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[NET] sending packet: from ::[500] to 2003:eb:47ff:1ac2:eadf:70ff:xxxx:xxxx[500] (395 bytes)
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 04[NET] error writing to socket: Permission denied
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 14[NET] sending packet: from ::[500] to 2003:eb:47ff:1ac2:efdf:7aff:xxxx:xxxx[500] (395 bytes)
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 04[NET] error writing to socket: Permission denied
Tue Sep 15 14:23:57 2020 daemon.info ipsec: 15[IKE] sending retransmit 2 of request message ID 0, seq 1
Why does the first packet not go through? What does "Permission denied" mean in this context?
What I don't understand is:
a) I didn't have to enter the password for the XAuth functionality. How does RUT240 get to know this password then? When I create the IPsec VPN on my smartphone, I have to enter that password during initial setup on the smartphone, and then it seems to resend the initially configured username/password any time the VPN is established again.
b) The Web GUI allows entering the IPsec configuration and pre-shared keys in a different way than shown in the user manual. See here how RUT240 UI looks for me (enabled not checked to avoid constant retries):
How does RUT240 know that the Pre-shared Key at the bottom even belongs to BueroKde? In the manuals I've seen, the Pre-shared Key is always entered as part of the other parameters of the IPsec VPN. WebUI does not allow this here?!
Thanks in advance for your help.