Hi folks, I have been playing with my RUT for days now to get it to work with the Fritz!Box in a site-to-site VPN. So here is the config that does work for me with
RUT950 Legacy Firmware 6.9.2 (legacy firmware!)
Fritz!Box 7590 Firmware 7.29
Both Firmwares are up to date as of right now, that is October 12th 2022.
For the Fritz!Box you need a config file; I'll post a copy of my working file at the end. Also mind the hints at the very end.
For the RUT950 you need to do the following:
- Create a new IPsec tunnel. Go to "Services - VPN - IPsec", enter a name in the add field that lets you associate this specific tunnel, and click "add".
- After reloading, go further down to pre-shared key, enter your secret for the connection and the dDNS name of the Fritz!Box as ID selector, and click save. (Ignore the Teltonika bubble help that tells you IKEv1 can only handle an IP and no FQDN as ID selector; it works with FQDNs (including dDNS FQDNs) just fine. Awesome performance, Teltonika, and many thanks for that wasted day of my life.)
- In the IPsec config section click on edit and on the next page do this from top to bottom:
- activate "enabled"
- IKE version is "V1"
- Mode is "Aggressive" (with FQDN identities and a pre-shared key, IKEv1 needs aggressive mode; be aware that aggressive mode sends the identities and the PSK-derived hash unencrypted, so an eavesdropper can run an offline dictionary attack on the secret: use a long, random PSK)
- Type is "tunnel"
- local IP is the IP range your RUT DHCP is providing, for example 192.168.1.0/24
- on startup "start"
- my identifier is your RUT dDNS FQDN (in my case it is "rut950.my.domain")
- activate "left firewall", "force encapsulation" and "dead peer detection" (with its stock settings of 30-150 seconds)
- authentication type is "preshared key"
- XAuth and compatibility boxes are unchecked
- remote VPN endpoint is the dDNS FQDN of the Fritz!Box
- remote identifier is empty
- remote IP address is the internal IP range of the Fritz!Box, in my case 10.101.111.0/24 (watch out, it's not the router's IP address, it does not end with .1! This is the network range; it usually ends with .0/24, where /24 stands for the netmask 255.255.255.0, but there are exceptions to this)
- check right firewall
- no passthrough
- activate keepalive and set the IP of the Fritz!Box as the destination. Ping at least once an hour or the Fritz!Box drops the connection. I have 1800 (half an hour).
- and if you like to access the RUT web UI from the Fritz!Box side, check that too.
So far so good; aside from the aggressive mode this was as straightforward as is possible in this combination.
Now come the important parts:
- For Phase 1
- AES256
- SHA512
- MODP2048
- 6 hours
- For Phase 2
And here comes the config file for the Fritz!Box. Here the important part is also to specify the same stuff as in Phase 1 and 2 on the RUT.
You could just create the cfg file with the Fritz!Fernzugang app and then you have to change 2 lines: "phase1ss" and "phase2ss".
Or take this file and change the FQDNs and network ranges, whatever seems easier to you. I hate that I have to install that AVM crap; it could be a portable or web-UI-based thing, but no, not with AVM. Boy, will I be happy when I have moved all my networking stuff to UniFi hardware.
*** marks a comment: on those lines you need to delete everything after the ";", the Fritz!Box can't handle *** comments.
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "rut950.my.domain"; *** change to a name that tells you which tunnel it is, I use the dyndns name of the RUT
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "rut950.my.domain"; *** change to the IP or dyndns name of the RUT
        localid {
            fqdn = "fb.my.domain"; *** change to the IP or dyndns name of the Fritz!Box
        }
        remoteid {
            fqdn = "rut950.my.domain"; *** change to the IP or dyndns name of the RUT
        }
        mode = phase1_mode_aggressive;
        phase1ss = "dh14/aes/sha";
        keytype = connkeytype_pre_shared;
        key = "PutYourVpnSecretHereAndMakeItLong_e.g.#This.Is.A.Good.Example.Of.A.Secret!"; *** change to your tunnel password
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 10.101.111.0; *** change to the local IP range of the Fritz!Box, usually ends with .0
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.1.0; *** change to the local IP range of the RUT, usually ends with .0
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        accesslist = "permit ip any 192.168.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Hints:
Don't forget the last "}" in the config file.
I have a changing external IP on the RUT side, in itself no issue, but it's behind a NAT with no way of having the Fritz!Box initiate the tunnel through that NAT, as I can't have ports open on this one; hence I have keepalive active on the RUT side and inactive on the Fritz!Box side. Change as is necessary for your application! If you activate keepalive on both sides, you are likely to run into connection trouble; why ever, but 2 Fritz!Boxes in site-to-site with keepalive active on both sides will drop the VPN every other minute or so. So I usually run the keepalive for the tunnel from the more "unstable" or, in this case, the not reachable side. Since dDNS updates take time to spread through the DNS grid, and the stable side still has the same IP, the tunnel will be back online as soon as the unstable side is online too, no need to wait for the dDNS update to spread.
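As an added example (my own script, not part of the original post and not AVM or Teltonika code), here is a small Python program that writes a Fritz!Box vpn.cfg in the shape of the file above from the two FQDNs, the two LAN ranges and the PSK, and checks the things the post warns about: it rejects a router address like 10.101.111.1/24 where the network address (.0) is needed, it refuses overlapping LANs, it generates a long random PSK (aggressive-mode IKEv1 exposes the PSK-derived hash to offline guessing, so the secret must be strong), and it flags leftover text after ";" and a missing closing "}". The phase1ss/phase2ss strings are the ones from the post; the FQDNs and subnets used in the usage are the post's placeholders.

```python
import ipaddress
import secrets
import string

# Proposal strings exactly as in the post; keep them in sync with the RUT's Phase 1/2.
PHASE1SS = "dh14/aes/sha"
PHASE2SS = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs"

def gen_psk(length=40):
    # IKEv1 aggressive mode sends the PSK-derived hash unencrypted, so the
    # secret must be long and random; anything guessable is crackable offline.
    alphabet = string.ascii_letters + string.digits + "._-!#"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def network(cidr):
    # strict=True rejects host addresses such as 10.101.111.1/24: the ipnet
    # blocks need the network address (the ".0"), not the router's own IP.
    return ipaddress.ip_network(cidr, strict=True)

def check_vpncfg(text):
    # The two mistakes the hints warn about: text after a ';' (a left-over
    # *** comment) and unbalanced braces (the final '}' is easy to forget).
    problems, depth = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        if ";" in line and line.split(";", 1)[1].strip():
            problems.append(f"line {n}: text after ';'")
        depth += line.count("{") - line.count("}")
        if depth < 0:
            problems.append(f"line {n}: unmatched '}}'")
    if depth > 0:
        problems.append(f"{depth} unclosed '{{'")
    return problems

def build_vpncfg(fb_fqdn, rut_fqdn, fb_lan, rut_lan, psk):
    fb_net, rut_net = network(fb_lan), network(rut_lan)
    if fb_net.overlaps(rut_net):
        raise ValueError("the two LANs overlap; site-to-site routing cannot work")
    if len(psk) < 20 or '"' in psk or ";" in psk:
        raise ValueError("PSK must be at least 20 chars and contain no '\"' or ';'")
    # The RUT LAN is the remote side from the Fritz!Box's view: phase2remoteid and accesslist.
    return f"""vpncfg {{
    connections {{
        enabled = yes;
        conn_type = conntype_lan;
        name = "{rut_fqdn}";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "{rut_fqdn}";
        localid {{
            fqdn = "{fb_fqdn}";
        }}
        remoteid {{
            fqdn = "{rut_fqdn}";
        }}
        mode = phase1_mode_aggressive;
        phase1ss = "{PHASE1SS}";
        keytype = connkeytype_pre_shared;
        key = "{psk}";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {{
            ipnet {{
                ipaddr = {fb_net.network_address};
                mask = {fb_net.netmask};
            }}
        }}
        phase2remoteid {{
            ipnet {{
                ipaddr = {rut_net.network_address};
                mask = {rut_net.netmask};
            }}
        }}
        phase2ss = "{PHASE2SS}";
        accesslist = "permit ip any {rut_net.network_address} {rut_net.netmask}";
    }}
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}}
"""

if __name__ == "__main__":
    # Placeholders from the post; substitute your own FQDNs and LAN ranges.
    cfg = build_vpncfg("fb.my.domain", "rut950.my.domain",
                       "10.101.111.0/24", "192.168.1.0/24", gen_psk())
    print(cfg)
```

Save the printed text as vpn.cfg and import it on the Fritz!Box; run check_vpncfg on any hand-edited copy before importing, since the box gives little feedback on a malformed file. The generated key is the one to paste into the RUT's pre-shared key field.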
Have fun!
On a side note: I'm for sure not the first who struggles with that, and I am very disappointed with Teltonika for the really crappy documentation in their software, wiki etc., and also a bit about the unsupportive community here. Folks find solutions, but don't update their help requests in here.
Cheers, Manne