subscribe to our Youtube


14455 questions

17168 answers


0 members

We are migrating to our new platform at Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
+1 vote
1,284 views 2 comments
by anonymous

Hi Folks, I have been playing with my RUT now for days to get it to work with the Fritzbox in Site-to-Site VPN. So here is the config that does work for me with

RUT950 Legacy Firmware 6.9.2 (legacy firmware!)

Fritz!Box 7590 Firmware 7.29

Both Firmwares are up to date as of right now, that is October 12th 2022.

for the Fritzbox you need a config file, Ill post a copy of my working file at the end. Also mind the hints at the very end.

for the RUT950 you need to do the following.

  • Create new IPSec tunnel. Go to "Services-VPN-IPSec" and enter a name in to the add field that you yourself can assosiate this specivic tunnel with and klick "add"
  • after reloading go further down to pre-shared-key and enter your secret for the connection and the ddns name of the fritzbox for ID selector and click save. (ignore the Teltonika bubble help that tells you IKEv1 can only handle IP and no FQDN as ID selector, it works with FQDNs  (including dDNS FQDN) just fine, awesome performance Teltonika and many thanks for that wasted day in my life)
  • In the IPSec Config section click on edit and on the next page do this from top to bottom:
  • activate "enabled"
  • IKE version is "V1"
  • Mode is "Aggressive"
  • Type is "tunnel"
  • local IP is the IP ragen your RUT DHCP is providing for example
  • on startup "start"
  • my identifier is your RUT ddns FQDN (in my case it is "")
  • activate "left firewall" "force encapsulation" and "dead peer dedetcion (with its stock settings of 30-150seconds)"
  • authentification typ is "preshared key"
  • xauth and combatibility boxes are unchecked
  • remote VPN enpoint is the dDNS FQDN of the FritzBox
  • remote identifier is empty
  • remote IP adress is the internal IP range of the FritzBox, in my case (watch out, its not the routers IP address, it does not end with .1! This is the network range, it usually ends with .0/24 where the /24 stands for, but there are expetions to this)
  • check right firewall
  • no passthrough
  • activate keepalive and set the ip of the fritzbox as the destination. ping at least once a hour or fritzbox drops the conection. I have 1800 (half an hour)
  • and if you like to access the RUT web UI form the Fritbox site, check that too.

So far so good, asside from the aggressive mode this was as stragiht forward as is possible in this combination.

now comes the important parts:

  • For Phase 1
    • AES256
    • SHA512
    • MODP2048
    • 6 hours
  • For Phase 2

And here comes the config file for the FritzBox. Here the important part is also to specify the same stuff as in Phase 1 and 2 in the RUT.

You could just create the cfg file by Fritz.Fernzugang app and then you have to change 2 lines: "phase1ss" and "phase2ss"

Or take this file and change the FQDNs and Networkranges. What ever seams easier to you. I hate that I have to install that AVM crap, it coud be a protable or web ui based thing, but no, not with AVM. Boy will I be happy when I have moved all my networking stuff to UNIFI hardware.

***is a coment, you need to delete everything behind the ";" Fritzbox cant handle ***coments

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "";   ***change to a name to you kow its the tunne, I use the dyndns name of RUT
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip =;
                local_virtualip =;
                remoteip =;
                remote_virtualip =;
                remotehostname = "";   ***change to IP or dyndns name of RUT
                localid {
                        fqdn = "";   ***change to IP or dyndns name of FritzBox
                remoteid {
                        fqdn = "";   ***change to IP or dyndns name of RUT
                mode = phase1_mode_aggressive;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "PutYourVpnSecretHereAndMakeItLong_e.g.#This.Is.A.Good.Example.Of.A.Secret!";   ***change to your tunnel password
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr =;   ***change to local IP range of FritzBox, usually ends with .0
                                mask =;
                phase2remoteid {
                        ipnet {
                                ipaddr =;   ***change to local IP range of RUT, usually ends with .0
                                mask =;
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any";
        ike_forward_rules = "udp",


Dont forget to last "}" in the config file.

I have a changing external IP on the RUT side, in itself no issue, but its behind a NAT with no way of having the FritBox initiate the tunnel throuhg that NAT as I cant have Ports open on this one, hence  I have keepalive active on the RUT side and inactive on the FritzBox side. Change as is nessesarry for your application! If you acitvate both sides keepalaive, you are likely to run into conection trouble, why ever, but 2 Fritten in site2site with both sides active keepalaive will drop the VPN every other minute or so. So I usually run the keepalaive for the tunnel from the more "unstable" or in this case the not reachable side. Since ddns updates take time to spread through the DNS grid, and the stable side has still the same ip, the tunnel will be back online as soon as the unstable side is online too, no need to wait for dDNS update to spread.

Have FUN

On a side note. Im for sure not the first who struggles with that and Im am very disapointed with Teltonika for the really crappy documentiation in their sofware and wiki etc. and also a bit about the unsuportive comunity here. Folks find solutions, but dont update their help requests in here.

Cheers Manne

by anonymous
Beep. my post above is the solution to this often asked question
by anonymous

And some more information.

If you get the famous IKE timeout error 0x2027 like m yself with RUT and Fritbox.

Right now I run my RUT on a wifi uplink to what ever internet via wifi I can get where that RUT is at that moment. And if thats not working we fall back to cellular network, but I try to avoid that.

I had that 0x2027 IKE error in the log and dropouts in a video feed I was watching from a survilance cam back at home that keped droping out once in a while. So I startet pinging with printed timestamps (windos powershell command

'ping.exe -t hostename|Foreach{"{0} - {1}" -f (Get-Date),$_}'

in the output in all directions to see how long a drop out would last and just found during a recent dropout this in the RUT log file

 Thu Oct 13 13:48:59 2022 daemon.notice wpa_supplicant[7703]: wlan0: WPA: Group rekeying completed with 5c:49:79:7e:1e:bf [GTK=CCMP]

and again with

Thu Oct 13 14:08:59 2022 daemon.notice wpa_supplicant[7424]: wlan0: WPA: Group rekeying completed with 5c:49:79:7e:1e:bf [GTK=CCMP]

It killed the uplink from my RUT to the wifi hotspot, for about 5 seconds, and hence the IPSec had a timout dropout but the IPSec did take considerably longer to reconnect again.

So how do I fix that, or make it so it wont happen every twenty minutes?

edit: there was a feedback form ZygimantasBliu to this issue, in the 7 firmware you can adjust the wpa rekeying intervall, in legacy 6 firmware, some cli ssh work is nessesary, and probably if you change a setting through the web UI the ssh cli changes are lost, I presume at least. I changed that, but still have dropping VPN conections. Ill keep on it. and report back. see here for the rekeying issue.


1 Answer

0 votes
by anonymous

Thank you for taking the time and effort to put these instructions and sharing them with the community. This is indeed very helpful and valuable information.

Hope you are having a good day.

Best regards,