IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

Der Titel sagt eigentlich schon alles: Es geht um das Herstellen eines S2S-Tunnels zwischen einem Cisco Router (statische IPv4) und einer FRITZ!Box (dynamische IP). Ich liste nachfolgend alle Befehle für den IOS Router sowie die Konfigurationsdatei für die FRITZ!Box auf. Für eine etwas detaillierte Beschreibung des VPNs für die FRITZ!Box verweise ich auf diesen Artikel von mir, bei dem ich zwar ein VPN zu einem anderen Produkt hergestellt habe, aber etwas mehr auf die Schritte der Konfiguration eingegangen bin.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

Labor

Getestet habe ich die Schose mit einer FRITZ!Box 7270 (FRITZ!OS 05.54) und einem Cisco Router 2621 (12.3(26)). Der Laboraufbau sah dabei folgendermaßen aus:

S2S VPN Cisco Router - FritzBox Laboratory

Cisco Router

Der Cisco Router wird mit nachfolgenden Befehlen konfiguriert. Man achte auf die “crypto dynamic-map dynmap01 …” auf welche in der “crypto map map01 …” referenziert wird. Dem outside Interface wird letztendlich die “crypto map map01” zugewiesen.

Außerdem scheint es mehrere funktionierende Lösungen für dieses VPN zur FRITZ!Box zu geben. Im Internet findet man Konfigurationen, die zum Beispiel beim “crypto isakmp key …” mit “address 0.0.0.0 0.0.0.0” anstatt des von mir vorgeschlagenen “hostname xyz” arbeiten. Auch verwende ich kein “isakmp profile”. Sprich: Meine Methode hier funktioniert, aber es gibt auch andere. ;)

 

FRITZ!Box

Die anzupassenden FRITZ!Box VPN-Einstellungen sehen so aus:

Läuft

Wie man in der FRITZ!Box schön am grünen Bubble erkennen kann:

FB VPN-Verbindungen

Beim Cisco Router gibt es die folgenden Befehle, um die Status der einzelnen Security Associations herauszufinden:

 

Viel Erfolg! :)

14 thoughts on “IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

  1. Thank you for this valuable information. This is really good and hope to work perfect.
    Can you help me, how this configuration from Fritz! box will change if I have multiple subnets behind the cisco router.

    Or in other words
    phase2remoteid {
    ipnet {
    ipaddr = 192.168.141.0;
    mask = 255.255.255.0;
    }

    how can I add one more remote ip network 10.8.0.0/24 in the above configuration?

    1. Hi Shihab,
      oh, that’s a good question. I have not tested that yet. Probably this won’t work at all. I asked Google but found nothing.
      If your networks are contiguous you can increase the subnet mask, e.g., 10.0.0.0/16. Maybe that helps?
      I forwarded your question to AVM via Twitter. Maybe someone of them answers…

      1. Hi all,

        we had the same problem (and tried many different things), our solution was:

        The required networks have then to be set in the accesslist:

        In this config , the Fritzbox routes only the networks in the accesslist over the vpn connection, everything else will be handled normaly.

        1. Hi Patric,

          That configuration seems wonderful. Only thing odd is that, my asa has many more site to site tunnels terminated on it. So I will not be in a state to specify 0.0.0.0 0.0.0.0 on phase 2 for this fritz!.

          So in my case for example suppose fritz! is serving for 192.168.1.0 And I have
          say 172.30.0.0/24 and 10.0.0.0/24 behind the asa

          fritz! can have your configuration
          But ASA side, I will not be able to specify any any.
          So do you think the tunnel will ever form.
          My issue is that I dont have a test environment for this one. :-(

          1. Hi Shibab,

            the configuration of your phase1 and phase2 has to be the same on ASA and fritzbox.

            Why aren’t you able specify 0.0.0.0/0 on your ASA? Is there a network which should not be able to access the fritzbox network or the other way around?

            From the view of the ASA “0.0.0.0/0” is the local network, which means all traffic from the fritzbox network will be accepted and all traffic to the fritzbox network will be allowed. The vpn connection will not affect your other networks or connections.

            For your issue: make sure the localid-fqdn in your fritzbox config and the connection name in your ASA are the same. The localid-fqdn does not has to be a real fqdn – the ASA does not resolve it. We are using the names of our homeoffice employees (forename.surname) :-)

      2. This works fine if you add a static route on the Fritzbox for that network with next hop gateway ip LAN IP Cisco.
        Extend the access list in the FB config for that network:
        accesslist = “permit ip any 192.168.141.0 255.255.255.0”,
        accesslist = “permit ip any 10.0.0.0 255.255.0.0”;
        Be aware of comma and semicolon in the config file !
        Also check this url
        http://avm.de/service/vpn/praxis-tipps/ueber-vpn-verbindung-zwischen-zwei-fritzboxen-auf-mehrere-ip-netzwerke-hinter-einer-fritzbox-zugreifen/

  2. Patric,
    that is the problem. You are specifying any to any in the tunnel specific to fritz! vpn. Now what will happen to the internet traffic for users behind the ASA? What will happen to other vpn network traffic behind ASA. As per the configuration every traffic from behind ASA is an interesting traffic towards the fritz! tunnel, correct?

  3. Thanks Patric,

    I took a chance and that worked. Thanks a lot for the idea and thank you Weber for this blog.

  4. Hey, ich habe einige Zeit nach einer guten Anleitung für eine CISCO – Fritzbox VPN gesucht. Danke!

    Unter Umständen müssen noch NAT Regeln erstellt werden.

  5. Hi,

    Is’s look like a good article.

    I need one side permanent VPN connection from Fritz!box to company’s network so It is working only with the one subnetwork which i’m writing in required field. So will this work if I will write 0.0.0.0/0 in “IP network of the company’s VPN:” field and then add access list in Fritz configuration file?

      1. Hey Johannes. Thank you for you answer. Maybe you have any idea how to solve that problem. In the cisco router the IP routing is configured so for example the VPN configured in my iPhone is working correctly. But as I understood Fritz!Box accessing only to subnetwork which is written in “IP network of the company’s VPN:” field.

        1. Hey Nick. Of course, you can just test it. (Maybe only if you have physical access to the Fritzbox in case it is not working anymore…)

          If it’s not working and you still have to implement that scenario, you have to look for a more enterprise-like router. While the Fritzbox is a profound device, it’s still only a home router, not an enterprise router, unfortunately.

Leave a Reply to Sebastian Hohmann Cancel reply

Your email address will not be published. Required fields are marked *