FritzBox, vpnc, Debian, working connection

All things … well, not all things, but some do become well over time. One of these is connecting a Debian Wheezy box easily, via vpnc and therefore the AVM’s native VPN stuff, to a FritzBox.

It took its time, but finally (and I assume resolving Debian Bug #629646 has a lot to do with it) it’s really as easy as saying “Kindergarten” to connect a (current) Debian box to a FritzBox’ VPN.

And indeed, with version 0.5.3r512-2 of vpnc (available in Debian Wheezy) I was able to connect to my FB in Berlin with a really simple setup (see details later on); the only thing still annoying is the FritzBox’ behaviour of always returning the target system’s IP for every hop of a traceroute.

Before:

root@debian:~# traceroute ns.uu.net
traceroute to ns.uu.net (137.39.1.3), 30 hops max, 60 byte packets
 1  nslug-1.uu.org (192.168.5.245)  16.132 ms  16.000 ms  15.910 ms
 2  FB-VDSL-GTSO.uu.org (192.168.177.1)  15.830 ms  15.770 ms  15.698 ms
 3  87.186.224.81 (87.186.224.81)  34.046 ms  33.972 ms  33.900 ms
 4  87.190.172.202 (87.190.172.202)  33.847 ms  33.774 ms  33.722 ms
 5  217.239.37.106 (217.239.37.106)  128.593 ms  128.493 ms  128.421 ms
 6  194.25.211.18 (194.25.211.18)  128.326 ms  143.523 ms  143.411 ms
 7  0.xe-11-1-0.XL2.IAD5.ALTER.NET (152.63.43.102)  143.341 ms 0.xe-11-0-0.XL1.IAD5.ALTER.NET (152.63.43.105)  143.253 ms  147.532 ms
 8  GigabitEthernet6-1.GW3.IAD5.ALTER.NET (152.63.38.1)  147.475 ms GigabitEthernet7-0.GW3.IAD5.ALTER.NET (152.63.37.253)  127.918 ms GigabitEthernet6-1.GW3.IAD5.ALTER.NET (152.63.38.1)  141.464 ms
 9  pos5-0.soesr1.ash.ops.us.uu.net (207.18.173.162)  127.775 ms  141.332 ms  141.247 ms
10  gig1-0.esr-b-10-9-1.ash.ops.us.uu.net (198.5.240.35)  141.198 ms  122.707 ms  122.600 ms
11  ns.UU.NET (137.39.1.3)  126.903 ms  126.829 ms  136.261 ms

After:

root@debian:~# vpnc /etc/vpnc/default.conf 
VPNC started in background (pid: 13112)...
root@debian:~# traceroute ns.uu.net
traceroute to ns.uu.net (137.39.1.3), 30 hops max, 60 byte packets
 1  ns.UU.NET (137.39.1.3)  50.725 ms  51.678 ms  51.637 ms
 2  ns.UU.NET (137.39.1.3)  68.692 ms  68.570 ms  68.477 ms
 3  ns.UU.NET (137.39.1.3)  68.431 ms  68.249 ms  68.136 ms
 4  ns.UU.NET (137.39.1.3)  164.186 ms  159.378 ms  168.014 ms
 5  ns.UU.NET (137.39.1.3)  163.329 ms  167.487 ms  167.709 ms
 6  ns.UU.NET (137.39.1.3)  171.912 ms  182.836 ms  164.257 ms
 7  ns.UU.NET (137.39.1.3)  164.318 ms  164.384 ms  168.393 ms
 8  ns.UU.NET (137.39.1.3)  172.983 ms  172.704 ms  172.771 ms
 9  ns.UU.NET (137.39.1.3)  168.448 ms  164.495 ms  165.704 ms
10  ns.UU.NET (137.39.1.3)  165.347 ms  167.087 ms  166.876 ms

Environment: the FritzBox (could be any of 7270/7570/7360) in this example is running on 192.168.176.1/24 and has a dynamic DNS entry of fritzbox.dnydns.org; the file device-4-176.vpncfg was imported as a VPN configuration, and it defines 192.168.176.203 as the VPN client’s IP.

device-4-176.vpncfg (imported on the FritzBox):

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_user;
        name = "Device-No-4";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 192.168.176.203;
        remoteid {
            key_id = "TheGroupSecretID";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "TheGroupRealSecret";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        use_cfgmode = no;
        xauth {
            valid = yes;
            username = "MyUsername";
            passwd = "MyPassword";
        }
        phase2localid {
            ipnet {
                ipaddr = 0.0.0.0;
                mask = 0.0.0.0;
            }
        }
        phase2remoteid {
            ipaddr = 192.168.176.203;
        }
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip 0.0.0.0 0.0.0.0 192.168.176.203 255.255.255.255";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

/etc/vpnc/default.conf (on the Debian box):

IPSec gateway fritzbox.dnydns.org
IPSec ID TheGroupSecretID
IPSec secret TheGroupRealSecret
IKE Authmode psk
Xauth username MyUsername
Xauth password MyPassword
NAT Traversal Mode natt
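To make the correspondence between the two files explicit, here is an added example (my own code, not from the post and not AVM’s or vpnc’s) that parses the FritzBox .vpncfg syntax and emits the matching vpnc.conf lines; the sample profile is a constructed, trimmed copy of the one above, the gateway name has to be passed in because the profile does not contain it, and the optional `DPD idle timeout (our side) 0` line is vpnc’s documented way of switching off dead peer detection, not something from the post.

```python
# Added example (not from the post, not AVM's or vpnc's own code): parse an AVM
# .vpncfg profile and emit the vpnc.conf lines it maps onto. SAMPLE_VPNCFG is a
# constructed, trimmed copy of the device-4-176.vpncfg profile shown above.
import re

SAMPLE_VPNCFG = '''vpncfg { connections { enabled = yes; name = "Device-No-4";
  remote_virtualip = 192.168.176.203; remoteid { key_id = "TheGroupSecretID"; }
  mode = phase1_mode_aggressive; keytype = connkeytype_pre_shared;
  key = "TheGroupRealSecret"; use_nat_t = yes; use_xauth = yes;
  xauth { valid = yes; username = "MyUsername"; passwd = "MyPassword"; } }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; }'''

_TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,"]+')  # strings, punctuation, bare words

def parse_vpncfg(text):
    """Turn AVM's 'name { ... }' and 'key = value, value;' syntax into nested dicts."""
    tokens, pos = _TOKEN.findall(text), 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != '}':
            name, pos = tokens[pos], pos + 1
            if tokens[pos] == '{':                 # nested section
                pos += 1
                node[name] = block()
                pos += 1                           # consume the closing '}'
            else:                                  # '=' value (',' value)* ';'
                end = tokens.index(';', pos)
                values = [t.strip('"') for t in tokens[pos + 1:end] if t != ',']
                pos = end + 1
                node[name] = values[0] if len(values) == 1 else values
        return node
    return block()

def to_vpnc_conf(cfg, gateway, disable_dpd=False):
    """The profile carries no gateway name (remoteip is 0.0.0.0), so pass the DynDNS host."""
    conn = cfg['vpncfg']['connections']
    if conn.get('keytype') != 'connkeytype_pre_shared':
        raise ValueError('only pre-shared-key profiles map onto "IKE Authmode psk"')
    lines = ['IPSec gateway ' + gateway, 'IPSec ID ' + conn['remoteid']['key_id'],
             'IPSec secret ' + conn['key'], 'IKE Authmode psk']
    if conn.get('use_xauth') == 'yes':
        lines += ['Xauth username ' + conn['xauth']['username'],
                  'Xauth password ' + conn['xauth']['passwd']]
    if conn.get('use_nat_t') == 'yes':
        lines.append('NAT Traversal Mode natt')
    if disable_dpd:  # vpnc.conf(5): an idle timeout of 0 turns dead peer detection off
        lines.append('DPD idle timeout (our side) 0')
    return '\n'.join(lines) + '\n'
```

Running `to_vpnc_conf(parse_vpncfg(SAMPLE_VPNCFG), 'fritzbox.dnydns.org')` reproduces the default.conf shown above line for line, which is a quick way to check a hand-written vpnc file against the profile the FritzBox actually has.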

Occasionally the VPN connection is dropped if there is no data flowing across the VPN link; for my use case this is currently OK, but maybe I’ll need to look into disabling DPD (dead peer detection) later on.

Hope this post helps; I know I did search quite a lot for the solution. Of partial help was a (German) post for the N900; most other stuff I found relies on Racoon or some funny Swans (Open-/FreeSWAN) or relates to connecting to real Cisco gear …