Random Cisco geekery, issue 5: A VPN between a Cisco EPC3925 and a FRITZ!Box 7270.

I struggled quite a bit to get these two devices talking, mostly because the VPN parameters on the FRITZ!Box are not documented, which made it hard to match them with the Cisco device. Eventually I managed, so here are the parameters that work.

Here we go.

First of all, this assumes both sites have dynamic IP addresses, in which case each side needs a dynamic DNS name (e.g. DynDNS, No-IP, or your own solution). The names are used both as the remote gateway address and as the IKE identities, so they must resolve correctly from both sides.

Let’s say that the site with the FRITZ!Box is reachable as fritz.dyndns.example and its local subnet is 192.168.0.0/24, and the site with the Cisco router is reachable as cisco.dyndns.example and its local subnet is 192.168.99.0/24.

What to do on the FRITZ!Box?

Create a text file with this content:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "fritz.dyndns.example";  // Local FQDN
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "cisco.dyndns.example"; // Remote FQDN
                localid {
                        fqdn = "fritz.dyndns.example"; // Local FQDN
                }
                remoteid {
                        fqdn = "cisco.dyndns.example"; // Remote FQDN
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "your_shared_key"; // Your VPN password
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.0.0; // Local subnet
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.99.0; // Remote subnet
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.99.0 255.255.255.0"; // Remote subnet
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Replace the values on every line that carries a // comment with your own FQDNs, subnets and key (the local FQDN appears twice, the remote FQDN twice and the remote subnet twice, so check they all agree). Then open the control panel of your FRITZ!Box, go to Internet > Permit Access > VPN, choose Import VPN Settings and upload the file you’ve just created.
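Because the same value has to be typed into several places of that file, here is a small generator for it, added for this post and not part of the original or of any AVM or Cisco tooling. It fills the vpncfg shown above from five parameters, refuses overlapping or malformed subnets and a short pre-shared key (with aggressive mode and a pre-shared key, anyone who captures the IKE exchange can guess the key offline, so it has to be long and random), and can mint a random key. The template text is the file from the post; the 20-character floor, the double-quote restriction and the FQDN pattern are my own assumptions, not FRITZ!Box limits.

```python
"""Generate the FRITZ!Box vpncfg for the LAN-to-LAN tunnel in this post.

Added example, not from the original post or from AVM. The template is the
vpncfg shown above; the validation limits are assumptions (see comments)."""
import ipaddress
import re
import secrets

# The vpncfg from the post with the site-specific values as placeholders.
TEMPLATE = """\
vpncfg {{
        connections {{
                enabled = yes;
                conn_type = conntype_lan;
                name = "{local_fqdn}";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "{remote_fqdn}";
                localid {{
                        fqdn = "{local_fqdn}";
                }}
                remoteid {{
                        fqdn = "{remote_fqdn}";
                }}
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "{psk}";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {{
                        ipnet {{
                                ipaddr = {local_net};
                                mask = {local_mask};
                        }}
                }}
                phase2remoteid {{
                        ipnet {{
                                ipaddr = {remote_net};
                                mask = {remote_mask};
                        }}
                }}
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any {remote_net} {remote_mask}";
        }}
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}}
"""

# Loose FQDN check (assumption): dotted labels of letters, digits and hyphens.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def validate(local_fqdn, remote_fqdn, local_net, remote_net, psk):
    """Catch the mistakes that make the tunnel fail silently or weaken it."""
    for fqdn in (local_fqdn, remote_fqdn):
        if not FQDN_RE.match(fqdn):
            raise ValueError(f"not a valid FQDN: {fqdn!r}")
    if local_fqdn.lower() == remote_fqdn.lower():
        raise ValueError("local and remote FQDN must differ: they are the IKE identities")
    # strict=True rejects host bits, e.g. 192.168.0.1/24 instead of 192.168.0.0/24
    lnet = ipaddress.ip_network(local_net, strict=True)
    rnet = ipaddress.ip_network(remote_net, strict=True)
    if lnet.overlaps(rnet):
        raise ValueError(f"subnets overlap ({lnet}, {rnet}); routing over the tunnel is ambiguous")
    # Aggressive mode with a PSK lets an eavesdropper brute-force the key offline,
    # so insist on a long one (20 is an assumed floor, not a FRITZ!Box limit).
    # A double quote would end the quoted value in the file, so refuse it too.
    if len(psk) < 20 or '"' in psk:
        raise ValueError("pre-shared key must be >= 20 characters and contain no double quote")
    return lnet, rnet


def build_vpncfg(local_fqdn, remote_fqdn, local_net, remote_net, psk):
    """Return the vpncfg text for the FRITZ!Box side of the tunnel."""
    lnet, rnet = validate(local_fqdn, remote_fqdn, local_net, remote_net, psk)
    return TEMPLATE.format(
        local_fqdn=local_fqdn, remote_fqdn=remote_fqdn, psk=psk,
        local_net=lnet.network_address, local_mask=lnet.netmask,
        remote_net=rnet.network_address, remote_mask=rnet.netmask,
    )


def new_psk(nbytes=24):
    """Random key using only [A-Za-z0-9_-], so it pastes cleanly into both web UIs."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(build_vpncfg("fritz.dyndns.example", "cisco.dyndns.example",
                       "192.168.0.0/24", "192.168.99.0/24", new_psk()))
```

Run it, save the output as the file to import, and paste the same key into the Cisco’s Pre-Shared Key field (check that field accepts a key of that length; if it does not, shorten `nbytes` rather than picking a word).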

What to do on the Cisco EPC3925?

Go to Security > VPN, and create a new Tunnel with whatever name you like.

  • Local Secure Group: your local subnet (192.168.99.0, mask 255.255.255.0)
  • Remote Secure Group: the remote subnet (192.168.0.0, mask 255.255.255.0)
  • Remote Secure Gateway: the remote FQDN (fritz.dyndns.example)
  • Key Management:
    • Key Exchange Method: Auto (IKE)
    • Encryption: DES
    • Authentication: SHA1
    • PFS: Enable
    • Pre-Shared Key: your VPN password (your_shared_key, the same string as key in the FRITZ!Box file)
    • Key Lifetime: 3600

Now click Save Settings, then go on Advanced Settings and set this:

  • Phase 1:
    • Operation Mode: Aggressive
    • Local Identity: the local host Name (cisco.dyndns.example)
    • Remote Identity: the remote host Name (fritz.dyndns.example)
    • Encryption: 3DES
    • Authentication: MD5
    • Group: 1024-bit
    • Key Lifetime: 28800
  • Phase 2:
    • Group: 1024-bit

Save the settings, cross your fingers and your toes and click on Connect.

Two things worth knowing about this setup. Aggressive mode with a pre-shared key means anyone who captures the IKE exchange can try to guess the key offline, so use a long random key rather than a word. DES (Phase 2) and MD5 (Phase 1) are weak by today’s standards; the FRITZ!Box side is configured to accept any proposal ("all/all/all" and "esp-all-all"), so if the Cisco menus offer 3DES or AES and SHA1 there, pick them and the FRITZ!Box will still accept them.
