Adapting a VPN Connection from FRITZ!Box to AVM Access Server (Client LAN)
Note: The adjustments in this example are intended only as a guide and make no claim to be complete. AVM Support does not offer assistance in adapting individual configuration files beyond the functionality of the wizard ("Configure FRITZ!VPN Connection").
For the configuration of VPN connections, it is important to distinguish between LAN-LAN links and client-LAN links.
In LAN-LAN links, each side (network) can initiate an independent VPN connection to the remote site (for instance, between two branch offices).
In client-LAN links, only the client can establish a connection to the LAN (for instance, field staff to headquarters).
Description of a Configuration between FRITZ!Box and AVM Access Server
We recommend printing out the following configuration and comparing it with the text descriptions below.
Example of the "fritzbox_‹name of the FRITZ!Box›.cfg" on the basis of a "FRITZ!Box to AVM Access Server" configuration
For a simple client-LAN link to the AVM Access Server, a "netways.eff" file can be imported directly in the "FRITZ!Box VPN Connection" software.
In this example a VPN connection is to be established between a FRITZ!Box and the AVM Access Server. This is why, instead of the "netways.eff" of an AVM Access Server user, a "fritzbox_‹name of the FRITZ!Box›.cfg" already generated in "FRITZ!Box VPN Connection" is adapted to the specific needs of the situation.
The link in question is a client-LAN link, since AVM NetWAYS/ISDN (and the FRITZ!Box taking its place here) always establishes the connection to the company network and never the other way round. This is why only the identity of the local side (the client) must be specified for IKE phase 1; in this case it is the user FQDN, i.e. the AVM Access Server user name.
Rather than a "remotehostname" (DynDNS name), a "remoteip" is entered, since in this example the AVM Access Server has a fixed IP address in the Internet.
The "aggressive mode" is used for this connection. The security strategies for IKE phase 1 were defined in the AVM Access Server with "alt/aes/sha".
A list of the security strategies permitted for IKE phase 1 is available
here.
The "pre-shared key" (password) for the user was defined in the AVM Access Server.
In addition, a RADIUS server was configured behind the AVM Access Server for extended authentication (XAUTH), which requires the user or the FRITZ!Box to authenticate a second time. For this reason "xauth" has been enabled in the configuration file and the login data (user name and password) has been entered. Note that this login data, like the pre-shared key, is stored in plain text in the .cfg file, so the file must be protected accordingly.
Alternatively, XAUTH can be enabled for extended authentication in the AVM Access Server itself.
Since the link in question is a client-LAN link, "cfgmode" is used. This causes AVM NetWAYS/ISDN or the FRITZ!Box to obtain a virtual IP address for its end of the tunnel from the remote site; the AVM Access Server determines which address is assigned. NAT is then enabled automatically for the local network behind the tunnel, so the hosts behind the FRITZ!Box reach the remote site under that virtual address. Alternatively, the IP address of the "client" can be defined statically: in this case "cfgmode" is not enabled and the assigned IP address is entered under "virtualip".
The access rules ("accesslist") serve as the identities (traffic selectors) for IKE phase 2, the IPSec phase.
The security strategies for IKE phase 2 (the IPSec phase) are defined with "esp-aes-sha/ah-no/comp-lzjh/pfs": ESP with AES encryption and SHA integrity protection, no AH, LZJH compression, and perfect forward secrecy.
A list of the security strategies permitted for IKE phase 2 (the IPSec phase) is available here.
The access rules ("accesslist") name the IP networks or hosts that may be reached through the tunnel. If the rules are adapted, they must be adapted identically on both sides (in the AVM Access Server, too), because they are exchanged as the IKE phase 2 identities and the IPSec security association is only negotiated when they match.
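As an added example (not part of the AVM article and not AVM's own software), the following Python script parses a constructed client-LAN entry written in the style of the "fritzbox_‹name of the FRITZ!Box›.cfg" file and checks the points made above: that "remoteip" or "remotehostname" is set, that the "xauth" data is complete when XAUTH is enabled, that "cfgmode" and a static virtual IP are not mixed, and that the networks in "accesslist" match the list configured on the Access Server side. The key names in the sample (local_virtualip, use_cfgmode, use_xauth, phase1ss, phase2ss and the others), the addresses, the user name and the secrets are assumptions for illustration only; the minimum pre-shared key length is the editor's own choice.

```python
import ipaddress
import re

# Constructed sample in the style of a "fritzbox_<name>.cfg" client-LAN entry.
# Names, addresses and secrets are made up; the key names follow the vpncfg
# layout as this example assumes it, not a file generated by AVM's software.
SAMPLE_CFG = '''
vpncfg {
  connections {
    local_virtualip = 0.0.0.0;
    remoteip = 203.0.113.10;
    localid {
      user_fqdn = "fritzbox@example.com";
    }
    mode = phase1_mode_aggressive;
    phase1ss = "alt/aes/sha";
    keytype = connkeytype_pre_shared;
    key = "Zq7vR2mpL9xWb4Ty1QdH3";
    use_xauth = yes;
    xauth {
      valid = yes;
      username = "fritzbox";
      passwd = "xauth-secret";
    }
    use_cfgmode = yes;
    phase2ss = "esp-aes-sha/ah-no/comp-lzjh/pfs";
    accesslist = "permit ip any 10.0.0.0 255.255.255.0",
                 "permit ip any 10.0.1.0 255.255.255.0";
  }
}
'''
# Networks the Access Server side permits for this user (constructed).
SERVER_NETWORKS = ["10.0.0.0/24", "10.0.1.0/24"]

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};=,]|[^\s{};=,"]+')  # string | punctuation | bare word


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _parse_block(tokens, i):
    """Parse `key = v[, v];` and `key { ... }` entries until '}' or end of input."""
    block = {}
    while i < len(tokens):
        if tokens[i] == "}":
            return block, i + 1
        key, i = tokens[i], i + 1
        if tokens[i] == "{":
            block[key], i = _parse_block(tokens, i + 1)
        elif tokens[i] == "=":
            values, i = [], i + 1
            while tokens[i - 1] != ";":        # one or more comma-separated values
                values.append(_unquote(tokens[i]))
                if tokens[i + 1] not in (",", ";"):
                    raise ValueError(f"expected ',' or ';' after {key}")
                i += 2
            block[key] = values[0] if len(values) == 1 else values
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} after {key}")
    return block, i


def parse_cfg(text):
    """Parse a vpncfg file with one connections block into nested dicts."""
    return _parse_block(TOKEN_RE.findall(text), 0)[0]


def accesslist_networks(conn):
    """Networks named in the 'permit ip any <net> <mask>' access rules, sorted."""
    rules = conn["accesslist"]
    nets = []
    for rule in [rules] if isinstance(rules, str) else rules:
        parts = rule.split()
        if len(parts) != 5 or parts[:3] != ["permit", "ip", "any"]:
            raise ValueError(f"unsupported access rule: {rule!r}")
        nets.append(ipaddress.ip_network(f"{parts[3]}/{parts[4]}"))
    return sorted(nets)


def check_client_lan(cfg, server_networks):
    """Return findings for a client-LAN entry; an empty list means it is consistent."""
    conn = cfg["vpncfg"]["connections"]
    findings = []
    if "remoteip" not in conn and "remotehostname" not in conn:
        findings.append("neither remoteip nor remotehostname is set")
    if conn.get("mode") == "phase1_mode_aggressive" and len(conn.get("key", "")) < 20:
        # Aggressive mode exposes the PSK-derived hash to offline guessing.
        findings.append("aggressive mode with a short pre-shared key")
    if conn.get("use_xauth") == "yes":
        x = conn.get("xauth", {})
        if x.get("valid") != "yes" or not x.get("username") or not x.get("passwd"):
            findings.append("use_xauth = yes but the xauth block is incomplete")
    static_ip = conn.get("local_virtualip", "0.0.0.0") != "0.0.0.0"
    if conn.get("use_cfgmode") == "yes" and static_ip:
        findings.append("use_cfgmode = yes and a static local_virtualip exclude each other")
    if conn.get("use_cfgmode") != "yes" and not static_ip:
        findings.append("without cfgmode the assigned address must be set in local_virtualip")
    # The access rules are the phase 2 identities and must match the server side.
    server = sorted(ipaddress.ip_network(n) for n in server_networks)
    if accesslist_networks(conn) != server:
        findings.append(f"accesslist networks differ from Access Server side {server}")
    return findings
```

Running check_client_lan(parse_cfg(SAMPLE_CFG), SERVER_NETWORKS) on the sample returns an empty list; removing one network from the server-side list, switching "use_cfgmode" to "no" without filling in "local_virtualip", or shortening the key each produces a finding, which is the kind of mismatch that otherwise only shows up as a failed phase 1 or phase 2 negotiation in the event log.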