I’m trying to connect my nixos laptop to a remote vpn hosted by a fritzbox running fritz os 7.
This means it’s IKEv1 with a short preshared key which can not be changed.
I tried using networkmanager (with the strongswan plugin), but the cli as well as the applet won’t let me configure a connection with a psk shorter than 20 characters.
Is there any way to configure an ipsec client on nixos that can work under these conditions?
I looked at strongswan/swanctl documentation and configuration examples but it’s really overwhelming me with my little knowledge about vpn stuff.
Any help is very much appreciated 
Thank you!
Hi Thorsten,
StrongSwan is overwhelming indeed. Trust me, I’ve been there. There are many knobs to turn.
I would suggest studying the strongswan-swanctl NixOS test and see how to adapt it to your situation.
In your case:
- moon is your fritzbox.
- carol is your nixos laptop.
- alice is some device behind your fritzbox that you want to access from your laptop.
What to adapt?
- You should copy the configuration of carol.
- I think you can remove the local_addrs setting.
- Set remote_addrs to the public IP of your fritzbox.
- Set local."main".id to your IKE identity (i.e. your username used for authentication).
- Set remote."main".id and secrets.ike."moon".id."main" to something like "fritzbox". It doesn’t really matter what you set this to as long as the id in the remote section is the same as the id in the secret section so that they’re associated and strongswan knows which secret to send to the remote. You may also rename "moon" to something more appropriate like also "fritzbox".
- Set remote_ts to the subnet of your VPN.
- Either remove esp_proposals and proposals or set them to what is required by your fritzbox.
- Set version from 2 to 1 for IKEv1.
- Set secret to your PSK.
Check the documentation of swanctl.conf for descriptions on all these options.
Good luck!
Thank you Bas, for your detailed answer! I didn’t even think of looking at the tests. Alas, I still haven’t solved my problem. I forgot to write that the fritz box does not only use a preshared key but also a password alongside the username.
The setup guide for android says to configure “xauth” authentication. I tried adapting the “ikev1-psk-xauth” “Initiator” example from Usable Examples configurations - strongSwan but I don’t understand how to correctly configure IDs and secrets. Also I never seem to get any helpful log output in the swanctl systemd unit.
As another approach I took a second look at network manager and noticed the strongswan plugin I was trying to use does not even support ikev1 so I started packaging the networkmanager-libreswan plugin.
It already compiles and shows up in my connection settings but does not start the libreswan service yet.
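Putting Bas’s checklist and the XAUTH addition from the strongSwan “ikev1-psk-xauth” initiator example Thorsten mentions into one NixOS configuration, as an added example that is not from either post, the NixOS test, or the strongSwan project; the remote address, user name, IDs, subnet, proposal strings and both secrets are placeholders or assumptions to replace with your own values:

```nix
{ config, pkgs, ... }:
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl = {
      connections.fritzbox = {
        version = 1;                      # IKEv1, as the box requires
        remote_addrs = [ "fritzbox.example.invalid" ];  # public IP or DynDNS name (placeholder)
        vips = [ "0.0.0.0" ];             # ask the box for a virtual IPv4 (IKEv1 mode config)
        proposals = [ "aes128-sha256-modp3072" ];       # assumed; set to what the box requires
        local."main" = {
          auth = "psk";
          id = "vpnuser";                 # IKE identity = the VPN user name on the box (placeholder)
        };
        local."xauth" = {
          auth = "xauth";                 # second auth round: XAUTH user name + password
          xauth_id = "vpnuser";
        };
        remote."main" = {
          auth = "psk";
          id = "fritzbox";                # any label, but it must equal secrets.ike.fritzbox.id."main"
        };
        children.home = {
          remote_ts = [ "192.168.178.0/24" ];           # LAN behind the box (assumed)
          esp_proposals = [ "aes128-sha256-modp3072" ]; # assumed; see proposals above
          start_action = "start";
        };
      };
      secrets = {
        ike.fritzbox = {
          id."main" = "fritzbox";         # ties this PSK to remote."main"
          secret = "REPLACE-WITH-PSK";    # the fixed key from the box's VPN settings
        };
        xauth.vpnuser = {
          id."main" = "vpnuser";          # ties this password to xauth_id
          secret = "REPLACE-WITH-PASSWORD";
        };
      };
    };
  };
  # Caveat: string literals in a NixOS configuration are written to the
  # world-readable Nix store, so every local user can read both secrets.
}
```

After `nixos-rebuild switch`, `swanctl --list-conns` shows whether the connection was loaded and `journalctl -u strongswan-swanctl` carries the IKE negotiation log that the thread says is hard to find.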