HowTo: VPN between FritzBox and Sophos UTM (was: Astaro UTM) with DynDNS

After a lot of searching and trying, I finally managed to connect my Sophos UTM 9 (which is very nice and free for home users!) to my FritzBox. The fact that I don’t have a fixed IP address at home makes this especially tricky.


The UTM runs as a virtual machine on my root server. It has one public IP (RED), bridged via bridge0 to the host’s network card, and one private IP (GREEN) on a secondary bridge (bridge1) in my Xen environment.



FritzBox configuration:

My first try was simply using the “Add new VPN connection” form in the FritzBox. This won’t work: as soon as you rely on a dynamic hostname (instead of a fixed IP), the FritzBox forces IKE aggressive mode, which the UTM rejects with the following message in its IPsec log:

unsupported exchange type ISAKMP_XCHG_AGGR in message

So I had to create the config file manually; I adapted it from a few examples found on the web:

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Astaro";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip =;
        local_virtualip =;
        remoteip =;                    // public IP of the UTM
        remote_virtualip =;
        localid {
            fqdn = my.dyndnsname;      // must match the VPN ID (FQDN) configured on the UTM
        }
        remoteid {
            ipaddr =;                  // public IP of the UTM
        }
        mode = phase1_mode_idp;        // main mode; aggressive mode is rejected by the UTM
        phase1ss = "alt/all/all";
        keytype = connkeytype_pre_shared;
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr =;              // FritzBox LAN: network address
                mask =;                // FritzBox LAN: netmask
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        //phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        accesslist = "permit ip any";
        ike_forward_rules = "udp", 
    }
}
// EOF
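To make the pitfalls above checkable before importing a file into the FritzBox, here is an added Python example (not from the original post, and not FritzBox or Sophos code) that parses the vpncfg brace syntax shown above and flags the settings this setup depends on: main mode instead of aggressive mode, a pre-shared key, NAT-T switched on, a local ID of type FQDN equal to the DynDNS name, and IKE forward rules for UDP 500 and 4500. The sample config, its IP addresses and the DynDNS name are constructed placeholders; the complete `ike_forward_rules` line is my assumption of the usual form, since the line is cut off on the page.

```python
"""Parse a FritzBox vpncfg file and check the settings this HowTo relies on."""
import re

# Constructed sample in the vpncfg syntax from the HowTo. IPs and the DynDNS
# name are documentation placeholders, not values from the post; the
# ike_forward_rules line is assumed, the page only shows its beginning.
SAMPLE_VPNCFG = """\
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Astaro";
        always_renew = yes;
        localip = 0.0.0.0;
        remoteip = 203.0.113.10;           // placeholder: public IP of the UTM
        localid {
            fqdn = myhome.dyndns.example;  // placeholder DynDNS name
        }
        remoteid {
            ipaddr = 203.0.113.10;
        }
        mode = phase1_mode_idp;            // main mode (identity protection)
        keytype = connkeytype_pre_shared;
        use_nat_t = yes;
        phase2localid {
            ipnet {
                ipaddr = 192.0.2.0;
                mask = 255.255.255.0;
            }
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
    }
}
// EOF
"""


def parse_vpncfg(text):
    """Turn the brace syntax into nested dicts.

    Blocks are `name {` ... `}`, settings are `key = value;`, a setting may
    carry several comma-separated values, and `//` starts a comment.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            key, sep, value = line[:-1].partition("=")
            if not sep:
                raise ValueError(f"setting without '=': {raw!r}")
            values = [v.strip().strip('"') for v in value.split(",")]
            stack[-1][key.strip()] = values[0] if len(values) == 1 else values
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_dyndns_vpn(cfg, dyndns_name):
    """Return a list of settings that would keep the FritzBox <-> UTM tunnel from coming up."""
    conn = cfg.get("vpncfg", {}).get("connections", {})
    findings = []
    # The UTM rejects IKE aggressive mode (ISAKMP_XCHG_AGGR); only main mode works.
    if conn.get("mode") != "phase1_mode_idp":
        findings.append("phase 1 must use main mode (mode = phase1_mode_idp)")
    # The UTM policy in the HowTo authenticates with a pre-shared key.
    if conn.get("keytype") != "connkeytype_pre_shared":
        findings.append("keytype must be connkeytype_pre_shared")
    # The UTM gateway is configured with VPN ID type FQDN = the DynDNS name.
    if conn.get("localid", {}).get("fqdn") != dyndns_name:
        findings.append(f"localid.fqdn must equal the DynDNS name {dyndns_name}")
    # The HowTo's config keeps NAT traversal on; leave it that way.
    if conn.get("use_nat_t") != "yes":
        findings.append("use_nat_t must be yes")
    # IKE (UDP 500) and NAT-T (UDP 4500) both need forward rules.
    rules = conn.get("ike_forward_rules", [])
    rules = [rules] if isinstance(rules, str) else rules
    for port in ("500", "4500"):
        if not any(re.search(rf":{port}\b", r) for r in rules):
            findings.append(f"ike_forward_rules must forward UDP {port}")
    return findings


if __name__ == "__main__":
    problems = check_dyndns_vpn(parse_vpncfg(SAMPLE_VPNCFG), "myhome.dyndns.example")
    print("OK" if not problems else "\n".join(problems))
```

Feed the text of your own vpncfg file to `parse_vpncfg` and pass your DynDNS name to `check_dyndns_vpn`; an empty list means the settings the HowTo depends on are all in place.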

UTM settings

First, create a policy in UTM:


Now create a gateway which points to the FritzBox:


Make sure that the VPN ID type is set to FQDN and that it matches your dynamic hostname (usually the same as the gateway). Then create a remote network; in my case I called it Fidicinstrasse (this is where the FritzBox lives).

Finally, create a connection:


That’s all. Wait a few seconds and the connection should come up automatically.
