HowTo: VPN between FritzBox and Sophos UTM (was: Astaro UTM) with DynDNS

After searching and trying quite a lot, I finally managed to connect my Sophos UTM 9 (which is very nice and free for home users!) to my FritzBox. Especially the fact that I don’t have a fixed IP address at home makes this a bit tricky.

Setup

The UTM is running as a virtual machine on my root server. It has one public IP (RED, 1.2.3.4), which is bridged (bridge0) to the network card of the host, and one private IP (GREEN) on a secondary bridge (bridge1) in my Xen environment.

[Figure: VPN schema]

FritzBox configuration

My first try was simply using the "Add new VPN connection" form in the FritzBox. This won’t work, because as soon as you need to rely on a dynamic hostname (as opposed to a fixed IP) the FritzBox forces aggressive mode for IKE, which fails on the UTM side with the following message:

unsupported exchange type ISAKMP_XCHG_AGGR in message

So I had to create a config file manually; actually, I adapted it from a few examples found on the web:

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Astaro";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 1.2.3.4;
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = my.dyndnsname;
        }
        remoteid {
            ipaddr = 1.2.3.4;
        }
        mode = phase1_mode_idp;
        phase1ss = "alt/all/all";
        keytype = connkeytype_pre_shared;
        key = "HEREBEDRAGONS";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        //phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        accesslist = "permit ip any 192.168.2.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
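
As an added example (not from the original post), here is a small Python linter for this vpncfg format: it parses the nested blocks and flags the settings the HowTo depends on (FQDN identity for the dynamic side, main mode, a remote network disjoint from the local one, a real pre-shared key instead of the placeholder). The abridged sample config, the parser and the check messages are this example's own assumptions, not anything shipped with the FritzBox.

```python
import ipaddress
import re

# Constructed, abridged copy of the vpncfg from the post (only the fields the checks use).
SAMPLE = """vpncfg { connections {
  enabled = yes; name = "Astaro"; localip = 0.0.0.0; remoteip = 1.2.3.4;
  localid { fqdn = my.dyndnsname; } remoteid { ipaddr = 1.2.3.4; }
  mode = phase1_mode_idp; keytype = connkeytype_pre_shared; key = "HEREBEDRAGONS";
  use_nat_t = yes; phase2localid { ipnet { ipaddr = 192.168.1.0; mask = 255.255.255.0; } }
  accesslist = "permit ip any 192.168.2.0 255.255.255.0"; }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
  "udp 0.0.0.0:4500 0.0.0.0:4500"; } // EOF"""

# One token per match: a "//" comment, "name {", "}", or "key = value;" (values may span lines).
TOKEN = re.compile(r'//[^\n]*|(\w+)\s*\{|(\})|(\w+)\s*=\s*([^;]*);')

def parse_vpncfg(text):
    """Parse nested 'name { key = value; }' blocks into dicts; comments are dropped."""
    root = cur = {}
    stack = []
    for m in TOKEN.finditer(text):
        opener, closer, key, value = m.groups()
        if opener:                      # "connections {" starts a nested block
            cur[opener] = child = {}
            stack.append(cur)
            cur = child
        elif closer:
            cur = stack.pop()
        elif key:                       # keep the value as text, without quotes
            cur[key] = value.strip().replace('"', '')
    return root

def lint(cfg):
    """Return the problems found; an empty list means the file matches the working setup."""
    c = cfg["vpncfg"]["connections"]
    problems = []
    # With a dynamic hostname localip stays 0.0.0.0, so the identity must be the FQDN.
    if c.get("localip") == "0.0.0.0" and "fqdn" not in c.get("localid", {}):
        problems.append("dynamic side must identify itself with localid { fqdn = ...; }")
    if c.get("mode") != "phase1_mode_idp":   # main mode; aggressive mode is what the UTM refuses
        problems.append("mode must be phase1_mode_idp")
    if c.get("remoteid", {}).get("ipaddr") != c.get("remoteip"):
        problems.append("remoteid ipaddr must equal remoteip (the UTM's fixed address)")
    ipnet = c.get("phase2localid", {}).get("ipnet", {})
    try:   # local LAN from phase2localid, remote LAN from the accesslist's last two fields
        local = ipaddress.ip_network(f"{ipnet.get('ipaddr')}/{ipnet.get('mask')}")
        remote = ipaddress.ip_network("/".join(c.get("accesslist", "").split()[-2:]))
    except ValueError:
        local = remote = None
    if local is None or local.overlaps(remote):
        problems.append("accesslist must name a remote network disjoint from phase2localid")
    if len(c.get("key", "")) < 20 or c.get("key") == "HEREBEDRAGONS":
        problems.append("pre-shared key is the placeholder or shorter than 20 characters")
    return problems
```

Run `lint(parse_vpncfg(open("vpn.cfg").read()))` on your own file before uploading it; the sample above reports only the placeholder key.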

UTM settings

First, create a policy in UTM:

[Screenshot: FritzboxVPN_Policy]

Now create a gateway which points to the FritzBox:

[Screenshot: FritzboxVPN_Gateway]

Make sure that the VPN ID type is set to FQDN and that it matches your dynamic hostname (usually the same as the gateway). Then create a remote network, in this case 192.168.1.0/24; I called it Fidicinstrasse (this is where the FritzBox lives).

Finally, create a connection:

[Screenshot: FritzboxVPN_Connection]

That’s all. Wait a few seconds and the connection should come up automatically.