
Forum Discussion

chrbus
Aspirant
Jan 26, 2017

Netgear SRX5308 Site to Side VPN with Fritzbox 7490

Hello everybody.
I am new here and I am also interested in connecting our SRX5308 with a Fritzbox 7490.

However, it is really difficult to find information about what a configuration file of the NETGEAR for a Fritzbox looks like.

Is there any sample config file which I could adapt to our business network?

Hope the question is not wrong or stupid.


Some details:

NETGEAR ProSafe™ Gigabit Quad WAN SSL VPN Firewall SRX5308
Firmware Version: 4.3.4-1

AVM Fritzbox 7490
Firmware Version: 6.80

Best Regards and Thanks!

Chris


2 Replies

  • Hi Chris

    This is a bit difficult to answer without a little more detail on your part. I assume that you are comfortable with IPs, VPN basics and the like.

    The problem with AVM (the Fritz Box) is how they name particular options - just google e.g. "phase2ss" and you get a multitude of options but with little description of what they use. This is what I got to work, using a remote site (Site B) with a Fritz Box 7490 (OS 6.80) behind a dynamic IP and an SRX5308 (4.3.4-2) with a static IP (Site A) as the other end.


    For the Fritz Setup you will have to create a configuration file and import the configuration.


    Here's my configuration file for Site B:



    vpncfg {
            connections {
                    enabled = yes;
                    editable = yes;
                    conn_type = conntype_lan;
                    name = "YOURCONNECTIONNAME";
                    always_renew = yes;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = 0.0.0.0;
                    remote_virtualip = 0.0.0.0;
                    remotehostname = "THEHOSTNAMEOFSITEA";
                    localid {
                            fqdn = "SITEBHOSTNAME_EG_DYNDNS";
                    }
                    remoteid {
                            fqdn = "SITEA_HOSTNAME";
                    }
                    mode = phase1_mode_aggressive; // never got mode main to work here
                    phase1ss = "all/all/all";
                    keytype = connkeytype_pre_shared;
                    key = "PRESHAREDKEY";
                    cert_do_server_auth = no;
                    use_nat_t = no;
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = 192.168.178.0; // YOUR SITE B IP NET
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = 10.0.0.0; // YOUR SITE A IP NET
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // TONS OF SETTINGS POSSIBLE, but this is the only one without compression I could find and got bored trying other combinations
                    accesslist = "permit ip any 10.0.0.0 255.255.255.0", "permit ip any 192.168.72.0 255.255.255.0"; // YOUR Accesslist on Site A. Here the main Network and a VLAN on the SRX
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    // EOF

    Now to the SRX's end of the business.

    You'll need a VPN policy for each of the networks in the above access list, such as the VLANs. With the exception of the Traffic Selection, all settings can stay the same.

    My VPN policy for the Main network 10.0.0.0/24 looks like this:

    Remote Endpoint: (Dyn)DNS name of the Fritzbox
    Enable NetBIOS: yes
    Keepalive: no

    Traffic Selection: subnets, obviously

    Auto Policy Parameters:
    SA Lifetime: 3600
    Encryption: 3DES
    Integrity: SHA-1
    PFS: DH Group 2

    IKE Policy

    General:
    Direction: Both
    Exchange Mode: Aggressive
    Local Gateway: WANx
    Identifier: FQDN - must match SITEA_HOSTNAME above

    Remote:
    Identifier: FQDN - must match SITEBHOSTNAME_EG_DYNDNS above

    IKE SA:
    Encryption: 3DES
    Authentication: SHA-1
    Pre-Shared Key: must match PRESHAREDKEY above
    DH Group: 2
    SA Lifetime: 3600
    Dead Peer Detection: no


    That's it. Let me know how you get on. If it doesn't work, don't forget the logs on the SRX, a bit more about your level of knowledge, and your starting setup.


    Good luck. The Fritz Box is not a professional VPN device, they must have included that as an afterthought...
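An added example, not code from the post, from AVM or from NETGEAR: a small parser for the vpncfg format shown in the reply, plus a consistency check against the SRX settings listed for Site A. It verifies the points the reply says must match (the Fritz localid equals the SRX remote identifier and vice versa, the pre-shared key is the same, phase2ss maps to the VPN policy's 3DES/SHA-1/PFS, and every network in the accesslist has its own SRX VPN policy). The SRX side is a hand-written dict (SRX_SITE_A, an assumption, since the SRX has no text export on the page) and the sample file is a condensed copy of the reply's Site B file with the placeholders kept. It also warns about the aggressive mode the reply relies on: IKEv1 aggressive mode sends the identities unencrypted and lets a passive observer capture a hash derived from the PSK for offline guessing, so the PRESHAREDKEY placeholder must become a long random secret.

```python
"""Parse a FRITZ!Box vpncfg import file and cross-check it against the SRX5308 end."""
import ipaddress
import re

# Constructed sample: the Site B file from the post, condensed, placeholders kept.
SAMPLE_VPNCFG = """
vpncfg {
        connections {
                name = "YOURCONNECTIONNAME";
                localid { fqdn = "SITEBHOSTNAME_EG_DYNDNS"; }
                remoteid { fqdn = "SITEA_HOSTNAME"; }
                mode = phase1_mode_aggressive; // main mode did not work for the poster
                key = "PRESHAREDKEY";
                phase2localid { ipnet { ipaddr = 192.168.178.0; mask = 255.255.255.0; } }
                phase2remoteid { ipnet { ipaddr = 10.0.0.0; mask = 255.255.255.0; } }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                accesslist = "permit ip any 10.0.0.0 255.255.255.0",
                             "permit ip any 192.168.72.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

# SRX side as entered in the GUI (hypothetical dict; the SRX has no text export here).
SRX_SITE_A = {
    "exchange_mode": "aggressive",                # IKE policy > Exchange Mode
    "local_id_fqdn": "SITEA_HOSTNAME",            # IKE policy > Local > Identifier
    "remote_id_fqdn": "SITEBHOSTNAME_EG_DYNDNS",  # IKE policy > Remote > Identifier
    "psk": "PRESHAREDKEY",
    "encryption": "3des", "integrity": "sha", "pfs": True,     # VPN policy: 3DES/SHA-1/PFS DH2
    "vpn_policy_subnets": {"10.0.0.0/24", "192.168.72.0/24"},  # one VPN policy per subnet
}

_TOKEN = re.compile(r'\s+|//[^\n]*|"[^"]*"|[{}=;,]|[^\s{}=;,"]+')

def _tokens(text):
    """Yield vpncfg tokens, dropping whitespace and // comments."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.isspace() and not tok.startswith("//"):
            yield tok

def _parse_block(tokens, top=False):
    """Parse `name = v1, v2;` and `name { ... }` entries up to the closing brace."""
    block = {}
    for name in tokens:
        if name == "}":
            return block
        nxt = next(tokens)
        if nxt == "{":
            block[name] = _parse_block(tokens)
        elif nxt == "=":
            values = []
            while True:
                val = next(tokens)
                values.append(val[1:-1] if val.startswith('"') else val)
                sep = next(tokens)
                if sep == ";":
                    break
                if sep != ",":
                    raise ValueError(f"bad separator {sep!r} after {name}")
            block[name] = values[0] if len(values) == 1 else values
        else:
            raise ValueError(f"expected '=' or '{{' after {name!r}, got {nxt!r}")
    if top:
        return block
    raise ValueError("unterminated block")

def parse_vpncfg(text):
    return _parse_block(_tokens(text), top=True)

def _net(addr, mask):
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def _parse_phase2ss(spec):
    """'esp-3des-sha/ah-no/comp-no/pfs' -> ('3des', 'sha', True)."""
    _, enc, integ = spec.split("/")[0].split("-")
    return enc, integ, "pfs" in spec.split("/")

def check_against_srx(cfg, srx):
    """Return (level, message) findings; any 'error' means the tunnel will not come up."""
    conn = cfg["vpncfg"]["connections"]
    out = []
    def expect(cond, msg):
        out.append(("ok" if cond else "error", msg))
    expect(conn["mode"] == f"phase1_mode_{srx['exchange_mode']}", "phase 1 exchange mode matches")
    expect(conn["localid"]["fqdn"] == srx["remote_id_fqdn"], "FRITZ localid equals SRX remote identifier")
    expect(conn["remoteid"]["fqdn"] == srx["local_id_fqdn"], "FRITZ remoteid equals SRX local identifier")
    expect(conn["key"] == srx["psk"], "pre-shared key matches")
    expect(_parse_phase2ss(conn["phase2ss"]) == (srx["encryption"], srx["integrity"], srx["pfs"]),
           "phase 2 proposal matches the SRX VPN policy")
    acl = conn["accesslist"]
    wanted = {_net(*e.split()[-2:]) for e in (acl if isinstance(acl, list) else [acl])}
    rem = conn["phase2remoteid"]["ipnet"]
    wanted.add(_net(rem["ipaddr"], rem["mask"]))
    for net in sorted(wanted):  # each Site A network needs its own SRX VPN policy
        expect(net in srx["vpn_policy_subnets"], f"SRX has a VPN policy for {net}")
    if srx["exchange_mode"] == "aggressive":
        out.append(("warn", "IKEv1 aggressive mode sends identities unencrypted and exposes a "
                            "PSK-derived hash to passive capture; use a long random PSK"))
    return out
```

Run `check_against_srx(parse_vpncfg(open("site_b.cfg").read()), SRX_SITE_A)` on the real file after replacing the placeholders; any "error" line points at a field that differs between the two ends, which is exactly what the SRX log will otherwise only show as a failed phase 1 or phase 2 negotiation.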

    • chrbus

      A few adjustments were necessary, but it worked.
      Your guide was very helpful.

      I am so happy!


      I will now do a few tests and refine the configuration and post my results.


      Thank you very much!!
