Netgear SRX5308 Site to Side VPN with Fritzbox 7490

Hi Chris

This is a bit difficult to answer without a little more detail on your part. I assume that you are comfortable with IPs, VPN basics and the likes.

The problem with AVM (the Fritz Box) is how they name particular options - just google e.g. "phase2ss" and you get a multitude of options but with little description of what they use. This is what I got to work, using a remote site (Site B) with a Fritz Box 7490 (OS 6.80) behind a dynamic IP and an SRX5308 (4.3.4-2) with a static IP (Site A) as the other end.

For the Fritz Setup you will have to create a configuration file and import the configuration.

Here's my configuration file for Site B:

vpncfg {
        connections {
                enabled = yes;
                editable = yes;
                conn_type = conntype_lan;
                name = "YOURCONNECTIONNAME";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "THEHOSTNAMEOFSITEA";
                localid {
                        fqdn = "SITEBHOSTNAME_EG_DYNDNS";
                }
                remoteid {
                        fqdn = "SITEA_HOSTNAME";
                }
                mode = phase1_mode_aggressive; // never got mode main to work here
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "PRESHAREDKEY";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0; // YOUR SITE B IP NET
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.0.0.0; // YOUR SITE A IP NET
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // TONS OF SETTINGS POSSIBLE, but this is the only one without compression I could find and got bored trying other combinations
                accesslist = "permit ip any 10.0.0.0 255.255.255.0", "permit ip any 192.168.72.0 255.255.255.0"; // YOUR Accesslist on Site A. Here the main Network and a VLAN on the SRX
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF

Now to the SRX'es End of the business.

You'll need a VPN policy for each of the networks in the above access list, such as the VLANs. With the exception of the Traffic Selection all settings can stay the same.

My VPN policy for the Main network 10.0.0.0/24 looks like this:

Remote Endpoint: (Dyn)DNS name of the Fritzbox

Enable Netbios yes

No Keepalive

Traffic Selection:

Subnets obviously

Auto Policy Parameters:

SA Lifetime 3600

Encryption 3DES

Integrity SHA-1

PFS DH Group 2

IKE Policy

General:

Direction Both

Exchange Mode Aggressive

Local Gateway WANx

Identifier FQDN - must match SITEA_HOSTNAME above

Remote:

Identifier FQDN - must match SITEBHOSTNAME_EG_DYNDNS

IKE SA

Encryption 3DES

Authentication SHA-1

Pre-Shared Key - must match PRESHAREDKEY above

DH Group 2

SA Lifetime 3600

No Dead Peer Detection

That's it. Let me know how you get on. If it doesn't work, don't forget the logs on the SRX, a bit more about your level of knowledge, and your starting setup.

Good luck. The Fritz Box is not a professional VPN device, they must have included that as an afterthought...