Netgear SRX5308 Site to Side VPN with Fritzbox 7490

chrbus
Aspirant

Hello everybody.
I am new here and I am also interested in connecting our SRX5308 with a Fritzbox 7490.
However, it is really difficult to find information about what a configuration file of the Netgear for a Fritzbox looks like.

Is there any sample config file which I could fit to our business network?

Hope the question is not wrong or stupid.
Some details:

NETGEAR ProSafe™ Gigabit Quad WAN SSL VPN Firewall SRX5308
Firmware Version: 4.3.4-1

AVM Fritzbox 7490
Firmware Version: 6.80
Best Regards and Thanks!

Chris
Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 3
externaluse
Aspirant

Re: Netgear SRX5308 Site to Side VPN with Fritzbox 7490

Hi Chris

This is a bit difficult to answer without a little more detail on your part. I assume that you are comfortable with IPs, VPN basics and the likes.
The problem with AVM (the Fritz Box) is how they name particular options - just google e.g. "phase2ss" and you get a multitude of options but with little description of what they use. This is what I got to work, using a remote site (Site B) with a Fritz Box 7490 (OS 6.80) behind a dynamic IP and an SRX5308 (4.3.4-2) with a static IP (Site A) as the other end.
For the Fritz Setup you will have to create a configuration file and import the configuration.
Here's my configuration file for Site B:
vpncfg {
        connections {
                enabled = yes;
                editable = yes;
                conn_type = conntype_lan;
                name = "YOURCONNECTIONNAME";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "THEHOSTNAMEOFSITEA";
                localid {
                        fqdn = "SITEBHOSTNAME_EG_DYNDNS";
                }
                remoteid {
                        fqdn = "SITEA_HOSTNAME";
                }
                mode = phase1_mode_aggressive; // never got mode main to work here
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "PRESHAREDKEY";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0; // YOUR SITE B IP NET
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.0.0.0; // YOUR SITE A IP NET
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // TONS OF SETTINGS POSSIBLE, but this is the only one without compression I could find and got bored trying other combinations
                accesslist = "permit ip any 10.0.0.0 255.255.255.0", "permit ip any 192.168.72.0 255.255.255.0"; // YOUR Accesslist on Site A. Here the main Network and a VLAN on the SRX
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF
Now to the SRX's end of the business.
You'll need a VPN policy for each of the networks in the above access list, such as the VLANs. With the exception of the Traffic Selection all settings can stay the same.
My VPN policy for the Main network 10.0.0.0/24 looks like this:

Remote Endpoint: (Dyn)DNS name of the Fritzbox

Enable Netbios yes

No Keepalive
Traffic Selection:

Subnets obviously

Auto Policy Parameters:

SA Lifetime 3600

Encryption 3DES

Integrity SHA-1

PFS DH Group 2
IKE Policy

General:

Direction Both

Exchange Mode Aggressive

Local Gateway WANx

Identifier FQDN - must match SITEA_HOSTNAME above

Remote:

Identifier FQDN - must match SITEBHOSTNAME_EG_DYNDNS
IKE SA

Encryption 3DES

Authentication SHA-1

Pre-Shared Key - must match PRESHAREDKEY above

DH Group 2

SA Lifetime 3600

No Dead Peer Detection
That's it. Let me know how you get on. If it doesn't work, don't forget the logs on the SRX, a bit more about your level of knowledge, and your starting setup.
Good luck. The Fritz Box is not a professional VPN device, they must have included that as an afterthought...

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 2 of 3
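As an added example (not posted by either participant), here is a small Python check that parses the Fritz phase2ss selector and compares the vpncfg values against the SRX VPN/IKE policy fields listed in the reply above, with local and remote mirrored between the two ends; the token names beyond esp-3des-sha and the phase1_mode_main value are assumptions, and the sample data is constructed from the thread's placeholders.

```python
import re

# Assumed mapping of AVM vpncfg tokens to the SRX policy field names; only
# esp-3des-sha and phase1_mode_aggressive are confirmed in the thread above.
ENC = {"3des": "3DES", "aes": "AES-128", "aes256": "AES-256"}
HASH = {"sha": "SHA-1", "sha256": "SHA-256", "md5": "MD5"}
MODE = {"phase1_mode_aggressive": "Aggressive", "phase1_mode_main": "Main"}

def parse_phase2ss(phase2ss):
    """Split 'esp-3des-sha/ah-no/comp-no/pfs' into SRX Auto Policy values."""
    esp, *flags = phase2ss.split("/")
    m = re.fullmatch(r"esp-([a-z0-9]+)-([a-z0-9]+)", esp)
    if not m:
        raise ValueError("unsupported esp selector: " + esp)
    return {"encryption": ENC.get(m.group(1), m.group(1).upper()),
            "integrity": HASH.get(m.group(2), m.group(2).upper()),
            "pfs": "pfs" in flags, "compression": "comp-no" not in flags}

def check_policy(fritz, srx):
    """Return mismatches between a Fritz vpncfg block and the SRX VPN/IKE policy.
    Sides are mirrored: Fritz localid/phase2localid are the SRX Remote values."""
    p2 = parse_phase2ss(fritz["phase2ss"])
    want = [
        ("exchange mode", MODE.get(fritz["mode"], fritz["mode"]), srx["exchange_mode"]),
        ("local/remote FQDN", fritz["localid"], srx["remote_id"]),
        ("remote/local FQDN", fritz["remoteid"], srx["local_id"]),
        ("pre-shared key", fritz["key"], srx["psk"]),
        ("encryption", p2["encryption"], srx["encryption"]),
        ("integrity", p2["integrity"], srx["integrity"]),
        ("PFS", p2["pfs"], srx["pfs_group"] is not None),
        ("local/remote subnet", fritz["phase2localid"], srx["remote_subnet"]),
        ("remote/local subnet", fritz["phase2remoteid"], srx["local_subnet"]),
    ]
    problems = [f"{name}: Fritz={a!r} SRX={b!r}" for name, a, b in want if a != b]
    if p2["compression"]:
        problems.append("compression: enabled on the Fritz side, no SRX equivalent")
    return problems

# Constructed sample using the thread's placeholders (site B = Fritz, site A = SRX).
FRITZ = {"mode": "phase1_mode_aggressive", "phase2ss": "esp-3des-sha/ah-no/comp-no/pfs",
         "localid": "SITEBHOSTNAME_EG_DYNDNS", "remoteid": "SITEA_HOSTNAME",
         "key": "PRESHAREDKEY", "phase2localid": "192.168.178.0/24",
         "phase2remoteid": "10.0.0.0/24"}
SRX_OK = {"exchange_mode": "Aggressive", "local_id": "SITEA_HOSTNAME",
          "remote_id": "SITEBHOSTNAME_EG_DYNDNS", "psk": "PRESHAREDKEY",
          "encryption": "3DES", "integrity": "SHA-1", "pfs_group": 2,
          "local_subnet": "10.0.0.0/24", "remote_subnet": "192.168.178.0/24"}
SRX_BAD = dict(SRX_OK, exchange_mode="Main", pfs_group=None)  # two common slips
```

check_policy(FRITZ, SRX_OK) returns an empty list, while check_policy(FRITZ, SRX_BAD) reports the exchange-mode and PFS mismatches that would otherwise only surface in the SRX logs.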
chrbus
Aspirant

Re: Netgear SRX5308 Site to Side VPN with Fritzbox 7490

A few adjustments were necessary, but it worked.
Your guide was very helpful.

I am so happy!
I will now do a few tests and refine the configuration and post my results.
@externaluse

Thank you very much!!

Message 3 of 3