Description:

This document uses an example to describe how to set up an IKEv1 VPN connection between a LANCOM router and a FRITZ!Box so that the two local networks are coupled over a site-to-site tunnel.

In 2019 the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure, so it should no longer be used. LANCOM Systems recommends the current standard IKEv2 instead.

The IKEv1 functionality in LANCOM devices remains intact and can still be used in scenarios with devices that do not support IKEv2. However, LANCOM Systems does not provide support for troubleshooting connection problems with IKEv1 connections, and there will be no bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes in the IKE and IPSec proposals on the LANCOM router (steps 1.4 and 1.8), so that rekeying, and with it the disconnects, occurs less often.


Requirements:


Scenario:

  • The LANCOM router has the public IP address 82.82.82.82 and the local network address range 192.168.7.0/24.
  • The FRITZ!Box at the remote site has the public IP address 81.81.81.81. The local area network has the address range 192.168.192.0/24.
  • The two local networks are to be coupled over an IKEv1 VPN connection in main mode so that every device in each local network can reach every device in the other.

(Diagram: scenario overview with the LANCOM router, the VPN tunnel over the Internet and the FRITZ!Box)


Procedure:

1) Configuring the VPN connection on the LANCOM router:

1.1) Open the configuration for the LANCOM router in LANconfig and switch to the menu item VPN → General.

1.2) Enable the function Virtual Private Network.

1.3) Switch to the menu VPN → IKE/IPSec → IKE proposals.

1.4) Create a new IKE proposal with the following values:

  • Identification: Enter a unique name for the new proposal.
  • Encryption: Select AES-CBC.
  • Key length: The value 256 bit must be entered here.
  • Hash: The hash algorithm is set to SHA1.
  • Authentication: Set preshared key here.
  • Lifetime: Enter a lifetime of 3600 seconds and 0 kBytes.

1.5) Switch to the menu VPN → IKE/IPSec → IKE proposal lists.

1.6) Create a new IKE proposal list with the following values:

  • Identification: Enter a unique name for the new list.
  • Proposal: Select the IKE proposal created in step 1.4.

1.7) Switch to the menu VPN → IKE/IPSec → IPSec proposals.

1.8) Create a new IPSec proposal with the following values:

  • Identification: Enter a unique name for the new proposal.
  • Mode: Select Tunnel.
  • Encryption: Select AES-CBC.
  • Key length: The value 256 bit must be entered here.
  • Authentication: Set HMAC-SHA1 here.
  • Authentication (AH-proposal): Set No AH here.
  • Compression: Set this to No IPCOMP.
  • Lifetime: Enter a lifetime of 7,200 seconds and 2,000,000 kBytes.

Transport mode was removed in LCOS 10.40, so as of this version tunnel mode is always used.

1.9) Switch to the menu VPN → IKE/IPSec → IPSec proposal lists.

1.10) Create a new IPSec proposal list with the following values:

  • Identification: Enter a unique name for the new list.
  • Proposal: Select the IPSec proposal created in step 1.8.

1.11) Switch to the menu VPN → IKE/IPSec → IKE keys and identities.

1.12) Add a new entry with the following values:

  • Identification: Enter a unique name for the new entry.
  • Pre-shared key: Set a long, random preshared key. It is the only secret protecting this connection, and it is later entered in plaintext into the FRITZ!Box configuration file (step 2.1), so generate it with a password manager or a random generator rather than choosing a word.
  • Local identity type: Set this field to No identity.
  • Local identity: This field stays empty.
  • Remote identity type: Set this field to No identity.
  • Remote identity: This field stays empty.

1.13) Switch to the menu VPN → IKE/IPSec → Connection parameters.

1.14) Add a new entry with the following values:

  • Identification: Enter a unique name for the new entry.
  • PFS group: Set this to group 14.
  • IKE group: Set this to group 14.
  • IKE proposals: This is set to the IKE proposal list created in step 1.6.
  • IKE key: This is set to the entry created in step 1.12.
  • IPSec proposals: This is set to the IPSec proposal list created in step 1.10.

1.15) Switch to the menu VPN → IKE/IPSec → Connection list.

1.16) Add a new entry with the following values:

  • Connection name: Enter a unique name for the new entry.
  • Short hold time: Set this to 0. The LANCOM router then does not actively establish the VPN connection but accepts the connection request from the FRITZ!Box, which acts as the initiator (see always_renew in step 2.1).
  • Dead Peer Detection: Set this to 60 seconds.
  • Gateway: Enter the public IP address or the public DNS name of the FRITZ!Box (81.81.81.81 in this example).
  • Connection parameters: Select the profile created in step 1.14.
  • Dynamic VPN: This example uses No dynamic VPN.
  • IKE exchange mode: This must be set to Main mode.
  • Rule creation: Set this option to Manual; the firewall rule that creates the SA is added in step 1.18.

1.17) Navigate to the menu Firewall/QoS → IPv4 rules → Rules.

1.18) Create a new firewall rule with the following parameters:

  • On the General tab, set a name for the rule and specify that This rule is used to create VPN network relationships (SAs).
  • Go to the Actions tab and set the action to ACCEPT.
  • On the Stations tab, set the upper box to the object LOCALNET. In the lower box, select the VPN remote site created in step 1.16.
  • On the Services tab, the default settings are left unchanged.

1.19) Navigate to the menu IP router → Routing → IPv4 routing table.

1.20) Create a route that points to the local network at the remote site.

  • In this example, this is the network with the IP address range 192.168.192.0/24.
  • Set the router as the VPN remote site created in step 1.16.

1.21) Close the dialog using the OK button and write the configuration back to the LANCOM router.



2) Configuring the VPN connection on the FRITZ!Box:

2.1) Download the configuration file attached below and adjust the following items in a text editor:

fritzbox_DH14AES256-20171128.cfg

  • name: Enter a name for the VPN connection.
  • always_renew: Enter yes here, so that the FRITZ!Box acts as the initiator, keeps the tunnel established and re-establishes it automatically after a disconnect (the LANCOM router waits passively, see step 1.16).
  • remoteip: Enter the public IP address of the LANCOM router. In this example, this is the IP address 82.82.82.82.
  • mode: A main-mode connection is established in this example, so enter the value phase1_mode_idp (idp stands for identity protection, the FRITZ!Box name for main mode).
  • phase1ss: Enter the parameter dh14/aes/sha. This corresponds to the LANCOM settings from steps 1.4 and 1.14: DH group 14, AES-CBC and SHA1.
  • keytype: The value connkeytype_pre_shared is required here. It specifies that a preshared key is used.
  • key: Enter the preshared key that you set in step 1.12. It is stored in plaintext in this file.
  • phase2localid: Enter the address range of the local network at the FRITZ!Box and the corresponding net mask. In this example, the address range is 192.168.192.0 and the net mask is 255.255.255.0.
  • phase2remoteid: Enter the address range of the local network at the LANCOM router and the corresponding net mask. In this example, the address range is 192.168.7.0 and the net mask is 255.255.255.0.
  • phase2ss: Enter the parameters esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs. The FRITZ!Box thereby offers ESP with AES-256 or 3DES and HMAC-SHA1, no AH, no compression, and PFS. Because the LANCOM IPSec proposal list from step 1.10 contains only AES-256-CBC with HMAC-SHA1, that combination is negotiated.
  • accesslist: Since all devices of the network at the remote site are to be reachable, set this parameter to permit ip any 192.168.7.0 255.255.255.0.
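
Assembled from the values listed above, the adjusted FRITZ!Box file looks roughly as follows. This is an added illustration, not the attached file and not AVM's or LANCOM's own text: the keys the list does not mention (enabled, conn_type, localid/remoteid, use_nat_t, ike_forward_rules and so on) are taken from the generic structure of AVM's LAN-to-LAN vpncfg templates and are assumptions, the connection name is a placeholder, and the key value must be replaced by the real preshared key from step 1.12.

```conf
/* Added example of a FRITZ!Box vpncfg file for the LANCOM scenario above.
 * Values from the list: remoteip, mode, phase1ss, keytype, key, phase2localid,
 * phase2remoteid, phase2ss, accesslist. Everything else is assumed from the
 * generic AVM LAN-to-LAN template structure. */
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;             /* assumed: LAN-to-LAN coupling */
                name = "LANCOM-Site";                 /* placeholder name */
                always_renew = yes;                   /* FRITZ!Box initiates and re-establishes the tunnel */
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 82.82.82.82;               /* public IP of the LANCOM router */
                remote_virtualip = 0.0.0.0;
                localid {
                        ipaddr = 81.81.81.81;         /* assumed: own public IP as IKE identity */
                }
                remoteid {
                        ipaddr = 82.82.82.82;
                }
                mode = phase1_mode_idp;               /* identity protection = IKEv1 main mode */
                phase1ss = "dh14/aes/sha";            /* DH group 14, AES, SHA1, as in steps 1.4 and 1.14 */
                keytype = connkeytype_pre_shared;
                key = "REPLACE-WITH-PSK-FROM-STEP-1.12";   /* plaintext in this file */
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.192.0;   /* FRITZ!Box LAN */
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.7.0;     /* LANCOM LAN */
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.7.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
```

Because the preshared key sits in this file in plaintext, keep the file out of shared folders and mail, and delete it after the import in step 2.5 has succeeded.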

2.2) Open the configuration interface for the FRITZ!Box and navigate to the menu item Internet → VPN.

2.3) Add a new VPN connection.

2.4) Select the option Import a VPN configuration from an existing VPN setup file. Click on Next.

2.5) Upload the newly created configuration file to the FRITZ!Box.

2.6) After the upload, the FRITZ!Box establishes the VPN connection to the LANCOM router. The state of the connection is shown in the Internet → VPN overview of the FRITZ!Box.