Getting Fritz!Box LAN-LAN VPN to work for @xs4all connections despite lack of @AVM_DE support
Posted by jpluimers on 2016/01/22
This is a follow-up to my post Fritz!Box VPN error messages.
I had not been able to get a LAN-LAN connection between two xs4all Fritz!Box internet connections working, despite following the description in [WayBack] Adapting a VPN connection from FRITZ!Box to FRITZ!Box (LAN-LAN) | AVM International.
I kept getting the 0x1C error and eventually contacted customer support. At first they pointed me back to the documentation, so I replied with PDF exports for both Fritz!Box devices containing detailed information about:
- both their internet connectivity
- both their internal network settings
- both their error logs
- both their VPN configuration (including LAN-LAN and personal entries)
I got a reply back that – paraphrased – went like “We cannot provide network-administration-support, but VPN support of Fritz!Box in general works fine, so please read these pages”:
- [WayBack] http://en.avm.de/nc/service/fritzbox/fritzbox-7360/knowledge-base/publication/show/687_Cannot-establish-a-VPN-connection-between-two-FRITZ-Box-networks/
- [WayBack] http://en.avm.de/nc/service/fritzbox/fritzbox-7360/knowledge-base/publication/show/126_Configuring-a-firewall-for-FRITZ-VPN/
Given that they knew both connections were xs4all (which out of the box does not firewall anything), that the PDFs showed no firewall configuration, and that support never asked whether the individual VPN connections worked (they do), simply blaming me or a firewall is blatant, especially since they did not explain what the error codes meant.
Besides, I had already read those pages and tried all the suggested solutions (more than a day's work, as there are many suggested steps, Fritz!Box devices tend to reboot on many types of configuration change, and their DSL training is slow at best).
After the email, I went back to the drawing board based on this one Twitter conversation, which was partially useful (but did not list more error codes and also pointed me to their email helpdesk, which failed miserably).
The IKE error 0x1C can mean that the remote IP does not match the expected IP.
So I tried this:
- ditch all the DNS names
- replace them with hard coded IPv4 addresses
Note that each time you change any of the LAN-LAN settings on a Fritz!Box, it will reboot, which means that:
- if you had a personal VPN connection you will lose it for a few minutes
- any web session you had to it will be invalidated (as a reboot flushes the active sessions)
Boom! It works!
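To make the hard-coding step checkable instead of a blind edit, here is an added Python example (mine, written for this post; not the author's code and not an AVM tool). It parses an exported Fritz!Box VPN configuration, looks every remotehostname up in a DNS table, warns when a name also carries an AAAA record or when the remoteid address disagrees with the A record, and rewrites the remotehostname to the IPv4 literal. The configuration excerpt and the DNS answers are constructed: the xs4all A record is the one from the dig output further down, dualstack.example.net is invented to trigger the warnings, and the field names (remotehostname, remoteid { ipaddr = …; }) follow AVM's box-to-box template (box_box-en.pdf) as I recall it, so verify them against your own export.

```python
# Pin a Fritz!Box LAN-LAN peer to its IPv4 address and sanity-check the entry.
# Added example for this post; not the author's code and not an AVM tool. Field
# names follow AVM's box-to-box template (box_box-en.pdf) as I recall it: verify
# them against your own exported .cfg before relying on this.
import ipaddress
import re
from typing import Dict, List, Optional

Conn = Dict[str, Optional[str]]
Zone = Dict[str, Dict[str, List[str]]]

# Constructed DNS answers: the xs4all A record is the one from the post's dig
# output; dualstack.example.net is invented to exercise the warnings.
DNS: Zone = {
    "snip.xs4all.nl": {"A": ["80.100.143.119"], "AAAA": []},
    "dualstack.example.net": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}

# Constructed excerpt of an exported vpncfg with two LAN-LAN entries; keys that
# play no part in the check are left out.
SAMPLE_CFG = """\
vpncfg {
        connections {
                name = "snip";
                remotehostname = "snip.xs4all.nl";
                localid {
                        ipaddr = 83.163.69.172;
                }
                remoteid {
                        ipaddr = 80.100.143.119;
                }
        }
        connections {
                name = "dual";
                remotehostname = "dualstack.example.net";
                remoteid {
                        ipaddr = 203.0.113.9;
                }
        }
}
"""

_OPEN = re.compile(r"^(\w+)\s*\{$")
_KV = re.compile(r'^(\w+)\s*=\s*"?([^";]*)"?;$')
_REMOTEHOST = re.compile(r'^([ \t]*)remotehostname = "([^"]+)";$', re.M)


def parse_connections(cfg: str) -> List[Conn]:
    """Walk the brace-nested export; return name/remotehostname/remoteid per entry."""
    conns: List[Conn] = []
    stack: List[str] = []                       # names of the enclosing blocks
    current: Optional[Conn] = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1) == "connections":
                current = {"name": None, "remotehostname": None, "remoteid_ipaddr": None}
            continue
        if line == "}":
            if stack.pop() == "connections" and current is not None:
                conns.append(current)
                current = None
            continue
        m = _KV.match(line)
        if m and current is not None:
            key, value = m.groups()
            if stack[-1] == "connections" and key in ("name", "remotehostname"):
                current[key] = value
            elif stack[-1] == "remoteid" and key == "ipaddr":
                current["remoteid_ipaddr"] = value
    return conns


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def check_connection(conn: Conn, dns: Zone) -> List[str]:
    """Report what could make the peer's address differ from what the entry expects."""
    findings: List[str] = []
    name, host = conn["name"], conn["remotehostname"]
    if host is None:
        return findings
    if _is_ip(host):
        peers = [host]                          # already pinned, nothing to resolve
    else:
        rr = dns.get(host)
        if rr is None:
            return [f"{name}: {host} does not resolve"]
        if rr["AAAA"]:
            findings.append(f"{name}: {host} also has AAAA {rr['AAAA']}; on a dual-stack "
                            "line the peer may be reached over IPv6 while this entry is IPv4")
        peers = rr["A"]
    rid = conn["remoteid_ipaddr"]
    if rid is not None and rid not in peers:
        findings.append(f"{name}: remoteid ipaddr {rid} is not the peer address {peers}")
    return findings


def pin_remote_ipv4(cfg: str, dns: Zone) -> str:
    """Replace each remotehostname DNS name by its single A record (the post's fix).
    Names that do not resolve or that have several A records are left untouched."""
    def repl(m):
        rr = dns.get(m.group(2))
        if rr is None or len(rr["A"]) != 1:
            return m.group(0)
        return f'{m.group(1)}remotehostname = "{rr["A"][0]}";'
    return _REMOTEHOST.sub(repl, cfg)
```

The script deliberately never queries DNS itself; fill the table from `dig A` and `dig AAAA` answers for each peer name, run `check_connection` over `parse_connections(cfg)` first, and only then import the output of `pin_remote_ipv4` into the box. Pinning is idempotent, so re-running it on an already pinned export changes nothing.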
Why might it have failed?
It now works despite the fact that both xs4all internet connections have valid DNS names resolving to IPv4 addresses, with correct reverse DNS from those IPv4 addresses back to the names:
xs8:~> dig +noall +answer mwgp.xs4all.nl snip.xs4all.nl ANY
mwgp.xs4all.nl. 45947 IN A 83.163.69.172
snip.xs4all.nl. 86400 IN A 80.100.143.119
xs8:~> dig +noall +answer 172.69.163.83.in-addr.arpa ANY
172.69.163.83.in-addr.arpa. 86400 IN PTR mwgp.xs4all.nl.
xs8:~> dig +noall +answer 119.143.100.80.in-addr.arpa ANY
119.143.100.80.in-addr.arpa. 86173 IN PTR snip.xs4all.nl.
Since xs4all provides both IPv4 and IPv6 connectivity, I have a strong feeling that this is causing the failure.
These are abstracts of the configurations:
snip.xs4all.nl: fiber with a Fritz!Box 7490
- Internet, IPv4 connected …, XS4ALL FTTH,
- IP address: 80.100.143.119
- Internet, IPv6 connected …, XS4ALL FTTH,
- IPv6 address: 2001:982:2345::1, …,
- IPv6 prefix: 2001:982:2345::/48, …
- DNS servers used
- 194.109.6.66, 194.109.9.99
- 2001:888:0:6::66, 2001:888:0:9::99
mwgp.xs4all.nl: ADSL with a Fritz!Box 7360
- Internet, IPv4 connected …, XS4ALL,
- IP address: 83.163.69.172
- Internet, IPv6 connected …, XS4ALL,
- IPv6 address: 2001:983:6764::1, …,
- IPv6 prefix: 2001:983:6764::/48, …
- DNS servers used
- 194.109.6.66, 194.109.9.99
- 2001:888:0:6::66
What I think happens is that while setting up an IKE connection, unless you specify hard-coded IPv4 addresses, some of the IPv6 bits are passed along. This makes the Fritz!Box devices on both sides look for the wrong entry in their VPN table, causing them to log IKE-error 0x1C. Too bad they neither explain the 0x1C nor provide details about what information mismatched.
You need to change the information in both places, and while the modems reboot or reset their connections, I got these log messages (in reverse order; that's how the Fritz!Box log works):
Fritz!Box 7360:
- VPN connection to 80.100.143.119 was established successfully.
- VPN error: 80.100.143.119, IKE-Error 0x2027
- VPN error: 80.100.143.119, IKE-Error 0x1c
- VPN error: snip.xs4all.nl, IKE-Error 0x1c
Fritz!Box 7490:
- VPN connection to 83.163.69.172 was established successfully.
- VPN connection to 83.163.69.172 has been cleared. Cause: 3 IKE server
- VPN connection to 83.163.69.172 was established successfully.
- VPN error: mwgp.xs4all.nl, IKE-Error 0x1c
I suggested to AVM that in the near future, they:
- stress in their documentation that if a 0x1C failure occurs, the customer should try hard-coding the IPv4 addresses
- log more information upon IKE errors
- look deeper in these issues as xs4all is an important partner of them
- explain in their documentation the meaning of the error codes
That was nine months ago. I really wonder what happened since then.
–jeroen
PS:
- [Archive.is] http://en.avm.de/fileadmin/user_upload/EN/Service/VPN/box_box-en.pdf
- A list of the security strategies permitted for IKE phase 1 [Archive.is] http://en.avm.de/fileadmin/user_upload/EN/Service/VPN/ike_1-en.pdf
- A list of the security strategies permitted for IKE phase 2 or the IPSec phase [Archive.is] http://en.avm.de/fileadmin/user_upload/EN/Service/VPN/ike_2-en.pdf
Pingback: Fritz!Box 7360 and 7490: static routes over VPN don't work « The Wiert Corner – irregular stream of stuff
[…] case is that I’ve a VPN (see Getting Fritz!Box LAN-LAN VPN to work) between a Fritz!Box 7360 (having internal IP 192.168.24.1) and a Fritz!Box 7490 (having internal […]