CryptoStatistical
commented
11 months ago First of all, I would like to thank you very much for your tutorials, as they have been of great help in setting up the configuration. What I needed was the 'RoadWarrior' mode, where the FritzBox router is behind NAT and, therefore, doesn't have a public IP. What I needed (in short) was to assign a single IP to the VPN server and providing a public IP to the fb. However I couldn't establish a connection with StrongSwan from the FB3272 (old model) since it only supported 3DES for the ESP protocol, which I got from your configuration and this saved me a HUGE amount of time.
What I wanted to point out are two things: firstly, it's incorrect to assign an internal IP to the server within the FritzBox's subnet. In your case, the wrong IP it's 192.168.178.3 (although there is a typo in the configuration that says 192.178.168.3). The IP to be assigned to the VPN server (left) should NOT be part of the same subnet as the FritzBox, as the FritzBox doesn't allow traffic between devices not present in the list of connected devices. The IP should be something like 192.168.179.3, belonging to an external subnet, in order to allow access to the entire 192.168.178.0/24 network. Otherwise, the IP will only be able to see the router's IP but not the subnet behind it.
Additionally, there is a rekeying problem, so sometimes when rekeying occurs, the device would freeze. I resolved this by extending the keylife times and adding rekeymargin=2m and rekeyfuzz=100% as parameters.
Giorgio
Fritz-Box VPN with strongswan and DS-Lite - itooktheredpill
https://itooktheredpill.irgendwo.org/2021/fritz-box-vpn/