[strongSwan] Fwd: Re: FritzBox to Strongswan

Mirko Parthey mirko.parthey at web.de
Fri Nov 25 14:09:22 CET 2016


On Fri, Nov 25, 2016 at 10:34:20AM +0100, post at daniel-pomrehn.de wrote:
> I did some further google research and changed some settings. Now I get
> another error:
> sending packet: from 127.0.1.1[500] to 77.13.29.160[500] (1188 bytes)
>   sending packet: from 127.0.1.1[500] to 77.13.29.160[500]
>   error writing to socket: Invalid argument

I cannot answer this, maybe someone else can help.

> Nov 25 10:30:59 srv charon: 09[IKE] initiating IKE_SA fritz2swan[1] to 77.13.29.160

strongSwan is the initiator here, and your config is set to Main Mode
(the default).

With strongSwan as the initiator and FritzBox as the responder, only
aggressive mode will work reliably. This mode is insecure because it exposes
the PSK to dictionary attacks. Maybe you could make strongSwan responder-only
and stay with main mode?  Remove right=dyn.fritzbox to go this route.
Otherwise, if you want to use aggressive mode despite the risks, at least use a
long and randomly generated PSK.

> conn fritz2swan
>         ike=aes128-sha-modp1024
>
> It is a fritzbox 7490 with the latest Firmware 6.60

modp1024 does not provide enough security; modp2048 or more would be better.

The FritzBox 7490 can be configured for modp2048 as follows:
phase1ss = "dh14/aes/sha";

>         ikelifetime=4h
>         keylife=1h

The FritzBox uses a lifetime of 1h for IKE and IPsec SAs.
IKEv1 does not negotiate SA lifetimes, so I would recommend setting
both to 1h in strongSwan too.

Regards
Mirko
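The two routes Mirko describes (strongSwan responder-only in main mode, or aggressive mode with a long random PSK), with the DH group and lifetimes corrected, as an added ipsec.conf example. This is not Mirko's configuration and not strongSwan or AVM reference material; the identities `@srv.example` and `@dyn.fritzbox.example`, the two LAN subnets, and the `esp=` line (which has to match whatever `phase2ss` the FritzBox is set to) are assumptions, and the `right=dyn.fritzbox` hostname is the one from the original post:

```ini
# /etc/ipsec.conf  (added example; hostnames, IDs and subnets are assumed)
#
# Route A: strongSwan only responds, so IKEv1 main mode can be kept.
# No right= line: the FritzBox has a dynamic address and is the initiator.
conn fritz2swan
        keyexchange=ikev1
        left=%defaultroute
        leftid=@srv.example                 # assumed: ID strongSwan presents
        leftsubnet=192.168.1.0/24           # assumed: LAN behind strongSwan
        right=%any                          # instead of right=dyn.fritzbox
        rightid=@dyn.fritzbox.example       # assumed: FQDN the FritzBox sends as its ID
        rightsubnet=192.168.178.0/24        # assumed: FritzBox LAN
        authby=secret
        # was: ike=aes128-sha-modp1024 (1024-bit DH, too weak)
        # matches phase1ss = "dh14/aes/sha"; on the FritzBox 7490
        ike=aes128-sha1-modp2048
        # assumed: pick the group/ciphers that match the FritzBox phase2ss
        esp=aes128-sha1-modp2048
        # was: ikelifetime=4h / keylife=1h; FritzBox uses 1h for both and
        # IKEv1 does not negotiate lifetimes, so mirror its values
        ikelifetime=1h
        keylife=1h
        auto=add                            # load the conn, never initiate

# Route B: strongSwan initiates to the FritzBox. Only aggressive mode works
# reliably here, which exposes the PSK hash to offline dictionary attacks,
# so it is only acceptable with a long, randomly generated PSK.
conn fritz2swan-initiator
        keyexchange=ikev1
        aggressive=yes                      # the insecure part of this route
        left=%defaultroute
        leftid=@srv.example                 # assumed
        leftsubnet=192.168.1.0/24           # assumed
        right=dyn.fritzbox                  # hostname from the original post
        rightid=@dyn.fritzbox.example       # assumed
        rightsubnet=192.168.178.0/24        # assumed
        authby=secret
        ike=aes128-sha1-modp2048
        esp=aes128-sha1-modp2048            # assumed, see above
        ikelifetime=1h
        keylife=1h
        auto=start

# /etc/ipsec.secrets  (added example)
# Generate the PSK rather than typing one, e.g.:  openssl rand -base64 48
# and put the same value into the FritzBox connection's key = "..." entry.
# @srv.example @dyn.fritzbox.example : PSK "<output of openssl rand -base64 48>"
```

With route A, `ipsec statusall` should show the conn loaded but no SA until the FritzBox dials in; with route B, a dictionary attack on a captured aggressive-mode exchange is only as hard as the PSK, so 48 random bytes from `openssl rand` is the minimum that makes the warning above moot in practice.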

