IPSec-Site-to-Site-Tunnel with Teltonika RUTC50 and FRITZ!Box 7590

Hello community,
I would like to create an IPSec tunnel (site-to-site) with a Teltonika RUTC50 and a FRITZ!Box 7590.
Local IP mask behind the RUTC50: 10.0.2.0/24
Local IP mask behind the Fritzbox: 10.0.2.0/24

Settings of the RUTC50:
Remote endpoint: xxxxx(.)myfritz(.)net
Authentication method: Pre-shared key
Pre shared key: xxxxxxx
Mode: Start
Type: Tunnel
Local subnet: 10.0.2.0/24
Remote subnet: 10.0.1.0/24
Key exchange: IKEv1
Aggressive: on
Local firewall: on
Dead peer detection: on
DPD action: Restart
Phase 1:
Encryption: AES 256
Authentication: SHA1
DH group: MODP1024
IKE lifetime: 8h
Phase 2:
Encryption: AES 256
Hash: SHA1
PFS group: MODP1024
Lifetime: 8h
All other settings are empty or off.

Settings of the Fritzbox:
VPN password (Preshared Key): xxxxxxx (the same as the pre shared key of the RUTC50)
Name of the VPN connection: Wohnwagen Bruno
Internet address of the remote site: xxxxx(.)dynv6(.)net
Internet address of this FRITZ!Box: xxxxx(.)myfritz(.)net
Remote Network: 10.0.2.0
Subnetmask: 255.255.255.0
Keep VPN-connection permanent: on
All other settings are empty or off.

Logfile from RUTC50:
Tue Sep 17 13:27:35 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|1> initiating Aggressive Mode IKE_SA HentHome-HentHome_c[1] to 79.255.41.236
Tue Sep 17 13:27:35 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|1> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Tue Sep 17 13:27:35 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 13:27:39 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> sending retransmit 1 of request message ID 0, seq 1
Tue Sep 17 13:27:39 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 13:27:46 2024 daemon.info ipsec: 13[IKE] <HentHome-HentHome_c|1> sending retransmit 2 of request message ID 0, seq 1
Tue Sep 17 13:27:46 2024 daemon.info ipsec: 13[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 13:27:59 2024 daemon.info ipsec: 15[IKE] <HentHome-HentHome_c|1> sending retransmit 3 of request message ID 0, seq 1
Tue Sep 17 13:27:59 2024 daemon.info ipsec: 15[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 13:28:15 2024 daemon.info ipsec: 00[IKE] <HentHome-HentHome_c|1> destroying IKE_SA in state CONNECTING without notification

Tue Sep 17 14:22:49 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|1> initiating Aggressive Mode IKE_SA HentHome-HentHome_c[1] to 79.255.41.236
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|1> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (56 bytes)
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|1> parsed INFORMATIONAL_V1 request 2857047406 [ N(INVAL_ID) ]
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> received INVALID_ID_INFORMATION error notify
Tue Sep 17 14:23:19 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|9> initiating Aggressive Mode IKE_SA HentHome-HentHome_c[9] to 79.255.41.236
Tue Sep 17 14:23:19 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|9> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Tue Sep 17 14:23:19 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|9> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 14:23:23 2024 daemon.info ipsec: 15[IKE] <HentHome-HentHome_c|9> sending retransmit 1 of request message ID 0, seq 1
Tue Sep 17 14:23:23 2024 daemon.info ipsec: 15[NET] <HentHome-HentHome_c|9> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 14:23:30 2024 daemon.info ipsec: 05[IKE] <HentHome-HentHome_c|9> sending retransmit 2 of request message ID 0, seq 1
Tue Sep 17 14:23:30 2024 daemon.info ipsec: 05[NET] <HentHome-HentHome_c|9> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 14:23:43 2024 daemon.info ipsec: 13[IKE] <HentHome-HentHome_c|9> sending retransmit 3 of request message ID 0, seq 1
Tue Sep 17 14:23:43 2024 daemon.info ipsec: 13[NET] <HentHome-HentHome_c|9> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (420 bytes)
Tue Sep 17 14:23:45 2024 daemon.info ipsec: 00[IKE] <HentHome-HentHome_c|9> destroying IKE_SA in state CONNECTING without notification

Logfile from Fritzbox:
17.09.24 13:28:17 VPN-Fehler: Wohnwagen Bruno, IKE-Error 0x203f [3 Meldungen seit 17.09.24 13:27:45]

17.09.24 14:23:45 VPN-Fehler: Wohnwagen Bruno, IKE-Error 0x203f [11 Meldungen seit 17.09.24 14:22:55]
17.09.24 14:22:52 VPN-Fehler: Wohnwagen Bruno, IKE-Error 0x1c

Can you tell me why the tunnel can’t be built?
Thank you very much.

Hello,

The description of the settings at the Fritzbox’s side seems incomplete, and at the RUTC50’s side:

  • never use aggressive mode,
  • parameters for IKEv1 and IKEv2 seem to be mixed, prefer IKEv2

Can you increase the log level of the Fritzbox?
Regards,

Config-File from Fritzbox:
ipsecbridge {
enabled = no;
netinterface = "";
vpnconnectionname = "Wohnwagen Bruno";
prefix = 0.0.0.0;
netmask = 0.0.0.0;
dns1 = 0.0.0.0;
dns2 = 0.0.0.0;
}
vpncfg {
vpncfg_version = 3;
global {
wg_listen_port = 0;

connections {
enabled = no;
editable = yes;
use_ikev2 = no;
conn_type = conntype_lan;
name = "Wohnwagen Bruno";
boxuser_id = 0;
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = no;
localip = ::;
remoteip = ::;
local_virtualip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "xxxxx(.)dynv6(.)net";
keepalive_ip = 10.0.2.1;
localid {
fqdn = "$$$$XXXXXXXXXXXXXXXXXX";
}
remoteid {
fqdn = "$$$$YYYYYYYYYYYYYYYYYY";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "$$$$xxxxxxx";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 10.0.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.0.2.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 10.0.2.0 255.255.255.0";
app_id = 0;
wg_persistent_keepalive = 0;
wg_slave_network = 0.0.0.0;
wg_slave_mask = 0.0.0.0;
wg_hide_network = no;
wg_fulltunnel = no;
wg_configured = no;

After changing Key exchange to IKEv2 and Aggressive to off, the new logfile from the RUTC50:

Tue Sep 17 17:03:28 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|1> initiating IKE_SA HentHome-HentHome_c[1] to 79.255.41.236
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (948 bytes)
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (38 bytes)
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|1> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> peer didn’t accept DH group MODP_1024, it requested MODP_2048
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> initiating IKE_SA HentHome-HentHome_c[1] to 79.255.41.236
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (1076 bytes)
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (432 bytes)
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[ENC] <HentHome-HentHome_c|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[CFG] <HentHome-HentHome_c|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[CFG] <HentHome-HentHome_c|1> no IDi configured, fall back on IP address
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[IKE] <HentHome-HentHome_c|1> authentication of ‘46.114.119.128’ (myself) with pre-shared key
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[IKE] <HentHome-HentHome_c|1> establishing CHILD_SA HentHome-HentHome_c{1}
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[ENC] <HentHome-HentHome_c|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[4500] to 79.255.41.236[4500] (528 bytes)
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 13[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[4500] to 46.114.119.128[4500] (96 bytes)
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 13[ENC] <HentHome-HentHome_c|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 13[IKE] <HentHome-HentHome_c|1> received AUTHENTICATION_FAILED notify error
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 10[IKE] <HentHome-HentHome_c|4> initiating IKE_SA HentHome-HentHome_c[4] to 79.255.41.236
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 10[ENC] <HentHome-HentHome_c|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 10[NET] <HentHome-HentHome_c|4> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (948 bytes)
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|4> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (38 bytes)
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|4> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|4> peer didn’t accept DH group MODP_1024, it requested MODP_2048
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|4> initiating IKE_SA HentHome-HentHome_c[4] to 79.255.41.236
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 17:03:58 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|4> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (1076 bytes)
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[NET] <HentHome-HentHome_c|4> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (432 bytes)
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[ENC] <HentHome-HentHome_c|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[CFG] <HentHome-HentHome_c|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[CFG] <HentHome-HentHome_c|4> no IDi configured, fall back on IP address
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[IKE] <HentHome-HentHome_c|4> authentication of ‘46.114.119.128’ (myself) with pre-shared key
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[IKE] <HentHome-HentHome_c|4> establishing CHILD_SA HentHome-HentHome_c{2}
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[ENC] <HentHome-HentHome_c|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 12[NET] <HentHome-HentHome_c|4> sending packet: from 46.114.119.128[4500] to 79.255.41.236[4500] (528 bytes)
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 13[NET] <HentHome-HentHome_c|4> received packet: from 79.255.41.236[4500] to 46.114.119.128[4500] (96 bytes)
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 13[ENC] <HentHome-HentHome_c|4> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Tue Sep 17 17:03:59 2024 daemon.info ipsec: 13[IKE] <HentHome-HentHome_c|4> received AUTHENTICATION_FAILED notify error

Thanks for your help


Apparently both ends disagree on a common ID, the IKE_AUTH step fails.
It would be interesting to have detailed logs of the other end.
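
The three failure patterns seen in the RUTC50 logs of this thread can be told apart mechanically. The following triage script is an added example, not code from the thread or from Teltonika or strongSwan; the connection name `tun`, the addresses and the verdict names are assumptions made for the illustration.

```python
import re

# Shape of the charon lines in the RUTC50 log: "... ipsec: 07[IKE] <conn|1> message"
LINE = re.compile(r"ipsec: \d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)")
DH = re.compile(r"peer didn.t accept DH group (\S+), it requested (\S+)")

# Constructed sample: message texts as in the thread, connection name and
# addresses (documentation ranges) are made up.
SAMPLE = """\
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 07[NET] <tun|1> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (420 bytes)
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 11[NET] <tun|1> received packet: from 198.51.100.20[500] to 192.0.2.10[500] (56 bytes)
Tue Sep 17 14:22:49 2024 daemon.info ipsec: 11[IKE] <tun|1> received INVALID_ID_INFORMATION error notify
Tue Sep 17 14:23:19 2024 daemon.info ipsec: 11[NET] <tun|9> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (420 bytes)
Tue Sep 17 14:23:23 2024 daemon.info ipsec: 15[IKE] <tun|9> sending retransmit 1 of request message ID 0, seq 1
Tue Sep 17 14:23:45 2024 daemon.info ipsec: 00[IKE] <tun|9> destroying IKE_SA in state CONNECTING without notification
Tue Sep 17 17:03:28 2024 daemon.info ipsec: 11[IKE] <tun|12> peer didn't accept DH group MODP_1024, it requested MODP_2048
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 12[CFG] <tun|12> no IDi configured, fall back on IP address
Tue Sep 17 17:03:29 2024 daemon.info ipsec: 13[IKE] <tun|12> received AUTHENTICATION_FAILED notify error
"""

def triage(log_text):
    """Group log lines by IKE_SA number and name the step each attempt stopped at."""
    attempts = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-connection charon line
        a = attempts.setdefault(m["sa"], {"sa": m["sa"], "replies": 0,
                                          "retransmits": 0, "notes": [],
                                          "verdict": "unknown"})
        msg = m["msg"]
        if msg.startswith("received packet"):
            a["replies"] += 1
        elif msg.startswith("sending retransmit"):
            a["retransmits"] += 1
        elif (dh := DH.search(msg)):
            # Not fatal on its own: the initiator retries with the requested group.
            a["notes"].append(f"DH group {dh[1]} rejected, peer wants {dh[2]}")
        elif "no IDi configured" in msg:
            a["notes"].append("no local identifier set, IP address sent as IDi")
        elif "INVALID_ID_INFORMATION" in msg:
            a["verdict"] = "id_rejected_ikev1"
        elif "AUTHENTICATION_FAILED" in msg:
            a["verdict"] = "auth_failed_ikev2"
        elif "destroying IKE_SA in state CONNECTING" in msg and a["replies"] == 0:
            a["verdict"] = "no_response"  # only retransmits, peer never answered
    return list(attempts.values())

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["sa"], a["verdict"], a["notes"])
```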

Unfortunately, the Fritzbox does not output detailed error logs.

From the FB config:

Can you change that?

From the RUT config:

Set it to MODP2048.

I did it.

The new settings from RUTC50:
Remote endpoint: xxxxx(.)myfritz(.)net
Authentication method: Pre-shared key
Pre shared key: xxxxxxx
Mode: Start
Type: Tunnel
Local subnet: 10.0.2.0/24
Remote subnet: 10.0.1.0/24
Key exchange: IKEv2
Aggressive: off
Local firewall: on
Dead peer detection: on
DPD action: Restart
Phase 1:
Encryption: AES 256
Authentication: SHA1
DH group: MODP2048
IKE lifetime: 8h
Phase 2:
Encryption: AES 256
Hash: SHA1
PFS group: No PFS
Lifetime: 8h
All other settings are empty or off.

Settings of the Fritzbox:
I haven’t changed anything in the settings of the Fritzbox.

Logfile from RUTC50:
Tue Sep 17 19:20:02 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|1> initiating IKE_SA HentHome-HentHome_c[1] to 79.255.41.236
Tue Sep 17 19:20:02 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 19:20:02 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (1076 bytes)
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (432 bytes)
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[CFG] <HentHome-HentHome_c|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[CFG] <HentHome-HentHome_c|1> no IDi configured, fall back on IP address
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> authentication of ‘46.114.119.128’ (myself) with pre-shared key
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[IKE] <HentHome-HentHome_c|1> establishing CHILD_SA HentHome-HentHome_c{1}
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[ENC] <HentHome-HentHome_c|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 11[NET] <HentHome-HentHome_c|1> sending packet: from 46.114.119.128[4500] to 79.255.41.236[4500] (528 bytes)
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 12[NET] <HentHome-HentHome_c|1> received packet: from 79.255.41.236[4500] to 46.114.119.128[4500] (96 bytes)
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 12[ENC] <HentHome-HentHome_c|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Tue Sep 17 19:20:03 2024 daemon.info ipsec: 12[IKE] <HentHome-HentHome_c|1> received AUTHENTICATION_FAILED notify error
Tue Sep 17 19:20:32 2024 daemon.info ipsec: 10[IKE] <HentHome-HentHome_c|4> initiating IKE_SA HentHome-HentHome_c[4] to 79.255.41.236
Tue Sep 17 19:20:32 2024 daemon.info ipsec: 10[ENC] <HentHome-HentHome_c|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Sep 17 19:20:32 2024 daemon.info ipsec: 10[NET] <HentHome-HentHome_c|4> sending packet: from 46.114.119.128[500] to 79.255.41.236[500] (1076 bytes)
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|4> received packet: from 79.255.41.236[500] to 46.114.119.128[500] (432 bytes)
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|4> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[CFG] <HentHome-HentHome_c|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[CFG] <HentHome-HentHome_c|4> no IDi configured, fall back on IP address
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|4> authentication of ‘46.114.119.128’ (myself) with pre-shared key
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[IKE] <HentHome-HentHome_c|4> establishing CHILD_SA HentHome-HentHome_c{2}
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[ENC] <HentHome-HentHome_c|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 07[NET] <HentHome-HentHome_c|4> sending packet: from 46.114.119.128[4500] to 79.255.41.236[4500] (528 bytes)
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 09[NET] <HentHome-HentHome_c|4> received packet: from 79.255.41.236[4500] to 46.114.119.128[4500] (96 bytes)
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 09[ENC] <HentHome-HentHome_c|4> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Tue Sep 17 19:20:33 2024 daemon.info ipsec: 09[IKE] <HentHome-HentHome_c|4> received AUTHENTICATION_FAILED notify error

“Logfile” from Fritzbox:
17.09.24 19:20:48 VPN-Fehler: Wohnwagen Bruno, IKE-Error 0x2026 [3 Meldungen seit 17.09.24 19:20:16] (no proposal chosen)

The remoteid field doesn’t appear to be set on the RUT. Idem for the localid field.
Check that they match the values on the FB.

What do you mean exactly?
What exactly should I change?
Sorry, that topic is not my speciality.

Have you set the two fields ‘Local identifier’ and ‘Remote identifier’? They are just below the ‘Pre-shared key’ one.
Or check the /etc/config/ipsec file; you should have something like:

        option local_identifier 'abcd'
        option remote_identifier 'efgh'

Here is a guide that even people with little networking affinity should be able to manage:

Sicher verbunden mit der Fritzbox per VPN - PC-WELT

The most important thing is that the identifiers match and that the 2 networks being connected here use different IP subnets!
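
The two conditions named in this thread (matching identifiers, different subnets on each side) can be checked before bringing the tunnel up. The script below is an added example, not code from the thread or from either vendor: the FRITZ!Box fragment is constructed with placeholder identifiers, and the dictionary keys `local_subnet` and `remote_subnet` are hypothetical names for the RUT fields "Local subnet" and "Remote subnet".

```python
import ipaddress
import re

# Constructed FRITZ!Box fragment: field names as in the vpncfg posted in the
# thread, identifier values are placeholders.
FB_CFG = """
localid { fqdn = "fritzbox.example.net"; }
remoteid { fqdn = "rut.example.net"; }
phase2localid { ipnet { ipaddr = 10.0.1.0; mask = 255.255.255.0; } }
phase2remoteid { ipnet { ipaddr = 10.0.2.0; mask = 255.255.255.0; } }
"""

def _grab(cfg, pattern):
    m = re.search(pattern, cfg)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.groups()

def fb_fields(cfg):
    """Pull the identity and phase 2 network fields out of a vpncfg text."""
    ipnet = r'\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+);\s*mask\s*=\s*([\d.]+);'
    fqdn = r'\s*\{\s*fqdn\s*=\s*"([^"]*)";'
    # \b keeps "localid" from matching inside "phase2localid"
    return {
        "localid": _grab(cfg, r"\blocalid" + fqdn)[0],
        "remoteid": _grab(cfg, r"\bremoteid" + fqdn)[0],
        "local_net": ipaddress.ip_network("/".join(_grab(cfg, r"\bphase2localid" + ipnet))),
        "remote_net": ipaddress.ip_network("/".join(_grab(cfg, r"\bphase2remoteid" + ipnet))),
    }

def check(rut, fb_cfg):
    """Return the mismatches between the RUT settings and the FRITZ!Box vpncfg."""
    fb = fb_fields(fb_cfg)
    local = ipaddress.ip_network(rut["local_subnet"])
    remote = ipaddress.ip_network(rut["remote_subnet"])
    problems = []
    # Each side's local ID must be what the other side expects as remote ID.
    if rut["local_identifier"] != fb["remoteid"]:
        problems.append("local_identifier does not match FRITZ!Box remoteid")
    if rut["remote_identifier"] != fb["localid"]:
        problems.append("remote_identifier does not match FRITZ!Box localid")
    # Phase 2 networks must be mirror images of each other.
    if (local, remote) != (fb["remote_net"], fb["local_net"]):
        problems.append("phase 2 networks are not mirrored")
    if local.overlaps(remote):
        problems.append("both sites use overlapping subnets")
    return problems

if __name__ == "__main__":
    rut = {"local_identifier": "", "remote_identifier": "",
           "local_subnet": "10.0.2.0/24", "remote_subnet": "10.0.1.0/24"}
    for p in check(rut, FB_CFG):
        print("MISMATCH:", p)
```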

I have done all of that.
However, the article does not describe an IPSec site-to-site connection between a Fritzbox, which offers relatively little to configure, and a router on which nearly everything can be set.

I have already configured all of this myself, between a MikroTik (really EVERYTHING is configurable here) and an FB7590 (that thing is totally crippled).
Which led me to go with the considerably newer and massively faster WireGuard instead of IPSec (by now “outdated” and “slow”).
Have you looked into it yet?
Considerably easier to configure (almost “idiot-proof”).
Your FB7590 can do it too! :wink:

this is a How To for Site-to-Site VPN with FritzBox and RUT950 - Crowd Support Forum | Teltonika Networks

Have you seen this post?

I agree, Wireguard is much easier to set up and a lot faster (~2x).
If you can’t switch to WG, then execute the following commands on FB:

/system logging
add prefix=ipsec topics=ipsec

We will then see why the authentication fails.

Gladly, do you have a good guide for that?
Thank you


Let’s get IPSec running, and then you can google your way through WireGuard, ok?
Then you can do everything in parallel and switch over to WireGuard nicely.

Do everything as in the link I sent you, and if it doesn’t work, send the log entries as mentioned by @flebourse.

It’s done, Wireguard is running. Thank you for your support :+1:t3:

Wow - that was quick :slight_smile:
Glad to hear all is fine now!
And: Wireguard was the better decision :+1:
