VPN via FritzBox on Windows

This howto was tested on Windows XP SP3 and Windows 7. It will probably also work on Windows Vista. The router I used is the Fritz!Box WLAN 7170, but the tools for other Fritz!Boxes such as the Fritz!Box 7270 are the same, so it will also work for the other Fritz!Box routers with VPN capabilities.

Replacement for the unstable FRITZ!VPN client

This post describes the configuration of a replacement for the unstable official FRITZ!VPN client (English v01.01.03 or German v01.02.02).

This replacement is the Shrew Soft VPN client, which can be downloaded (for Windows) from: shrew.net/download/vpn

Installing the ShrewSoft VPN client

To use this client, follow these steps:

  1. Download and install the ShrewSoft VPN client.
  2. Accept all warnings and, when installing, press Next in all screens.
  3. Select that you trust software from Shrew Soft and press OK.
  4. Then press Finished.

Configuring the ShrewSoft VPN client

Start the VPN client with the following menu path:

Start->All Programs->ShrewSoft VPN Client->Access Manager

Click the ‘Add’ button to add your VPN connection.

The General tab

Remote Host:

  • Host Name or IP Address: fill in the external IP address of your Fritz!Box router at ‘yourrouterIPnr‘. To find your external IP address, go to checkip.dyndns.com while you are connected through the router.
  • Leave the other settings as default.

The Client Tab

The default settings are ok.

The Name Resolution tab

WINS / DNS:

  • Deselect ‘Enable WINS’
  • Deselect ‘Enable DNS’

The Authentication->Local Identity tab

  • Authentication Method select: Mutual PSK
  • Identification Type select: User Fully Qualified Domain Name
  • UFQDN String: fill in your VPN email address, yourmailadres@example.com (which is also used in the VPN cfg file)

Remark: Select ‘User Fully Qualified Domain Name’ and not ‘Fully Qualified Domain Name’. This mistake is easy to make, and with the wrong type it will not work!

The Authentication->Remote Identity tab

  • Select at Identification Type: IP Address
  • Leave the other settings as default.

The Authentication->Credentials tab

Now open the VPN user configuration file in an editor. This file is generated by the program ‘Configure FRITZ!Box VPN Connection’.

  • The filename is something like: vpnuser_yourmailadres_example_com.cfg
  • Search the .cfg file for the key value. You can find it in the structure targets.policies.key. Copy the key value without the quotes.
  • Paste the key value in the ‘Pre Shared Key‘ field.
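
The lookup described above can also be scripted. This is an added example, not part of the original guide or of the AVM or Shrew Soft tools: a small Python parser for the nested `name { field = value; }` layout that returns targets.policies.key without its quotes. The sample file is constructed, and a single `policies` block per file is an assumption.

```python
import re

# Constructed sample in the nested layout the guide names (targets.policies.key).
# The key is a placeholder; phase2ss is the string quoted in this page's comments.
SAMPLE_CFG = '''
targets {
        policies {
                key = "EXAMPLE-ONLY-not-a-real-key";
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        }
}
'''

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}=;])|([^\s{}=;"]+)')

def parse_cfg(text):
    """Parse 'name { field = value; }' blocks into nested dicts."""
    stack, pending = [{}], []   # open blocks; tokens since the last { } ;
    for m in TOKEN.finditer(text):
        quoted, punct, bare = m.groups()
        if punct == "{":                       # "name {" opens a block
            if len(pending) != 1:
                raise ValueError("block needs exactly one name")
            child = stack[-1][pending[0]] = {}
            stack.append(child)
            pending = []
        elif punct == "}":
            if pending or len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif punct == ";":                     # "field = value;"
            if len(pending) < 3 or pending[1] != "=":
                raise ValueError("malformed assignment")
            stack[-1][pending[0]] = " ".join(pending[2:])
            pending = []
        else:                                  # "=", bare word or string
            pending.append(punct or (bare if quoted is None else quoted))
    if pending or len(stack) != 1:
        raise ValueError("unterminated block or assignment")
    return stack[0]

def get_psk(text):
    """Return targets.policies.key, unquoted, for the 'Pre Shared Key' field."""
    node = parse_cfg(text)
    for name in ("targets", "policies", "key"):
        node = node.get(name) if isinstance(node, dict) else None
    if not isinstance(node, str) or not node:
        raise ValueError("no usable targets.policies.key in this file")
    return node
```

Because quoted strings are tokenised as a unit, a key that contains `;`, `{` or `=` is still returned whole. The file holds the pre-shared key in plain text, so store it with the same care as the key itself.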

The Phase1 tab

Proposal Parameters:

  • Exchange Type select: aggressive
  • DH Exchange select: group 2
  • Cipher Algorithm select: aes
  • Cipher Key Length select: 256
  • Hash Algorithm select: sha1
  • Key Life Time limit: 3600 Secs
  • Key Life Data limit: 0 Kbytes

The Phase2 tab

Proposal Parameters:

  • Transform Algorithm select: esp-aes
  • Transform key length select: 256
  • HMAC Algorithm select: sha1
  • PFS Exchange select: group 2
  • Compress Algorithm select: deflate
  • Key Life Time limit: 3600 Secs
  • Key Life Data limit: 0 Kbytes

The Policy tab

IPSec Policy Configuration:

  • Deselect ‘Maintain Persistent Security Associations’
  • Deselect ‘Obtain Topology Automatically or Tunnel All’

  • Click on Add
  • Type select: Include
  • Fill in your remote network Address: 192.168.2.0 (in our case)
  • Netmask: 255.255.255.0

  • Click on ‘Save‘ to save your complete VPN Site configuration
  • Your VPN connection name/IP address is now selected; you can change it to a readable VPN name

Testing the VPN

  • Click on your VPN connection name
  • Click on ‘Connect’
  • Click in this new window again on ‘Connect’
  • The VPN connection will be built up
  • You can minimize this window, but if you close this window, the VPN will also be closed.

Shrew Soft VPN Access Manager Preferences

To show the VPN Access Manager in the system tray, do the following:

  • Go to menu: File->Preferences
  • Access Manager, Window Style select: Visible in System Tray only
  • VPN Connect, Window Style select: Visible in System Tray only
  • Select: Minimize when connection succeeds
  • Click on OK

This article belongs to the Fritz!Box VPN guide.
The other articles in the guide are:

  1. Fritz!Box VPN
  2. Configuring the Fritz!Box router
  3. VPN via FritzBox on Windows
  4. VPN via FritzBox on Linux

19 responses to “VPN via FritzBox on Windows”

  1. MXW says:

    Hello Arjan

    Thanks for this guide. But I got exactly the same problem as HeinA did, and the link in your solution points to nothing right now.

    Could you tell me what your solution is about? Thanks!

    – MXW

    • Arjan says:

      Indeed the link did not work anymore, but I updated the comment with a Google search string.

      • MXW says:

        Thanks for your answer, Arjan. I found out the problem later. It was because there was a firewall between the client and Fritz!Box. Now it is working well.

  2. Peter says:

    Good guide, thanks.

  3. Andrew says:

    Great guide. Worked first time for me. I’ve been searching for a Windows 7 solution for ages. So happy to have found this. Great stuff.

  4. Bob says:

    Hi
    I used to use fritz vpn in windows vista.
    I have now tested shrewsoft in Ubuntu 12.04, current version (v. 2.1.7) and in phase 2 there is no esp-aes option. Could you please tell me which one should be selected from the following?
    auto / aes / blowfish / 3des / des / cast?
    In the fritzbox it says connecting but I have no success (green light).
    thank you

  5. Bob says:

    Thanks a lot Arjan
    I apologize for posting in wrong place; dependencies are all installed but I have to uninstall 2.1.7 and compile 2.1.5. now; I hope I manage it.

  6. Arjan says:

    Hi Bob, did it work with version 2.1.5?

  7. Bob says:

    Hi Arjan
    No, I could not compile it (so I could not run this version).
    It stopped at:
    Unable to locate openssl crypto include files
    I looked for solution to this problem which refers to the installed ubuntu libs but I have tried everything with no success.
    In my windows install, fritzvpn works with phase2ss = “esp-all-all/ah-none/comp-all/pfs
    Thanks a lot for your interest; maybe you think of a solution ;)

  8. Bob says:

    Hi Arjan
    Problem is solved with 2.1.7 version. I used aes in group2. Solution is after connecting, I should ping my network printer (e.g. ping 192.168.178.23) or network disk. After doing this, in network tab of shrewsoft says established and also in fritz!box menu vpn goes to active and connected!
    Thanks

  9. Wolffy says:

    Hi,
    I would really like some setup advice via the standard WinXP “network connection” package – I.e. VPN client setup without having to install a 3rd party software if possible ???

    I thought it would be fairly straight forward to setup a number of PC’s however, this makes it quite annoying to setup my GF’s work PC to access stuff…..

    Thanks.

    • Arjan says:

      Windows uses PPTP by default, and I think this is not available in the standard Fritzbox.
      You can run a PPTP server on the other side, for example by buying a Synology DiskStation. This will be easy to set up.

  10. Antoine says:

    Thanks for this guide. Fritz official app setup crashes on my system… With this solution it works.

  11. HeinA says:

    Hi there. Nice to find some info on the Fritzbox in english :) I followed your instructions to the letter, but when I try to connect I get a "negotiation timeout occurred" error. do you know what could cause this? Thanx Hein

  12. Arjan says:

    Hi Hein,

    Maybe this is your solution:
    lists.shrew.net/pipermail/vpn-help/2009-December/002529.html

    Update: The link did not work anymore, but use this search string in Google:
    site:lists.shrew.net “negotiation timeout occurred”

    Success,

    Arjan

  13. Roger says:

    Thanks :-)
    This was a good information. It works very well in Windows 7 Starter :-)
    Except if I’m on a LAN with the same address as at home, then it is not working.
    But is there any possibility to avoid the split network so that all internet traffic goes through my FritzBox when I surf the internet so I’m invisible to hackers in the local network and it looks like I’m home when I visit websites?
    To get access to my computer at home I have to put on sharing, so I think I’m visible on the LAN where I am? And to connect to computers at home I have to use the IP address, I can not use the computer name? Is there any solution for these?
    Thanks.
    Roger.

  14. Arjan says:

    I am glad it works for you in Windows 7!

    Until now I do not have a solution when both of the network addresses are the same. This is because the routing of the packets is based on the split network addresses. So I am afraid that it is not easy to go around this principle. Maybe there is a way, but I am not aware of it.
