
Setting up an IPSec VPN between two FRITZ!Boxes for individual LAN sockets

When you set up an IPSec VPN connection between two FRITZ!Box networks, you can also restrict the VPN tunnel to individual LAN sockets on the FRITZ!Boxes.

This allows you, for example, to connect a home office or a POS system in one branch with the headquarters via a securely encrypted VPN tunnel, without allowing other devices in the branch to access the headquarters.

ATTENTION! The LAN sockets used for VPN can then only be used to access the remote network, but not devices in the local network. These LAN sockets are also no longer able to use the local FRITZ!Box to access the internet.

You can find an overview of additional VPN connection options in our guide VPN with FRITZ!.

Example values used in this guide

In this guide we show you how to connect devices connected to the 'LAN 2' socket of 'FRITZ!Box A' in a branch office with 'FRITZ!Box B' in the headquarters. When setting up the connection, replace the values used in this guide with your actual values.

Requirements / Restrictions

  • FRITZ!Box B (headquarters) must obtain either an IPv6 address or a public IPv4 address from the internet service provider. FRITZ!Box A (branch) must obtain an IP address with the same protocol version (IPv4 or IPv6) from the internet service provider.
  • FRITZ!OS 7.50 or later is installed on both of the FRITZ!Boxes.
  • On the LAN sockets selected for VPN, the entire network traffic is forwarded to the remote FRITZ!Box via the VPN connection.

Note: All instructions on configuration and settings given in this guide refer to the latest FRITZ!OS for the FRITZ!Box.

1 Preparations

Configuring MyFRITZ!

Register the FRITZ!Boxes with MyFRITZ!Net so that they can always be reached on the internet at fixed MyFRITZ! addresses:

  1. Create a MyFRITZ! account and set it up in both of the FRITZ!Boxes.

    Note: You can configure either the same or different MyFRITZ! accounts in both of the FRITZ!Boxes. Even if both FRITZ!Boxes use the same MyFRITZ! account, each FRITZ!Box has its own unique MyFRITZ! address.

Adapting the IP Networks

VPN communication is not possible if both FRITZ!Boxes use the same IP network. Since all FRITZ!Boxes use the IP network 192.168.178.0 in the factory settings, configure IP addresses from different IP networks in the FRITZ!Boxes:

Example:
In this guide, FRITZ!Box A (branch) has the IP address 192.168.20.1 (subnet mask 255.255.255.0) and FRITZ!Box B (headquarters) the IP address 192.168.10.1 (subnet mask 255.255.255.0).

Changing the FRITZ!Box's IP network
  1. Click on 'Home Network' in the FRITZ!Box user interface.
  2. Click on 'Network' in the 'Home Network' menu.
  3. Click on the 'Network Settings' tab.
  4. Click on 'Additional Settings' in the section 'LAN Settings' to display all of the settings.
  5. Click on the 'IPv4 Settings' button.
  6. Enter the desired IP address and subnet mask.
  7. Click on 'Apply' to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed.

2 Configuring FRITZ!Box A (branch)

  1. Click on 'Internet' in the user interface of FRITZ!Box A (branch).
  2. Click on 'Permit Access' in the 'Internet' menu.
  3. Click on the 'VPN (IPSec)' tab.
  4. Click on the 'Add VPN Connection' button.
  5. Click on 'Connect your home network with another FRITZ!Box network' and then on 'Next'.
  6. In the field 'VPN password (pre-shared key)', enter the password required to establish the VPN connection (secret1234). Use numerals and letters, and combine capitals and lower-case letters.
  7. Enter a unique name for the connection (FRITZ!Box headquarters) in the field 'Name of the VPN connection'.
  8. Enter the MyFRITZ! address of FRITZ!Box B (kw23qbmnj31x5aw75.myfritz.net) in the field 'Web address of the remote site'.
  9. Enter the IP network of FRITZ!Box B (192.168.10.0) in the 'Remote network' field. If the VPN tunnel should be limited to certain LAN sockets on FRITZ!Box B, enter the network prefix of these LAN sockets (192.168.11.0).
  10. In the 'Subnet mask' field, enter the subnet mask that corresponds to FRITZ!Box B's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection to FRITZ!Box B all the time, enable the option 'Hold VPN connection permanently'.
  12. If access to SMB shared files in the remote network should be allowed, enable the option 'Allow NetBIOS over this connection'.
  13. Click on 'Advanced Settings for Network Traffic'.
  14. If only certain devices should be allowed to access the remote network, enable the option 'Only certain devices use the VPN connection' and select the corresponding devices.
  15. Enable the option 'VPN tunnel is available only at the selected LAN sockets of the FRITZ!Box'.
  16. Select the LAN sockets for which the VPN tunnel should be available.
  17. In the 'Network prefix' field, enter the IP network to be used by the LAN sockets you selected (192.168.21.0).
  18. In the field 'Subnet mask prefix', enter the subnet mask that corresponds to the IP network (255.255.255.0).
  19. Enter the IP address of the DNS server in the 'Preferred DNS server' field (192.168.10.1).
  20. Click on 'Apply' to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed.
  21. Restart FRITZ!Box A by unplugging the power cable from the electrical socket and plugging it in again after a few seconds.

3 Configuring FRITZ!Box B (headquarters)

  1. Click on 'Internet' in the user interface of FRITZ!Box B (headquarters).
  2. Click on 'Permit Access' in the 'Internet' menu.
  3. Click on the 'VPN (IPSec)' tab.
  4. Click on the 'Add VPN Connection' button.
  5. Click on 'Connect your home network with another FRITZ!Box network' and then on 'Next'.
  6. In the field 'VPN password (pre-shared key)', enter the password required to establish the VPN connection (secret1234).
  7. Enter a unique name for the connection (FRITZ!Box branch) in the field 'Name of the VPN connection'.
  8. Enter the MyFRITZ! address of FRITZ!Box A (pi80ewgfi72d2os42.myfritz.net) in the field 'Web address of the remote site'.
  9. Enter the IP network of FRITZ!Box A (192.168.21.0) used for the VPN tunnel in the 'Remote network' field.
  10. In the 'Subnet mask' field, enter the subnet mask that corresponds to FRITZ!Box A's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection to FRITZ!Box A all the time, enable the option 'Hold VPN connection permanently'.
  12. If you also want to restrict the use of the VPN tunnel to certain LAN sockets on FRITZ!Box B:
    1. Click on 'Advanced Settings for Network Traffic'.
    2. Enable the option 'VPN tunnel is available only at the selected LAN sockets of the FRITZ!Box'.
    3. Select the LAN sockets for which the VPN tunnel should be available.
    4. In the 'Network prefix' field, enter the IP network to be used by the LAN sockets you selected (192.168.11.0).
    5. In the field 'Subnet mask prefix', enter the subnet mask that corresponds to the IP network (255.255.255.0).
    6. Enter the IP address of the DNS server in the 'Preferred DNS server' field. If you want to allow devices connected to the selected LAN sockets to use the Internet, enter the local IP address of FRITZ!Box A (192.168.20.1).
  13. Click on 'Apply' to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed.
  14. If you enabled the option 'VPN tunnel is available only at the selected LAN sockets of the FRITZ!Box', restart FRITZ!Box B by unplugging the power cable from the electrical socket and plugging it in again after a few seconds.
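
Before entering the values from sections 2 and 3, the addressing plan can be checked offline. The following is an added example, not AVM code: it verifies that each box's 'Remote network' matches the other box's LAN-socket 'Network prefix' (or its IP network if no sockets are selected) and that no networks overlap. The dictionary layout and function names are hypothetical, and treating any overlap among the four networks as an error is an assumption that generalizes the rule that the two FRITZ!Boxes must not use the same IP network.

```python
import ipaddress


def net(addr, mask="255.255.255.0"):
    """Build a network from an address and dotted subnet mask, as typed into the UI."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_plan(a, b):
    """Return a list of problems in a two-box addressing plan (empty list = consistent).

    Each box is a dict (hypothetical layout) with:
      lan        - the box's own IP network
      vpn_prefix - 'Network prefix' of the selected LAN sockets, or None if unrestricted
      remote     - the network entered in the 'Remote network' field
    """
    problems = []
    for name, box, peer in (("A", a, b), ("B", b, a)):
        # The peer is reached via its socket prefix when set, otherwise via its LAN.
        expected = peer["lan"] if peer["vpn_prefix"] is None else peer["vpn_prefix"]
        if box["remote"] != expected:
            problems.append(f"{name}: remote network {box['remote']} should be {expected}")
    # Assumption: every network in the plan must be distinct and non-overlapping.
    nets = [(f"{name} {key}", box[key])
            for name, box in (("A", a), ("B", b))
            for key in ("lan", "vpn_prefix") if box[key] is not None]
    for i, (label1, n1) in enumerate(nets):
        for label2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{label1} {n1} overlaps {label2} {n2}")
    return problems


# Constructed from the guide's example values: LAN 2 of box A restricted, box B unrestricted.
BOX_A = {"lan": net("192.168.20.1"), "vpn_prefix": net("192.168.21.0"), "remote": net("192.168.10.0")}
BOX_B = {"lan": net("192.168.10.1"), "vpn_prefix": None, "remote": net("192.168.21.0")}

if __name__ == "__main__":
    for problem in check_plan(BOX_A, BOX_B) or ["plan is consistent"]:
        print(problem)
```

If FRITZ!Box B is also restricted to LAN sockets with the prefix 192.168.11.0, the check reports that FRITZ!Box A's 'Remote network' must be changed to 192.168.11.0, matching step 9 of section 2.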

4 Establishing a VPN connection

If you enabled the option 'Hold VPN connection permanently' in the FRITZ!Boxes, the VPN connection will be maintained at all times.

If the option 'Hold VPN connection permanently' is not enabled, the VPN connection is automatically established when the remote network is accessed and it is cleared again if it has been inactive for one hour.

Note: Active VPN connections are displayed in the FRITZ!Box user interface under 'Overview' in the section 'Connections'.