This page describes how to establish an encrypted VPN (Virtual Private Network) connection using IPsec (Internet Protocol Security) from a machine running M0n0wall to a FRITZ!Box device. The latter is a product of the German company AVM. In the following example the device running M0n0wall acts as a client. Testing was done using M0n0wall 1.33 (released March 16, 2011) and Fritz!Box Fon WLAN 7390, firmware version 84.04.88.

Please consult AVM's VPN portal, too.

M0n0wall configuration

Enable IPsec and create a new tunnel with the following settings:

DPD interval 60 seconds
Local subnet LAN subnet; IP network must not overlap with remote subnet
Remote subnet IPv4 subnet behind remote Fritz!Box; this is unless the Fritz!Box' IP settings have been changed
Remote gateway IPv4 address or host name of remote peer, e.g.

Phase 1 proposal (Authentication)

Negotiation mode aggressive (“main” works only when both peers have a static IP address or X509 certificates are used for authentication)
My identifier Choose “domain name” and enter DNS name of local site, e.g.; can be a dynamic DNS name
Encryption algorithm AES
Hash algorithm SHA1
DH key group 2 (1024 bit)
Lifetime 3000 seconds
Authentication method Pre-shared key
Pre-shared key Enter a long, random string (e.g. output of pwgen -s 200 1)

Phase 2 proposal (SA/Key Exchange)

Protocol ESP
Encryption algorithms Disable all except “Rijndael (AES)”
Hash algorithms SHA1 only
PFS key group 2 (1024 bit)
Lifetime 3000 seconds

Fritz!box configuration

VPN settings need to be uploaded as a file. Copy the following configuration into a text file, replace the placeholders with your settings, and upload the file to your Fritz!Box device. Comments can be included using /* … */.

vpncfg {
  connections {
    enabled = yes;
    conn_type = conntype_lan;
    /* Connection name */
    name = "";
    always_renew = no;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip =;
    local_virtualip =;
    remoteip =;
    remote_virtualip =;
    localid {
      /* Server's DNS name */
      fqdn = "";
    remoteid {
      /* Client's DNS name */
      fqdn = "";
    mode = phase1_mode_aggressive;
    phase1ss = "alt/all/all";
    keytype = connkeytype_pre_shared;
    /* Pre-shared key generated for M0n0wall configuration */
    key = "pre-shared key";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
      ipnet {
        /* IP network behind Fritz!Box (default */
        ipaddr =;
        mask =;
    phase2remoteid {
      ipnet {
        /* Client's IP network */
        ipaddr =;
        mask =;
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    /* Permit client's network */
    accesslist = "permit ip any";
  ike_forward_rules = "udp",