Setting up an IPSec VPN between two FRITZ!Box networks

IPSec allows you to connect two FRITZ!Box networks at different locations over the internet via a secure, encrypted VPN connection (LAN-LAN linkup). This allows you to access all of the devices in the remote network and use all of the IP-based services such as email servers, databases, and file servers at both locations.

You can find an overview of additional VPN connection options in our guide VPN with FRITZ!.

Example values used in this guide

In this guide we show you how to connect "FRITZ!Box A" in a branch with "FRITZ!Box B" in the headquarters. When setting up the connection, replace the values used in this guide with your actual values.

Requirements / Restrictions

  • FRITZ!Box B (headquarters) must either obtain an IPv6 address or a public IPv4 address from the internet service provider. FRITZ!Box A (branch) must obtain an IP address with the same protocol version (IPv4 or IPv6) from the internet service provider.
  • FRITZ!OS 7.50 or later is installed on both of the FRITZ!Boxes.

Note: All instructions on configuration and settings given in this guide refer to the FRITZ!Box 6820 LTE v2, v3, and v4 with the latest FRITZ!OS; the FRITZ!Box 6820 LTE v1 may vary.

1 Preparations

Configuring MyFRITZ!

Register the FRITZ!Boxes with MyFRITZ!Net so that they can always be reached on the internet at fixed MyFRITZ! addresses:

  1. Create a MyFRITZ! account and set it up in both of the FRITZ!Boxes.

    Note: You can either configure the same or different MyFRITZ! accounts in both of the FRITZ!Boxes. Even if both FRITZ!Boxes use the same MyFRITZ! account, each FRITZ!Box has its own unique MyFRITZ! address.

Adjusting the IP networks

VPN communication is not possible if both FRITZ!Boxes use the same IP network. Since all FRITZ!Boxes use the IP network 192.168.178.0 in the factory settings, configure IP addresses from different IP networks in the FRITZ!Boxes:

Example:
In this guide, FRITZ!Box A (branch) has the IP address 192.168.20.1 (subnet mask 255.255.255.0) and FRITZ!Box B (headquarters) the IP address 192.168.10.1 (subnet mask 255.255.255.0).

Changing the FRITZ!Box's IP network
  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click "Network" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. Click "Additional Settings" in the section "LAN Settings" to display all of the settings.
  5. Click the "IPv4 Settings" button.
  6. Enter the desired IP address and subnet mask.
  7. Click "Apply" to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed.

2 Configuring FRITZ!Box A (branch)

  1. Click "Internet" in the user interface of FRITZ!Box A (branch).
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN (IPSec)" tab.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network" and then "Next".
  6. In the field "VPN password (pre-shared key)", enter the password required to establish the VPN connection (secret1234). Use numerals and letters, and combine capitals and lower-case letters.
    [Figure: Configuring an IPSec connection in FRITZ!Box A (branch)]
  7. Enter a unique name for the connection (FRITZ!Box headquarters) in the field "Name of the VPN connection".
  8. Enter the MyFRITZ! address of FRITZ!Box B (kw23qbmnj31x5aw75.myfritz.net) in the field "Web address of the remote site".
  9. Enter the IP network of FRITZ!Box B (192.168.10.0) in the "Remote network" field.
  10. In the "Subnet mask" field, enter the subnet mask that corresponds to FRITZ!Box B's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection all the time and the FRITZ!Box has a public IPv4 address, enable the option "Hold VPN connection permanently".
  12. If access to SMB shared files in the remote network should be allowed, enable the option "Allow NetBIOS over this connection".
  13. Click "Advanced Settings for Network Traffic".
  14. If you want to use the VPN connection not only to access the remote network but also to send all web requests to FRITZ!Box B (headquarters), enable the option "Send all network traffic via the VPN connection".
  15. If only certain devices should be allowed to access the remote network, enable the option "Only certain devices use the VPN connection" and select the corresponding devices.
  16. Click "Apply" to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed. The internet connection will be cleared briefly and then re-established right away.

3 Configuring FRITZ!Box B (headquarters)

  1. Click "Internet" in the user interface of FRITZ!Box B (headquarters).
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN (IPSec)" tab.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network" and then "Next".
  6. In the field "VPN password (pre-shared key)", enter the password required to establish the VPN connection (secret1234).
    [Figure: Configuring an IPSec connection in FRITZ!Box B (headquarters)]
  7. If the field "Name of the VPN connection" is displayed, enter a unique name (FRITZ!Box branch) for the connection.
  8. Enter the MyFRITZ! address of FRITZ!Box A (pi80ewgfi72d2os42.myfritz.net) in the field "Web address of the remote site".
  9. Enter the IP network of FRITZ!Box A (192.168.20.0) in the "Remote network" field.
  10. In the "Subnet mask" field, enter the subnet mask that corresponds to FRITZ!Box A's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection all the time, enable the option "Hold VPN connection permanently".
  12. If access to SMB shared files in the remote network should be allowed, enable the option "Allow NetBIOS over this connection".
  13. Click "Apply" to save the settings and, if you are asked to do so, confirm on the FRITZ!Box that the procedure may be executed. The internet connection will be cleared briefly and then re-established right away.
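
A pre-flight check for the values entered in sections 1 to 3, as an added example (not AVM code): it derives what each box needs in "Remote network" and "Subnet mask", rejects overlapping IP networks (a generalization of the "same IP network" case, covering different mask lengths too), and checks the VPN password against the guide's advice. The function names and the minimum length MIN_PSK_LEN are assumptions of this example.

```python
import ipaddress
import string

MIN_PSK_LEN = 20  # assumption of this example; the guide states no length


def lan_network(box_ip, mask):
    """IP network a FRITZ!Box LAN address belongs to."""
    return ipaddress.ip_interface(f"{box_ip}/{mask}").network


def psk_problems(psk):
    """Guide's advice: numerals and letters, capitals and lower case."""
    checks = [
        ("no numerals", any(c in string.digits for c in psk)),
        ("no lower-case letters", any(c in string.ascii_lowercase for c in psk)),
        ("no capitals", any(c in string.ascii_uppercase for c in psk)),
        (f"shorter than {MIN_PSK_LEN} characters", len(psk) >= MIN_PSK_LEN),
    ]
    return [msg for msg, ok in checks if not ok]


def check_linkup(site_a, site_b, psk):
    """Return (fields, problems); each site is a (box_ip, subnet_mask) tuple."""
    net_a, net_b = lan_network(*site_a), lan_network(*site_b)
    problems = []
    if net_a.overlaps(net_b):
        problems.append(f"IP networks overlap: {net_a} and {net_b}")
    problems += [f"VPN password: {p}" for p in psk_problems(psk)]
    # Each box is configured with the *other* side's network and mask.
    fields = {
        "FRITZ!Box A": {"Remote network": str(net_b.network_address),
                        "Subnet mask": str(net_b.netmask)},
        "FRITZ!Box B": {"Remote network": str(net_a.network_address),
                        "Subnet mask": str(net_a.netmask)},
    }
    return fields, problems


if __name__ == "__main__":
    # Example values used in this guide
    fields, problems = check_linkup(("192.168.20.1", "255.255.255.0"),
                                    ("192.168.10.1", "255.255.255.0"),
                                    "secret1234")
    for box, values in fields.items():
        print(box, values)
    for problem in problems:
        print("WARNING:", problem)
```

Run with the guide's example values, the check accepts the addressing plan but flags the example password "secret1234", which is why it should be replaced with your own value.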

4 Establishing a VPN connection

If you enabled the option "Hold VPN connection permanently" in the FRITZ!Boxes, the VPN connection will be maintained at all times.

If the option "Hold VPN connection permanently" is not enabled, the VPN connection is automatically established when the remote network is accessed and it is cleared again if it has been inactive for one hour.

Note: Active VPN connections are displayed in the FRITZ!Box user interface under "Overview" in the section "Connections".