To the knowledge base
Dokument informacyjny #342

IP communication over a VPN connection (LAN-LAN) is not possible

Although the VPN connection between two FRITZ!Boxes (LAN-LAN linkup) is established, computers and other devices in the network of one of the FRITZ!Boxes cannot access devices, shared files and printers or other services in the network of the other FRITZ!Box. Devices in the remote network do not respond to pings.

Simply proceed as described below. After each measure, check whether the problem is solved.

1 Deleting static IP routes

If static IP routes are set up in the FRITZ!Boxes that point to the IP network of the other FRITZ!Box, reliable VPN communication is not possible.

Delete such static IP routes in both of the FRITZ!Boxes:

  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click "Network" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. Click "Additional Settings" in the section "WAN setting" or "LAN Settings" to display all of the settings.
  5. Click the "IPv4 Routes" button.
  6. In the table, disable or delete all entries where the IP network of the remote FRITZ!Box is entered in the "Network" column.

    Example:
    The remote FRITZ!Box uses the IP address 192.168.10.1 with the subnet mask 255.255.255.0. This means that no static route may be active for the IP network 192.168.10.0.

  7. Click "Apply" to save the settings.

2 Restarting the FRITZ!Box

You may be temporarily unable to correctly establish the VPN connection due to an error in the FRITZ!Box or its internet connection. Therefore, restart the FRITZ!Box so that it reinitializes the firewall and re-establishes the internet connection:

  1. Click "System" in the FRITZ!Box user interface.
  2. Click "Backup" in the "System" menu.
  3. Click on the "Restart" tab.
  4. Click the "Restart" button.

3 Configuring the device to automatically obtain IP settings

To ensure that the device always uses the correct IP settings, make sure that it automatically obtains its IP settings from the FRITZ!Box (this is the default setting for most devices):

4 Adapting the IP networks

VPN communication cannot occur if both FRITZ!Boxes use the same IP network or the IP network 192.168.100.0, which is reserved for the cable provider in compliance with DOCSIS, is used in a FRITZ!Box. Therefore, adjust the IP settings of the FRITZ!Boxes:

Adjusting the FRITZ!Box's IP network

Changing the FRITZ!Box's IP network
  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click on "Network" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. Click "Additional Settings" in the section "LAN Settings" to display all of the settings.
  5. Click the "IPv4 Settings" button.
  6. Enter the desired IP address and subnet mask.

    Important:Do not enter an IP address from the network 192.168.100.x. In compliance with DOCSIS, this network is reserved for the cable provider and may not be used in the FRITZ!Box.

  7. Click "Apply" to save the settings and on the FRITZ!Box, confirm that the procedure may be executed, if you are asked to do so.

Adjusting the VPN settings

  1. Click "Internet" in the FRITZ!Box user interface.
  2. Click "Permit Access" in the "Internet" menu.
  3. Click the "VPN (IPSec)" tab.
  4. Click the (Edit) button for the respective VPN connection.
  5. Enter the IP network of the remote FRITZ!Box in the "Remote Network" and "Subnet mask" fields, for example 192.168.20.0 and 255.255.255.0.
  6. Enter the password required to establish the VPN connection in the field "VPN password (pre-shared key)".
  7. Click "OK" to save the settings and on the FRITZ!Box, confirm that the procedure may be executed, if you are asked to do so.

5 Configuring the device's firewall

  1. If a firewall is installed on the device, configure it so that it does not block communication with the IP network of the remote FRITZ!Box (for example 192.168.20.0). Refer to the manufacturer of the firewall for information on how to set it up, for example consult the manual.

6 Deleting a VPN connection and reconfiguring it

If the IP address of the remote FRITZ!Box (xxx.xxx.xxx.1) was entered as the "destination network" when setting up the VPN connection instead of its IP network (xxx.xxx.xxx.0), you can only access the remote FRITZ!Box itself over the VPN connection.

Example:
A FRITZ!Box has the IP address 192.168.10.1 with the subnet mask 255.255.255.0. This means that the IP network of this FRITZ!Box is 192.168.10.0.

To rule out that the IP settings or other VPN settings in one of the two FRITZ!Boxes are incorrect, reconfigure the VPN connection:

  1. Delete the VPN connection in the user interface of both of the FRITZ!Boxes.
  2. Set up the VPN connection between the two FRITZ!Boxes again.