Fritz Box VPN with Cisco and IKE Errors

Here I show how to connect a Fritz Box to a Cisco VPN. In principle, this should also make VoIP over VPN possible.

I used the following basic configuration for Cisco VPN; simply adapt it and import it into the Fritz Box:

vpncfg {
        connections {
                enabled = yes;
                editable = no; // must not be enabled, otherwise it wrecks the settings
                conn_type = conntype_lan;
                name = "";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes; // must always be active
                localip =;
                local_virtualip =;
                remoteip = ...;
                remote_virtualip =;
                localid {
                        key_id = "gruppenname";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "alt/all/all";
                keytype = connkeytype_pre_shared;
                key = "gruppenschlüssel";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                xauth {
                        valid = yes;
                        username = "";
                        passwd = "";
                }
                use_cfgmode = yes; // automatic setup of the remote network
                phase2localid {
                        ipnet {
                                ipaddr =; // network of the Fritz Box
                                mask =;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist =
                             "permit ip any", // remote network
                             "permit ip any host"; // single host
        }
        ike_forward_rules = "udp",

AVM has a list of what the various IKE errors mean, but unfortunately they do not say what has to be changed to fix them. I try to fill that in here and there. Basic information can also be found here:
Typical errors

IKE-Error 0x2020 "hash mismatch in received packet"

This indicates a mismatch in the selected algorithms (cf. "Tests"), probably in phase 1, or the password is wrong. For me, this adjustment helped:

phase1ss = "alt/all/all";
You can try these:

Reportedly, the MTU can sometimes also be to blame for this error. On the Fritz Box, however, it cannot be adjusted. A wrong key or the wrong key_id can apparently also be the cause.

IKE-Error 0x2026 "no proposal chosen"

This is probably an error in phase 2.

Among others, the following alternatives are available:


A few more notes

Samsung Scanner in Your Network Despite Firewall With Manual Setup

To manually detect a Samsung network scanner with SANE, you can try this method:

echo 'tcp scx' | sudo tee -a /etc/sane.d/xerox_mfp.conf

Replace "scx" with the IP address or resolvable hostname of your scanner. Try to ping the host, e.g. "ping scx", before you enter it here.

This assumes using the drivers from For some services, you may have to restart the service or your computer. It fixed using the scanner with an active firewall for me.

Various Problems with the Fritz Box Caused by Faulty VPN Settings

If you use the Fritz Box's VPN function, you should regularly check whether all outgoing connections work.

Non-working outgoing VPN connections (e.g. a link between two Fritz Boxes) can lead to various problems, including poor VoIP voice quality, packet loss and slower internet. If you have an active VPN connection that sets the default route (e.g. automatically via use_cfgmode = no;), the internet connection can even be interrupted altogether.

The solution is simple: untick the checkbox to the left of the VPN connection and apply the settings.

[Fix] Getting the MSI PE60 6QE (Skylake) to run Linux

After lots of experimentation, it turned out that the best boot parameter so far (Ubuntu 16.10 alpha July 2016) is:


Otherwise (e.g. with acpi=noirq), there is a crash trying to load the nvidia card and an issue with ACPI trying to load _DSM. If you want to disable the nvidia card completely, for 6W or more of power savings, use nouveau.modeset=0. This might need to be in addition to pci=noacpi.

This might work for lots of other notebooks, especially with Nvidia graphics and a Skylake CPU, e.g. the MSI GE62 6QF series.

Prioritizing System Services with Systemd - Run a Process Permanently in the Background

If you simply want to adjust some priorities, here is how to do it in three steps.
  1. sudo systemctl edit [service]
  2. sudo systemctl daemon-reload
  3. sudo systemctl restart [service]
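
The three steps above never show what goes into the drop-in. As an added example (not from the original post), this script writes such a file non-interactively; the directive values, the service name myservice, the Restart=always line and the DROPIN_ROOT preview variable are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Writes the drop-in that
# `systemctl edit <service>` (step 1) would otherwise open in an editor.
# DROPIN_ROOT is a hypothetical switch for previewing the file outside /etc.

# $1 = service name, $2 = nice level (-20..19), $3 = I/O priority (0..7)
write_priority_dropin() {
    case $1 in ''|*/*) return 2 ;; esac          # no empty names, no path tricks
    unit=${1%.service}.service
    nice=$2
    ioprio=$3
    # Accept plain integers only, then check the documented ranges.
    case $nice in ''|-|*[!0-9-]*|?*-*) return 2 ;; esac
    case $ioprio in ''|*[!0-9]*) return 2 ;; esac
    [ "$nice" -ge -20 ] && [ "$nice" -le 19 ] || return 2
    [ "$ioprio" -le 7 ] || return 2

    dir=${DROPIN_ROOT:-/etc/systemd/system}/$unit.d
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<EOF
[Service]
Nice=$nice
IOSchedulingClass=best-effort
IOSchedulingPriority=$ioprio
Restart=always
EOF
    printf '%s\n' "$dir/override.conf"
}

# Steps 2 and 3 from the list above, plus a check that the value took effect.
apply_dropin() {
    systemctl daemon-reload && systemctl restart "$1" && systemctl show -p Nice "$1"
}

# Preview in a temporary directory (no root needed). "myservice" is a made-up name.
DROPIN_ROOT=$(mktemp -d)
cat "$(write_priority_dropin myservice -5 2)"
```

To apply it for real, unset DROPIN_ROOT, run write_priority_dropin as root and then apply_dropin with the same service name.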

Removing all images with rkt

Note this will remove all images, not just stale ones. Set rkt to point to your rkt binary.

images="$(sudo $rkt image list | awk 'NR>1 {print $1}')"
set -x
sudo $rkt gc --grace-period=1s
sleep 1
sudo $rkt gc --grace-period=1s
sudo $rkt image list
sudo $rkt image rm $images

Forward Wake on LAN packets between networks with socat

If you have two networks and you want to wake a machine in one from the other, it can be tricky because you can't always set the destination IP address or network. An easy fix is to use socat to forward the UDP Wake-on-LAN packets to the other network or IP:

sudo socat -v UDP4-RECVFROM:9,fork UDP4-SENDTO:

You can leave out the -v for less verbosity. The target network is, you can replace this with a specific IP, which helps with routers not forwarding broadcasts. Usually UDP port 9 is used, but you may change this to port 7 for your setup. You will need to be root because port 9 is generally privileged.

Fscking Precautions: Snapshots and the undo file

If you have a badly corrupted filesystem, e.g. because you had bad blocks on the hard drive, you may want to take some precautions to make sure fsck doesn't destroy your files. This goes especially for large raids.

Something you can always do is test the fsck operation on a dmsetup snapshot. For this to work you must boot from a different partition and it must have a sparse file enabled filesystem.

# The path to your snapshot storage file.

Terabytes should be enough for your partition, otherwise increase this number
truncate -s
000G $COW 
# Set up a loop device for the COW file used by the dmsetup snapshot.
loop="$(losetup -f)"
losetup "$loop" "$COW"
# Set up the snapshot device.
echo 0 "$(blockdev --getsz "$INPUT")" snapshot "$INPUT" "$loop" p 8 | dmsetup create top
# Show where the snapshot device is.
echo "loop: $loop top: /dev/mapper/top"
dmsetup status

After this you should be able to fsck /dev/mapper/top. You can see how much space the COW file actually occupies with du -h $COW. You may also want to get the newest fsck version (e.g. with a newer fsck-static package). If you end up with many multiply-claimed blocks, this e2fsck version may help: (checkout a -wc branch).

Good luck, you might need it!

Linux Raid: ignoring /dev/sdX as it reports /dev/sdY as failed

The fix for this problem may be extremely easy. What happened is that some disks of the raid failed. They were ejected. This happens. But the raid won't be assembled anymore if the failed disks are first on the mdadm assemble command line, because for some reason mdadm does not check what most disks say, but what the first disks say. So if you have a raid with 10 disks and the first two on the command line are failed, it will reject the remaining 8, because they are not compatible. All you need to do now is to list those two failed disks at the end with --force to activate the raid again:

Instead of
mdadm /dev/md1 --assemble /dev/sdX,Y /dev/sd[a-f]
use
mdadm /dev/md1 --assemble /dev/sd[a-f] /dev/sdX,Y

Note that there's probably still a good reason for those disks to have been marked as failed...
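
One way to get the order right without guessing, as an added example that is not part of the original post: sort the members by the Events counter from mdadm --examine so the up-to-date disks come first. Device names and counter values below are constructed, and the script assumes ejected members carry a lower Events count than the disks that stayed in the array.

```sh
#!/bin/sh
# Added example, not from the original post.
# Reads `mdadm --examine <members...>` output on stdin and prints the member
# devices with the highest "Events" counter first, stale members last.
order_by_events() {
    awk '
        /^\/dev\/[^ ]*:$/ { dev = substr($0, 1, length($0) - 1) }  # "/dev/sdc1:" header line
        $1 == "Events" && $2 == ":" { print $3, dev }              # "Events : 48213"
    ' | sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# Prints (does not run) the assemble command so it can be reviewed first.
# $1 = md device, stdin = mdadm --examine output
assemble_cmd() {
    printf 'mdadm --assemble --force %s' "$1"
    order_by_events | while read -r dev; do printf ' %s' "$dev"; done
    printf '\n'
}

# Constructed sample, trimmed to the relevant lines: /dev/sdc1 was ejected
# earlier, so its superblock is older and still shows every member as active.
SAMPLE_EXAMINE='/dev/sdc1:
         Events : 48190
    Array State : AAA
/dev/sda1:
         Events : 48213
    Array State : AA.
/dev/sdb1:
         Events : 48213
    Array State : AA.
'

printf '%s' "$SAMPLE_EXAMINE" | assemble_cmd /dev/md1
```

On a real system the input would come from mdadm --examine run over all member devices, piped into assemble_cmd.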

Windows 7 Detects only Some of the CPUs added in KVM [Fix]

If Windows XP, Windows 7, maybe even Windows 8 or later don't detect all your CPUs in KVM, you may need to change the settings. Windows often doesn't like it if you have too many CPU sockets. Try a configuration with 1 or 2 sockets and several cores.

How to Dynamically Switch Between Uniprocessor and SMP during Windows XP boot

If you're running Windows XP inside a Virtual Machine such as VirtualBox, Vmware or KVM, you may want to sometimes boot with only one active CPU, other times with several CPUs. If you don't set up windows correctly, it will neither boot normally, nor in safe mode (where it will stop with a blank screen and a blinking cursor).

But you can edit your boot.ini to look like this in order to dynamically switch between one and several processors in Windows XP:
[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro one processor" /noexecute=optin /fastdetect /kernel=ntoskrnl.exe /HAL=Halaacpi.dll
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro SMP" /noexecute=optin /fastdetect /kernel=ntkrnlmp.exe /hal=halmacpi.dll

The Ultimate Setup Guide for ownCloud on Small Systems such as the Raspberry Pi

It took me about a year to collect this information. There are many guides, but all I found are incomplete. Here's the one guide to rule them all - hopefully. The guide works on Ubuntu and Debian without changes. It's optimized for resources, speed, security and ease of use. While this runs well on my old phone (ARMv7; 512 MB; ~1000 BogoMIPS), it should run even better on a Raspberry Pi.

Accessing Public ownCloud shares via WebDAV

Since ownCloud supports server to server sharing you can access public shares via webdav clients. You simply use the access token (t=...) as user name. If there is a password, use that as password, otherwise leave it blank. As URL you use the owncloud address with /public.php/webdav at the end:

-> webdavs://

Speeding up your ownCloud on small systems such as the Raspberry Pi with Sqlite

I had seriously considered using a Raspberry Pi system for setting up my ownCloud server. But the old Pi had pretty much the same capabilities as my old mobile phone with cyanogen. And the phone has Wifi and some flash space already included. So I opted for the phone. As with most Pi installations, the performance was not great. But I found some easy tweaks I haven't seen anywhere else to significantly improve the performance. I'm assuming you're already using the usual tweaks such as opcache (this will usually help more than the following tweaks!) and using cron.php. Please back up your owncloud.db before you start! You will need the sqlite3 tool (sudo apt-get install sqlite3).

Two ways to download your pictures from Picasaweb with Linux

There is a nerdy and a simple way. The simple way is to use the google data export ("takeout") pages. You select your photos, create an archive and download it. You may have to upgrade from Picasaweb to Google+ in order for this to work properly.

The nerdy way is via googlecl. Unfortunately this option does not currently work properly due to googlecl still using oauth version 1. But once that's fixed - or if you're still signed into googlecl - you can use these two commands:

google picasa list-albums > albums.txt
parallel -a "albums.txt" -j 3 --eta google picasa get "{,}" .

Beware of weird folder names including / or other special symbols. Now you can e.g. move your pictures to your ownCloud server. No picasa needed.

How to change the volume with an active lock screen in android lollipop

This works at least on my Samsung Galaxy S4: you press the power button for a few seconds until you see the pop-up to turn off the device, or to go into offline mode. Now you can use the volume buttons to change the ring tone volume.

Fixing Netflix Error Code: M7361-1254 on a Linux System

If you get this error code there is an issue with the sound output. If you use pulse, kill the pulseaudio process. Then close the browser, open it again.

Otherwise remove the kernel driver module for your sound card and insert it again. Then close and open the browser.

How to Fix a common VirtualBox Segfault

If you have a segmentation fault during the start of a VirtualBox machine, you are likely using an old, incompatible version of the VirtualBox Extensions. Simply update or uninstall them and things should work again.

An example from the dmesg kernel log:
EMT-1 [7265]: segfault at 618 ip 00007f0eaacbef31 sp 00007f0ed2afbc70 error 4 in [7f0eaac00000+26f000].

Checking S.M.A.R.T. status for USB drive

Usually smartctl -a works out of the box. But sometimes it doesn't. In that case, try using the option -d sat, e.g. smartctl -d sat -a /dev/sdb. That may help if a modern external USB drive reports that SMART support is "unavailable" and that the "device lacks SMART capability", because it is extremely unlikely these days that a drive actually lacks the capability. If that doesn't work, you can try -d auto or consult an extensive list of options of different devices.

Recording with tape-a-talk to external sd card in KitKat

You can enter a manual storage path. It must be setup like the following path. This path can be adjusted to work with other apps and different devices:


If you use the wrong path the app won't be able to write anything. This path works on most Samsung devices.