Edgerouter IPsec tunnel to Fritzbox

So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).

This is mostly stuff that I have found from several articles, mostly from here.

ERL: eth0 is WAN, eth1 (10.60.111.0/24) and eth2 (unused, not VPN’ed) are LAN
FritzBox: 192.168.1.0/24

This is the FritzBox config (go to VPN and then Import a config) fritzvpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN Yeri";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "erl.yeri.be";
                localid {
                        fqdn = "fritz.yeri.be";
                }
                remoteid {
                        fqdn = "erl.yeri.be";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SOMEPASSWORD";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.60.111.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 10.60.111.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Be sure to change the password, the local (Fritz) and remote (ERL) LAN prefixes, and the local and remote FQDNs. Note that phase1ss = "all/all/all" and phase2ss = "esp-all-all/ah-none/comp-all/pfs" tell the FritzBox to accept any proposal it supports, so the algorithms the tunnel actually ends up with are decided by the EdgeRouter's ike-group and esp-group proposals; check the negotiated set afterwards with show vpn ipsec sa rather than trusting the config.

This is the ERL config (via SSH; you'll need to set this):

yeri@sg-erl# show vpn ipsec 
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 60
         timeout 60
     }
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer fritz.yeri.be {
         authentication {
             mode pre-shared-secret
             pre-shared-secret SOMEPASSWORD
         }
         connection-type initiate
         description "VPN to fritz.yeri.be"
         ike-group FOO0
         local-address erl.yeri.be
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 10.60.111.0/24
             }
             remote {
                 prefix 192.168.1.0/24
             }
         }
     }
 }
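The most common reason a site-to-site tunnel like this never comes up is that the two ends do not mirror each other: the FritzBox phase2localid must be the EdgeRouter's remote prefix and vice versa, the accesslist must name the EdgeRouter LAN, the FQDN identities must be swapped, and the PSK must be identical. The script below is an added example (not AVM or Ubiquiti tooling) that parses both config formats and reports any mismatch; FRITZ_CFG and ERL_CFG are constructed sample input copied from the two configs above, with the same placeholder PSK and hostnames, and the check names are this example's own.

```python
"""Cross-check the FRITZ!Box vpncfg against the EdgeRouter peer definition.
Added example, not AVM or Ubiquiti tooling; both configs are constructed
sample input copied from the post (placeholder PSK and hostnames)."""
import ipaddress
import re

FRITZ_CFG = """
vpncfg {
    connections {
        name = "VPN Yeri";
        localid { fqdn = "fritz.yeri.be"; }
        remoteid { fqdn = "erl.yeri.be"; }
        key = "SOMEPASSWORD";
        use_nat_t = yes;
        phase2localid { ipnet { ipaddr = 192.168.1.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 10.60.111.0; mask = 255.255.255.0; } }
        accesslist = "permit ip any 10.60.111.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

ERL_CFG = """
nat-traversal enable
site-to-site {
    peer fritz.yeri.be {
        authentication {
            pre-shared-secret SOMEPASSWORD
        }
        local-address erl.yeri.be
        tunnel 1 {
            local {
                prefix 10.60.111.0/24
            }
            remote {
                prefix 192.168.1.0/24
            }
        }
    }
}
"""


def parse_vpncfg(text):
    """Parse the FRITZ!Box 'key = value;' / 'key { ... }' syntax into nested
    dicts; comma-separated values (ike_forward_rules) become lists."""
    tokens = re.findall(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+', text)
    pos = 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":
                pos += 1
                out[key] = block()
                pos += 1                                  # closing brace
            else:                                         # '=' value... ';'
                pos += 1
                vals = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        vals.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1                                  # semicolon
                out[key] = vals[0] if len(vals) == 1 else vals
        return out
    return block()


def parse_edgeos(text):
    """Parse EdgeOS 'show vpn ipsec' brace output; block headers such as
    'peer fritz.yeri.be' are kept whole as keys."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, _, val = line.partition(" ")
            cur[key] = val.strip().strip('"')
    return root


def check_peering(fritz_text, erl_text, peer="fritz.yeri.be"):
    """Return the mismatches between the two ends; an empty list means they mirror."""
    conn = parse_vpncfg(fritz_text)["vpncfg"]["connections"]
    erl = parse_edgeos(erl_text)
    erl_peer = erl["site-to-site"][f"peer {peer}"]
    tun = erl_peer["tunnel 1"]

    def net(ipaddr, mask):                # FRITZ!Box gives dotted masks
        return ipaddress.ip_network(f"{ipaddr}/{mask}")

    erl_local = ipaddress.ip_network(tun["local"]["prefix"])
    erl_remote = ipaddress.ip_network(tun["remote"]["prefix"])
    acl = conn["accesslist"].split()      # "permit ip any <net> <mask>"
    checks = {
        "phase2localid must equal ERL remote prefix": net(**conn["phase2localid"]["ipnet"]) == erl_remote,
        "phase2remoteid must equal ERL local prefix": net(**conn["phase2remoteid"]["ipnet"]) == erl_local,
        "accesslist must cover the ERL LAN": net(acl[3], acl[4]) == erl_local,
        "pre-shared keys must match": conn["key"] == erl_peer["authentication"]["pre-shared-secret"],
        "Fritz remoteid must equal ERL local-address": conn["remoteid"]["fqdn"] == erl_peer["local-address"],
        "Fritz localid must equal ERL peer name": conn["localid"]["fqdn"] == peer,
        "NAT-T must be enabled on both ends": (conn["use_nat_t"] == "yes") == (erl.get("nat-traversal") == "enable"),
    }
    return [msg for msg, ok in checks.items() if not ok]
```

Run it against the real files before the first commit (paste the FritzBox .cfg and the output of show vpn ipsec into the two strings): an empty list means the selectors, identities, PSK and NAT-T setting agree, and each returned line names the side that has to change.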

Status:

yeri@sg:~$ show vpn ipsec status
IPSec Process Running PID: 20140

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (no IP on interface statically configured as local-address for any VPN peer)
yeri@sg:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592 ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago
    local  10.60.111.0/24
    remote 192.168.1.0/24

I haven’t really figured out what no IP on interface statically configured as local-address for any VPN peer means yet though.
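Because the FritzBox side was told to accept "all" proposals, the tunnel runs whatever the EdgeRouter offered, and the show vpn ipsec sa output above is the only place that shows the result: IKEv1 with AES-256, SHA-1 integrity and MODP_1024 (DH group 2) on both the IKE SA and the ESP SA. The script below is an added example (not EdgeOS or strongSwan tooling) that parses that output, flags algorithms a current policy would reject, and verifies that the installed traffic selectors are the two LANs from the config. SA_OUTPUT is the status output from this post embedded as constructed sample input, and the FLAGGED table is this example's own policy, not something EdgeOS enforces.

```python
"""Audit 'show vpn ipsec sa' output against a crypto policy and the intended
traffic selectors. Added example (not EdgeOS or strongSwan tooling); SA_OUTPUT
is the post's own status output, embedded here as constructed sample input."""
import re

SA_OUTPUT = """\
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592 ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago
    local  10.60.111.0/24
    remote 192.168.1.0/24
"""

FLAGGED = {                       # policy of this example (strongSwan names); adjust to taste
    "MODP_768": "DH group 1 is broken",
    "MODP_1024": "DH group 2 (1024-bit) is too small",
    "MODP_1536": "DH group 5 is below 2048 bits",
    "DES_CBC": "DES is broken",
    "3DES_CBC": "3DES is deprecated",
    "HMAC_MD5_96": "MD5 integrity is deprecated",
    "HMAC_SHA1_96": "SHA-1 integrity is legacy",
}

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), (IKEv\d)")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), (\w+), (\w+), ESP:(\S+)")
PROPOSAL_RE = re.compile(r"^\s+([A-Z0-9_]+-\d+(?:/[A-Z0-9_]+(?:-\d+)?)+)$")
SELECTOR_RE = re.compile(r"^\s+(local|remote)\s+(\S+/\d+)$")


def parse_sa(text):
    """Return the IKE SAs in the output, each with its proposal and child (ESP) SAs."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            cur = {"name": m[1], "state": m[3], "version": m[4], "proposal": None, "children": []}
            sas.append(cur)
        elif m := CHILD_RE.match(line):
            cur["children"].append({"name": m[1], "state": m[3], "esp": m[5].split("/"), "selectors": {}})
        elif m := PROPOSAL_RE.match(line):          # the bare algorithm line under the IKE SA
            cur["proposal"] = m[1].split("/")
        elif m := SELECTOR_RE.match(line):          # 'local  a.b.c.d/n' under a child SA
            cur["children"][-1]["selectors"][m[1]] = m[2]
    return sas


def audit(text, expected_local, expected_remote):
    """Return policy findings for the SA output; an empty list is a clean tunnel."""
    findings = []
    for sa in parse_sa(text):
        if sa["version"] != "IKEv2":
            findings.append(f"{sa['name']}: {sa['version']} negotiated, IKEv2 preferred")
        for alg in sa["proposal"] or []:
            if alg in FLAGGED:
                findings.append(f"{sa['name']}: IKE SA uses {alg}: {FLAGGED[alg]}")
        for child in sa["children"]:
            for alg in child["esp"]:
                if alg in FLAGGED:
                    findings.append(f"{child['name']}: ESP SA uses {alg}: {FLAGGED[alg]}")
            # With PFS the ESP proposal carries a DH group (MODP_/ECP_/CURVE_ in strongSwan naming)
            if not any(a.startswith(("MODP_", "ECP_", "CURVE_")) for a in child["esp"]):
                findings.append(f"{child['name']}: no PFS group on the ESP SA")
            got = (child["selectors"].get("local"), child["selectors"].get("remote"))
            if got != (expected_local, expected_remote):
                findings.append(f"{child['name']}: selectors {got} are not the intended LANs")
    return findings


if __name__ == "__main__":
    for finding in audit(SA_OUTPUT, "10.60.111.0/24", "192.168.1.0/24"):
        print(finding)
```

On the output above it reports five findings: IKEv1, and SHA-1 integrity plus MODP_1024 on each of the IKE and ESP SAs; the selectors and PFS are fine. If the FritzBox firmware accepts them, raising the EdgeRouter proposals to dh-group 14 and hash sha256 in both FOO0 groups and re-reading show vpn ipsec sa clears the DH and integrity findings.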

Next up: VLANs

Yard Sale: Macbook Pro late 2013

For sale due to getting a portable Macbook:

  • Late 2013 Macbook Pro (15.4″ Retina)
  • 2.3Ghz i7 (quad core + Hyper-Threading)
  • 16Gb RAM
  • 512Gb SSD
  • Intel Iris onboard GFX + Nvidia GeForce GT 750M PCE GFX
  • BE-Azerty keyboard
  • €2445,41 on 28 October 2013
  • SUPER fast
  • Minor scratch in the back of the LCD
  • Minor (not very noticeable) corrosion at the right hand
  • Weird scratch “smear” in LCD display (only visible on white background; about 2x2cm; to be honest it’s not really visible)
  • Apart from that, this very decent Macbook Pro has been used, but it is in very good shape for the extreme work it has done. I have taken care of this device as if it were my own child. And did I mention blazing fast?

Contact: yeri+mbp@tiete.be

Specs:

Processor: 2.3GHz Quad-core Intel Core i7
Memory: 16GB 1600MHz DDR3L SDRAM
Flash Storage: 512GB Flash Storage
Apple Thunderbolt to Enet Adpt: Apple Thunderbolt to Enet Adpt
Apple Thunderbolt to FW Adptr: No FireWire Adapter
Mini DisplayPort to VGA Adptr: No VGA Adapter
Keyboard and Documentation: Keyboard/User's Guide(Z)-BEL
Country Kit: Country Kit-INT

Pictures:

IMG_20160823_010509

It’s a Macbook Pro !

IMG_20160823_010523

“Smear” above “AGE” (really hard to see)

IMG_20160823_010531

Scratch at the back (knocked it against a glass door at night in my old apartment)

IMG_20160823_010450

Corrosion at the right hand (not left, don’t ask why — probably because I use the touch pad all the time).

More info:

Screen Shot 2016-08-23 at 00.50.51

Screen Shot 2016-08-23 at 00.50.54

Screen Shot 2016-08-23 at 00.52.35

Screen Shot 2016-08-23 at 00.54.11

Screen Shot 2016-08-23 at 00.54.28

Yard Sale: Nexus 6

Nexus 6

  • Details
  • New device from end of September (used for one month; I’ve owned a N6 for a longer time, but due to a battery problem, Google swapped it for a brand new device; then I swapped to a Nexus 6P)
  • Midnight Blue edition
  • 64Gb
  • 4G and stuff (side note: reception & signal is a million times better than a Nexus 5)
  • You do of course receive the Moto TurboPower charger with it
  • Bought via Google Play store (comes with warranty, support, etc), original phone bought July 2015, so plenty of warranty left
  • No scratches or anything
  • Comes with Android 6
  • Selling because I own a Nexus 6P
  • Price: offer
  • 2dehands

Includes original packaging/boxes.

Email: yeri+sale@tiete.be

IMG_20160716_113744

IMG_20160716_113752