So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).
This is mostly stuff that I have found from several articles, mostly from here.
ERL: eth0 is WAN, eth1 (10.60.111.0/24) and eth2 (unused, not VPN’ed) are LAN
FritzBoz: 192.168.1.0/24
This is the FritzBox config (go to VPN and them Import a config) fritzvpn.cfg
:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "VPN Yeri";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "erl.yeri.be";
localid {
fqdn = "fritz.yeri.be";
}
remoteid {
fqdn = "erl.yeri.be";
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "SOMEPASSWORD";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.60.111.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 10.60.111.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
Be sure to modify the password, local (Fritz) and remote (ERL) LAN and edit the local and remote fqdn.
This is the ERL config (via ssh, you’ll need to set
this:
[email protected]# show vpn ipsec
auto-update 60
auto-firewall-nat-exclude enable
esp-group FOO0 {
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group FOO0 {
dead-peer-detection {
action restart
interval 60
timeout 60
}
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer fritz.yeri.be {
authentication {
mode pre-shared-secret
pre-shared-secret SOMEPASSWORD
}
connection-type initiate
description "VPN to fritz.yeri.be"
ike-group FOO0
local-address erl.yeri.be
tunnel 1 {
esp-group FOO0
local {
prefix 10.60.111.0/24
}
remote {
prefix 192.168.1.0/24
}
}
}
}
Status:
[email protected]:~$ show vpn ipsec status
IPSec Process Running PID: 20140
1 Active IPsec Tunnels
IPsec Interfaces :
eth0 (no IP on interface statically configured as local-address for any VPN peer)
[email protected]:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
local 'erl.yeri.be' @ 116.87.x.y
remote 'fritz.yeri.be' @ 109.236.x.y
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 1592s ago, reauth in 1333s
peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
installed 1592 ago, rekeying in 1200s, expires in 2009s
in c0bb652e, 1038032 bytes, 10726 packets, 0s ago
out 8d5df3f5, 532685 bytes, 6062 packets, 0s ago
local 10.60.111.0/24
remote 192.168.1.0/24
I haven’t really figured out what no IP on interface statically configured as local-address for any VPN peer
means yet though.
Next up: VLANs