Edgerouter IPsec tunnel to Fritzbox

So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).

This is mostly stuff that I have found from several articles, mostly from here.

ERL: eth0 is WAN, eth1 (10.60.111.0/24) and eth2 (unused, not VPN’ed) are LAN
FritzBox: 192.168.1.0/24

This is the FritzBox config (go to VPN and then import a config), fritzvpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN Yeri";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "erl.yeri.be";
                localid {
                        fqdn = "fritz.yeri.be";
                }
                remoteid {
                        fqdn = "erl.yeri.be";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SOMEPASSWORD";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.60.111.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 10.60.111.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Be sure to change the pre-shared key, the local (Fritz) and remote (ERL) LAN prefixes, and the local and remote FQDNs. The two sides are mirror images: the FritzBox's phase2localid is the ERL tunnel's remote prefix, and vice versa.

This is the ERL config (via SSH); you'll need to set this:

yeri@sg-erl# show vpn ipsec 
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 60
         timeout 60
     }
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer fritz.yeri.be {
         authentication {
             mode pre-shared-secret
             pre-shared-secret SOMEPASSWORD
         }
         connection-type initiate
         description "VPN to fritz.yeri.be"
         ike-group FOO0
         local-address erl.yeri.be
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 10.60.111.0/24
             }
             remote {
                 prefix 192.168.1.0/24
             }
         }
     }
 }

Both proposals pin DH group 2 (1024-bit MODP) with AES-256 and SHA-1, and the FritzBox side offers everything ("all/all/all", "esp-all-all"), so the ERL proposal is what decides the negotiation; the status output below shows MODP_1024 on both the IKE and the ESP SA. If the FritzBox firmware accepts it, move to DH group 14 (2048-bit) or larger, since 1024-bit groups are below current recommendations.

Status:

yeri@sg:~$ show vpn ipsec status
IPSec Process Running PID: 20140

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (no IP on interface statically configured as local-address for any VPN peer)
yeri@sg:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592 ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago
    local  10.60.111.0/24
    remote 192.168.1.0/24

I haven't really figured out what "no IP on interface statically configured as local-address for any VPN peer" means yet though.
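As an added check (not part of the original post, and not a tool shipped with EdgeOS or the FritzBox), here is a small parser for the show vpn ipsec sa output above. It reports whether a CHILD SA is installed for the two LAN prefixes from the configs and flags legacy crypto such as the 1024-bit DH group that was negotiated. The sample output in the script is constructed from the status block above, with the anonymised addresses kept and the two SA names made consistent.

```python
"""Parse EdgeOS (strongSwan) 'show vpn ipsec sa' output and assess the tunnel.

Added example for this post, not a tool shipped with EdgeOS or the FritzBox.
SAMPLE_SA is constructed from the status block in the post: the addresses stay
anonymised and the two SA names are made consistent.
"""
import re
import sys

SAMPLE_SA = """\
peer-fritz.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592s ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago
    local  10.60.111.0/24
    remote 192.168.1.0/24
"""

# Components that should not show up in a fresh deployment.  HMAC-SHA1 is not
# listed on purpose: legacy, but not broken as a MAC.
WEAK_MARKERS = ("MODP_768", "MODP_1024", "MODP_1536", "MD5", "DES_CBC", "3DES", "NULL")

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), (IKEv[12]),")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), (\w+), (TUNNEL|TRANSPORT), ESP:(\S+)")
IKE_PROP_RE = re.compile(r"^\s+(\S+/PRF_\S+)$")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\d+\.\d+\.\d+\.\d+/\d+)$")


def weak_algs(proposal):
    """Components of an algorithm string that match WEAK_MARKERS."""
    return [tok for tok in proposal.split("/") if any(m in tok for m in WEAK_MARKERS)]


def parse_ipsec_sa(text):
    """Return a list of IKE SAs, each carrying its CHILD (ESP) SAs."""
    sas, ike, child = [], None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = {"name": m.group(1), "state": m.group(3), "version": m.group(4),
                   "ike_proposal": None, "weak": [], "children": []}
            sas.append(ike)
            child = None
            continue
        if ike is None:
            continue
        m = CHILD_RE.match(line)
        if m:
            child = {"name": m.group(1), "state": m.group(3), "mode": m.group(4),
                     "esp": m.group(5), "weak": weak_algs(m.group(5)),
                     "local": None, "remote": None}
            ike["children"].append(child)
            continue
        m = IKE_PROP_RE.match(line)
        if m and child is None:
            ike["ike_proposal"] = m.group(1)
            ike["weak"] = weak_algs(m.group(1))
            continue
        m = TS_RE.match(line)
        if m and child is not None:
            child[m.group(1)] = m.group(2)
    return sas


def assess(sas, expected_local, expected_remote):
    """Is a CHILD SA installed for the expected prefixes, with acceptable crypto?"""
    problems, warnings, up = [], [], False
    for ike in sas:
        if ike["state"] != "ESTABLISHED":
            problems.append(f"{ike['name']}: IKE SA is {ike['state']}")
            continue
        if ike["version"] == "IKEv1":
            warnings.append(f"{ike['name']}: IKEv1 negotiated; prefer IKEv2 where both ends support it")
        warnings += [f"{ike['name']}: IKE proposal uses {tok}" for tok in ike["weak"]]
        for ch in ike["children"]:
            if ch["state"] != "INSTALLED":
                problems.append(f"{ch['name']}: CHILD SA is {ch['state']}")
            elif (ch["local"], ch["remote"]) == (expected_local, expected_remote):
                up = True
                warnings += [f"{ch['name']}: ESP uses {tok}" for tok in ch["weak"]]
            else:
                problems.append(f"{ch['name']}: selectors {ch['local']} <-> {ch['remote']} "
                                "are not the expected prefixes")
    if not up:
        problems.append(f"no installed CHILD SA for {expected_local} <-> {expected_remote}")
    return {"up": up, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    # Pipe the real output in; with no stdin the sample is assessed.
    text = SAMPLE_SA if sys.stdin.isatty() else sys.stdin.read()
    local = sys.argv[1] if len(sys.argv) > 1 else "10.60.111.0/24"
    remote = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.0/24"
    report = assess(parse_ipsec_sa(text), local, remote)
    print("tunnel up" if report["up"] else "tunnel DOWN")
    for line in report["problems"] + report["warnings"]:
        print(" -", line)
```

The script needs Python 3.6 or newer, so run it on a monitoring host and feed it the router's output over ssh; on EdgeOS the op-mode command can be run non-interactively through /opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa. On the sample it reports the tunnel up with no problems and three warnings: IKEv1, and MODP_1024 on both the IKE proposal and the ESP SA.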

Next up: VLANs

EVA and WiFi

So I am flying EVA from SIN – TPE – JFK and back. For the first time I also went to the dark side (16hrs was too long to be locked up with just my mind) and got onboard WiFi.

This seems to come with unlimited data for ~20USD for 24hrs. I manage to stream Google Music just fine.

I totally went Matrix mode during the flight. While the flight is half empty I am wondering if they think I am haxoring it now.

EVA uses T-Mobile Germany as carrier.

Public IP routes to a German IP (and Google redirects to Google.de).

nazgul ~ $ curl canhazip.com
88.128.80.215

Whois info:

[…]

inetnum: 88.128.80.0 - 88.128.95.255
netname: ca-de
descr: Telekom Deutschland GmbH
country: DE
admin-c: TH12429-RIPE
tech-c: AS8728-RIPE
tech-c: MS47198-RIPE
remarks: ***************************************************************************
remarks: Please send any abuse complaints to: abuse@telekom.de
remarks: Behoerdenauskuenfte koennen nur ueber folgende Ruf- bzw. Faxnummern beantwortet werden:
remarks: Fax: 0180-18812-66 (0,039 Euro/Minute aus dem Festnetz der Deutschen Telekom AG.)
remarks: Tel.: 0180-18812-77 (0,039 Euro/Minute aus dem Festnetz der Deutschen Telekom AG.)
remarks: ***************************************************************************
status: ASSIGNED PA
mnt-by: MNT-TMD
created: 2008-05-06T07:54:12Z
last-modified: 2012-07-30T08:54:39Z
source: RIPE

Traceroutes are quite odd:

nazgul ~ $ traceroute yeri.be
traceroute to yeri.be (83.149.69.152), 64 hops max, 52 byte packets
1 ns.evawifi.com (172.19.248.1) 3.429 ms 2.746 ms 2.921 ms
2 10.207.1.1 (10.207.1.1) 2.998 ms 2.535 ms 2.455 ms
3 172.18.15.41 (172.18.15.41) 553.837 ms 536.711 ms 541.207 ms
4 172.18.14.34 (172.18.14.34) 615.658 ms 534.722 ms 536.465 ms
5 * * *
6 yeri.be (83.149.69.152) 728.306 ms 749.172 ms 738.020 ms
7 yeri.be (83.149.69.152) 743.171 ms 735.898 ms 858.885 ms
8 yeri.be (83.149.69.152) 731.611 ms 764.056 ms 734.694 ms
9 yeri.be (83.149.69.152) 745.765 ms 745.182 ms 729.407 ms
10 yeri.be (83.149.69.152) 745.248 ms 1002.078 ms 750.183 ms
11 yeri.be (83.149.69.152) 901.702 ms 758.616 ms 898.359 ms
12 yeri.be (83.149.69.152) 750.162 ms 779.888 ms 863.083 ms
13 yeri.be (83.149.69.152) 777.654 ms 777.442 ms 750.133 ms
14 yeri.be (83.149.69.152) 745.435 ms 783.786 ms 942.607 ms
15 yeri.be (83.149.69.152) 926.653 ms 939.882 ms 830.519 ms
16 yeri.be (83.149.69.152) 1239.295 ms 754.112 ms 753.986 ms
nazgul ~ $ traceroute google.com
traceroute to google.com (172.217.17.46), 64 hops max, 52 byte packets
1 ns.evawifi.com (172.19.248.1) 1.716 ms 1.200 ms 2.627 ms
2 10.207.1.1 (10.207.1.1) 2.155 ms 1.932 ms 2.165 ms
3 172.18.15.41 (172.18.15.41) 583.366 ms 588.440 ms 730.303 ms
4 172.18.14.34 (172.18.14.34) 552.347 ms 963.682 ms 550.350 ms
5 172.30.1.34 (172.30.1.34) 841.324 ms * 637.136 ms
6 ams16s29-in-f46.1e100.net (172.217.17.46) 752.359 ms 744.614 ms 819.851 ms
7 ams16s29-in-f46.1e100.net (172.217.17.46) 735.554 ms 737.249 ms 785.678 ms
8 ams16s29-in-f46.1e100.net (172.217.17.46) 766.046 ms 738.774 ms 750.276 ms
9 ams16s29-in-f46.1e100.net (172.217.17.46) 817.491 ms 736.133 ms 765.344 ms
10 ams16s29-in-f46.1e100.net (172.217.17.46) 1047.754 ms 754.939 ms *
11 * ams16s29-in-f46.1e100.net (172.217.17.46) 761.013 ms 762.848 ms
12 * ams16s29-in-f46.1e100.net (172.217.17.46) 840.602 ms 750.186 ms
13 ams16s29-in-f46.1e100.net (172.217.17.46) 935.149 ms 808.133 ms 745.638 ms
14 ams16s29-in-f46.1e100.net (172.217.17.46) 736.075 ms 881.481 ms 788.661 ms
15 * * *
16 ams16s29-in-f46.1e100.net (172.217.17.46) 876.269 ms 1195.194 ms 754.661 ms
17 ams16s29-in-f46.1e100.net (172.217.17.46) 749.985 ms 850.065 ms 742.763 ms
18 ams16s29-in-f46.1e100.net (172.217.17.46) 737.418 ms 1079.194 ms 751.415 ms
19 ams16s29-in-f46.1e100.net (172.217.17.46) 765.339 ms 763.116 ms 754.928 ms
20 ams16s29-in-f46.1e100.net (172.217.17.46) 765.059 ms 767.733 ms 762.777 ms
21 ams16s29-in-f46.1e100.net (172.217.17.46) 860.458 ms 780.965 ms 757.507 ms
22 ams16s29-in-f46.1e100.net (172.217.17.46) 768.432 ms 747.930 ms 764.553 ms
23 ams16s29-in-f46.1e100.net (172.217.17.46) 758.869 ms 747.489 ms 751.329 ms
24 ams16s29-in-f46.1e100.net (172.217.17.46) 797.699 ms 818.899 ms *
nazgul ~ $ traceroute t-mobile.de
traceroute to t-mobile.de (46.29.100.15), 64 hops max, 52 byte packets
1 ns.evawifi.com (172.19.248.1) 1.978 ms 1.080 ms 1.071 ms
2 10.207.1.1 (10.207.1.1) 4.575 ms 1.885 ms 1.847 ms
3 172.18.15.41 (172.18.15.41) 540.670 ms 739.430 ms 787.836 ms
4 172.18.14.34 (172.18.14.34) 646.621 ms 775.771 ms 562.301 ms
5 * 172.30.1.34 (172.30.1.34) 630.660 ms *
6 46.29.100.15 (46.29.100.15) 1014.377 ms 813.739 ms 755.431 ms
7 46.29.100.15 (46.29.100.15) 766.290 ms 805.572 ms 735.697 ms
8 46.29.100.15 (46.29.100.15) 806.918 ms 792.377 ms 945.535 ms
9 46.29.100.15 (46.29.100.15) 783.751 ms 736.085 ms 781.832 ms
10 46.29.100.15 (46.29.100.15) 817.682 ms 738.980 ms 1031.463 ms
11 46.29.100.15 (46.29.100.15) 872.993 ms 767.682 ms 807.777 ms
12 46.29.100.15 (46.29.100.15) 986.659 ms 804.279 ms 806.750 ms
13 46.29.100.15 (46.29.100.15) 846.340 ms 767.556 ms 939.215 ms
14 46.29.100.15 (46.29.100.15) 737.330 ms 759.259 ms 786.724 ms
15 * * *
16 * * *

Not very sure what witchery is going on here though.
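An added way to put numbers on that, not something from the post: the script below parses traceroute output like the runs above and reports the largest RTT step between consecutive answering hops and from which TTL onward the destination address itself answers. On the yeri.be trace it finds a step of about 540 ms after hop 2 (a delay of that size is consistent with a geostationary satellite segment) and the destination answering at eleven consecutive TTLs, which a normal trace never shows because it stops at the first reply from the destination; whoever is replying there, it is not a series of distinct routers. The sample input is that trace, copied from above.

```python
"""Summarise a traceroute: where the RTT jumps, and from which TTL onward the
destination address itself keeps answering.

Added example for this post, not a tool the author ran.  SAMPLE_TRACE is the
yeri.be trace from the post, used here as constructed input.
"""
import re
import sys
from statistics import median

SAMPLE_TRACE = """\
traceroute to yeri.be (83.149.69.152), 64 hops max, 52 byte packets
1 ns.evawifi.com (172.19.248.1) 3.429 ms 2.746 ms 2.921 ms
2 10.207.1.1 (10.207.1.1) 2.998 ms 2.535 ms 2.455 ms
3 172.18.15.41 (172.18.15.41) 553.837 ms 536.711 ms 541.207 ms
4 172.18.14.34 (172.18.14.34) 615.658 ms 534.722 ms 536.465 ms
5 * * *
6 yeri.be (83.149.69.152) 728.306 ms 749.172 ms 738.020 ms
7 yeri.be (83.149.69.152) 743.171 ms 735.898 ms 858.885 ms
8 yeri.be (83.149.69.152) 731.611 ms 764.056 ms 734.694 ms
9 yeri.be (83.149.69.152) 745.765 ms 745.182 ms 729.407 ms
10 yeri.be (83.149.69.152) 745.248 ms 1002.078 ms 750.183 ms
11 yeri.be (83.149.69.152) 901.702 ms 758.616 ms 898.359 ms
12 yeri.be (83.149.69.152) 750.162 ms 779.888 ms 863.083 ms
13 yeri.be (83.149.69.152) 777.654 ms 777.442 ms 750.133 ms
14 yeri.be (83.149.69.152) 745.435 ms 783.786 ms 942.607 ms
15 yeri.be (83.149.69.152) 926.653 ms 939.882 ms 830.519 ms
16 yeri.be (83.149.69.152) 1239.295 ms 754.112 ms 753.986 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_traceroute(text):
    """Return (target_ip, hops); each hop is (ttl, [responding ips], [rtts in ms])."""
    target, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            rest = m.group(2)  # '* * *' yields no ips and no rtts
            hops.append((int(m.group(1)), IP_RE.findall(rest),
                         [float(r) for r in RTT_RE.findall(rest)]))
    return target, hops


def summarise(target, hops):
    """Largest step in median RTT between consecutive answering hops, and how
    many TTLs were answered by the target address itself."""
    dest_ttls = [ttl for ttl, ips, _ in hops if target in ips]
    jump_after, jump_ms, prev = None, 0.0, None
    for ttl, _, rtts in hops:
        if not rtts:
            continue  # silent hop: nothing to compare against
        med = median(rtts)
        if prev is not None and med - prev[1] > jump_ms:
            jump_after, jump_ms = prev[0], med - prev[1]
        prev = (ttl, med)
    return {"first_dest_ttl": dest_ttls[0] if dest_ttls else None,
            "dest_answer_count": len(dest_ttls),
            "jump_after_ttl": jump_after, "jump_ms": round(jump_ms, 1)}


if __name__ == "__main__":
    # Pipe 'traceroute host' output in; with no stdin the sample is used.
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    print(summarise(*parse_traceroute(text)))
```

The google.com and t-mobile.de runs above give the same picture when piped in: the step sits after hop 2 in all three, and the destination starts answering at TTL 6 every time, regardless of which network the destination is actually in.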

ARP shows AP isolation and two different servers running for the WiFi:

nazgul ~ $ arp -a
ns.evawifi.com (172.19.248.1) at 0:d:2e:0:40:1 on en0 ifscope [ethernet]
www.evawifi.com (172.19.248.2) at 0:d:2e:0:0:a8 on en0 ifscope [ethernet]
? (172.19.249.255) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.192.0.0) at 1:0:5e:40:0:0 on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]

There seems to be a transparent Squid/3.4.6 caching proxy running.

More random things can be found here.

Yard Sale – Free pick up

Free pick up in Grimbergen, Diegem or Brussels North.

Email: yeri+sale@tiete.be

Everything has been stored for a while in my garage and is untested.

Dual P3 1u server

IMG_20160716_110703  IMG_20160716_110708  IMG_20160716_110720

  • 1U dual Pentium 3 1 GHz server
  • 2x 72.8 GB 10k rpm SCSI disks (one has probably died)
  • 1280 MB RAM
  • Served for years as mail and web server in an Amsterdam datacenter; I got it second-hand myself after it had served in a Belgian datacenter (IIRC)
  • 2dehands

Intel Pentium D desktop server

IMG_20160716_110005  IMG_20160716_110011  IMG_20160716_110153

  • Pentium D CPU (32bit), don’t remember any more specs
  • Seems to have 4 GB of RAM (untested)
  • 2x 160 GB SATA disks
  • 2dehands

AMD64 Athlon desktop

IMG_20160716_110055

  • No disks
  • Seems to have 1GB of RAM (untested)
  • Athlon64 something. You know. One of those first 64-bit CPUs when AMD was still awesome. 🙂
  • 2dehands

APC Smart UPS

IMG_20160716_110640  IMG_20160716_110646

  • 4U rack-mounted UPS
  • “SmartUPS 1000”
  • With the right cables (not provided) I believe there was a managed console/interface
  • Comes with batteries but I’m 99% sure the batteries are dead by now
  • It's freaking heavy
  • Awesome UPS that proved its use back in the days
  • 2dehands

Postfix & Courier & Letsencrypt

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change or add these lines (check the paths too!):

# Let's Encrypt key and full chain (check the paths!)
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
# Opportunistic TLS inbound (smtpd) and outbound (smtp); the security_level
# settings supersede the obsolete smtpd_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Never offer SASL AUTH on an unencrypted connection
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
# Drop anonymous, export-grade, DES/3DES, RC4 and MD5 suites
# (mind the spelling: a misspelled name matches nothing and excludes nothing)
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
# DH parameters for the EDH suites; a 2048-bit group is fine despite the parameter name
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

And restart postfix: /etc/init.d/postfix restart

As for Courier, you'll need to concatenate the key and the full chain into one file (again, check the path; it's most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

The combined file contains the private key, so keep it owned by root and not world-readable.

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl and set the certificate path:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart
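As an added check (not the author's sync script), here is a Python script that lints the TLS block of main.cf for the mistakes that are easy to make when copying the lines above (a setting given twice, a misspelled cipher name that then excludes nothing, AUTH still reachable in the clear) and, given a host name, probes Postfix STARTTLS and Courier IMAPS/POP3S to report the negotiated protocol, cipher and days until the certificate expires. The sample main.cf inside the script is constructed from the settings in this post, with one cipher name deliberately misspelled so the linter has something to catch; the main.cf path and host name on the command line are yours.

```python
"""Lint the TLS block of a Postfix main.cf and probe the live services.

Added example for this post; it is not the author's sync script.  SAMPLE_MAIN_CF
is constructed from the settings in the post, with one cipher name deliberately
misspelled so the linter has something to catch.
"""
import re
import smtplib
import socket
import ssl
import sys
from datetime import datetime, timezone

SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
"""

# Building blocks of OpenSSL cipher names and keywords.  A token made of anything
# else (CDB3 above) matches no suite, so it excludes nothing and nobody notices.
KNOWN_COMPONENTS = {
    "aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5", "PSK", "aECDH", "KRB5",
    "EDH", "DHE", "ECDHE", "ECDH", "RSA", "DSS", "CBC3", "3DES", "SHA", "SHA256",
    "SHA384", "AES128", "AES256", "GCM", "CHACHA20", "POLY1305", "LOW", "MEDIUM",
    "HIGH", "SEED", "CAMELLIA128", "CAMELLIA256",
}


def parse_main_cf(text):
    """Return (settings, duplicated keys).  Postfix keeps the last assignment."""
    settings, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def lint_tls(settings, duplicates):
    """Checks a reviewer would make on the TLS block; returns a list of findings."""
    findings = [f"{k} is set more than once; only the last value counts" for k in duplicates]
    for side in ("smtpd", "smtp"):
        if f"{side}_tls_security_level" not in settings:
            findings.append(f"{side}_tls_security_level is missing ({side}_use_tls alone is obsolete)")
    if settings.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only should be yes so AUTH is never offered in the clear")
    for tok in re.split(r"[,\s]+", settings.get("smtpd_tls_exclude_ciphers", "")):
        if tok and not set(tok.split("-")) <= KNOWN_COMPONENTS:
            findings.append(f"cipher token {tok!r} is not an OpenSSL name; probably a typo, excludes nothing")
    return findings


def probe_tls(host, port, starttls, timeout=10):
    """Negotiate TLS and report protocol, cipher and days until the certificate
    expires.  For STARTTLS (Postfix) also record whether AUTH was advertised
    before encryption, which smtpd_tls_auth_only = yes must prevent."""
    ctx = ssl.create_default_context()
    auth_before_tls = None
    if starttls:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        auth_before_tls = smtp.has_extn("auth")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after STARTTLS
        sock = smtp.sock
    else:  # implicit TLS, e.g. Courier IMAPS 993 / POP3S 995
        sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                               server_hostname=host)
    not_after = ssl.cert_time_to_seconds(sock.getpeercert()["notAfter"])
    days_left = (not_after - datetime.now(timezone.utc).timestamp()) / 86400
    result = {"protocol": sock.version(), "cipher": sock.cipher()[0],
              "days_left": round(days_left, 1), "auth_before_tls": auth_before_tls}
    if starttls:
        smtp.quit()
    else:
        sock.close()
    return result


if __name__ == "__main__":
    # usage: lint_mail_tls.py [/etc/postfix/main.cf] [mail.example.org]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    for finding in lint_tls(*parse_main_cf(text)):
        print("main.cf:", finding)
    if len(sys.argv) > 2:
        host = sys.argv[2]
        print("smtp/25 STARTTLS:", probe_tls(host, 25, starttls=True))
        print("imaps/993:", probe_tls(host, 993, starttls=False))
        print("pop3s/995:", probe_tls(host, 995, starttls=False))
```

Run it after each renewal and restart: days_left should be close to 90 for a fresh Let's Encrypt certificate (a small value means the old one is still being served), and auth_before_tls must be False. Note that the cipher-name check is a heuristic built from a fixed vocabulary of OpenSSL name components; a suite name made of components it does not know is reported even if valid, which is the safer failure mode for an exclude list.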