Edgerouter IPsec tunnel to Fritzbox

So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).

This is mostly stuff that I have found from several articles, mostly from here.

ERL: eth0 is WAN, eth1 ( and eth2 (unused, not VPN’ed) are LAN

This is the FritzBox config (go to VPN and them Import a config) fritzvpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN Yeri";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip =;
                local_virtualip =;
                remoteip =;
                remote_virtualip =;
                remotehostname = "erl.yeri.be";
                localid {
                        fqdn = "fritz.yeri.be";
                remoteid {
                        fqdn = "erl.yeri.be";
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SOMEPASSWORD";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr =;
                                mask =;
                phase2remoteid {
                        ipnet {
                                ipaddr =;
                                mask =;
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any";
        ike_forward_rules = "udp", 

Be sure to modify the password, local (Fritz) and remote (ERL) LAN and edit the local and remote fqdn.

This is the ERL config (via ssh, you’ll need to set this:

yeri@sg-erl# show vpn ipsec 
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     proposal 1 {
         encryption aes256
         hash sha1
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 60
         timeout 60
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
 ipsec-interfaces {
     interface eth0
 nat-networks {
     allowed-network {
 nat-traversal enable
 site-to-site {
     peer fritz.yeri.be {
         authentication {
             mode pre-shared-secret
             pre-shared-secret SOMEPASSWORD
         connection-type initiate
         description "VPN to fritz.yeri.be"
         ike-group FOO0
         local-address erl.yeri.be
         tunnel 1 {
             esp-group FOO0
             local {
             remote {


yeri@sg:~$ show vpn ipsec status
IPSec Process Running PID: 20140

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (no IP on interface statically configured as local-address for any VPN peer)
yeri@sg:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592 ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago

I haven’t really figured out what no IP on interface statically configured as local-address for any VPN peer means yet though.

Next up: VLANs

Singapore expat part 3: unified payment system across transport

Just like Hong Kong (Octopus), Seoul (T-Money) and London (Oyster), Singapore has a public transport card (Ez-Link). Like HK and Seoul, you can use this card for small payments in 7/11 alike shops.

This payment card works on all transport modes. Bus. MRT (metro). No matter who operates it.

Sadly it doesn’t work on taxis though.

Nonetheless. With a bunch of different players (SMRT, SBS, any other? But the same is true for London — and they have more players on the market) they have one simple unified payment system (and prices are the same no matter who is operating).

Why is this not possible in Belgium? Don’t get me started on MOBIB.  “In order to travel validly on the networks of the various operators, you will need to store a valid transport tickets on your MOBIB card for each of the mobility operators you intend to travel with.” That’s a joke.