1 – Yeri Tiete https://yeri.be/tag/1/ Yeri Tiete's blog en © Yeri Tiete Wed, 08 Feb 2017 21:18:10 +0100 Edgerouter IPsec tunnel to Fritzbox https://yeri.be/edgerouter-fritzbox-ipsec/ Wed, 08 Feb 2017 21:18:10 +0100 Yeri Tiete https://yeri.be/edgerouter-fritzbox-ipsec/ <p>So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).</p> <p>This is mostly stuff that I have found from several articles, mostly from <a href="https://community.ubnt.com/t5/EdgeMAX/HOW-TO-IPSec-Site-to-Site-VPN-with-both-dynamic-IPs-between/m-p/1548055#U1548055" target="_blank" rel="noopener">here</a>.</p> <p>ERL: eth0 is WAN, eth1 (10.60.111.0/24) and eth2 (unused, not VPN&rsquo;ed) are LAN FritzBoz: 192.168.1.0/24</p> <p>This is the FritzBox config (go to VPN and them Import a config) <code>fritzvpn.cfg</code>:</p> <pre>vpncfg { connections { enabled = yes; conn_type = conntype_lan; name = "VPN Yeri"; always_renew = yes; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 0.0.0.0; remote_virtualip = 0.0.0.0; remotehostname = "erl.yeri.be"; localid { fqdn = "fritz.yeri.be"; } remoteid { fqdn = "erl.yeri.be"; } mode = phase1_mode_idp; phase1ss = "all/all/all"; keytype = connkeytype_pre_shared; key = "SOMEPASSWORD"; cert_do_server_auth = no; use_nat_t = yes; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = 192.168.1.0; mask = 255.255.255.0; } } phase2remoteid { ipnet { ipaddr = 10.60.111.0; mask = 255.255.255.0; } } phase2ss = "esp-all-all/ah-none/comp-all/pfs"; accesslist = "permit ip any 10.60.111.0 255.255.255.0"; } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; }</pre> <p>Be sure to modify the password, local (Fritz) and remote (ERL) LAN and edit the local and remote fqdn.</p> So, I have an EdgeRouter Lite in Singapore (Starhub) and a FritzBox in Belgium (EDPnet).

This is mostly stuff that I have found from several articles, mostly from here.

ERL: eth0 is WAN, eth1 (10.60.111.0/24) and eth2 (unused, not VPN’ed) are LAN FritzBoz: 192.168.1.0/24

This is the FritzBox config (go to VPN and them Import a config) fritzvpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN Yeri";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "erl.yeri.be";
                localid {
                        fqdn = "fritz.yeri.be";
                }
                remoteid {
                        fqdn = "erl.yeri.be";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SOMEPASSWORD";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.60.111.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 10.60.111.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Be sure to modify the password, local (Fritz) and remote (ERL) LAN and edit the local and remote fqdn.

This is the ERL config (via ssh, you’ll need to set this:

yeri@sg-erl# show vpn ipsec 
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 60
         timeout 60
     }
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer fritz.yeri.be {
         authentication {
             mode pre-shared-secret
             pre-shared-secret SOMEPASSWORD
         }
         connection-type initiate
         description "VPN to fritz.yeri.be"
         ike-group FOO0
         local-address erl.yeri.be
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 10.60.111.0/24
             }
             remote {
                 prefix 192.168.1.0/24
             }
         }
     }
 }

Status:

yeri@sg:~$ show vpn ipsec status
IPSec Process Running PID: 20140

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (no IP on interface statically configured as local-address for any VPN peer)
yeri@sg:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
  local  'erl.yeri.be' @ 116.87.x.y
  remote 'fritz.yeri.be' @ 109.236.x.y
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1592s ago, reauth in 1333s
  peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1592 ago, rekeying in 1200s, expires in 2009s
    in  c0bb652e, 1038032 bytes, 10726 packets,     0s ago
    out 8d5df3f5, 532685 bytes,  6062 packets,     0s ago
    local  10.60.111.0/24
    remote 192.168.1.0/24

I haven’t really figured out what no IP on interface statically configured as local-address for any VPN peer means yet though.

Next up: VLANs

]]> hardwarelinuxnetworking 19ubiquitivpn Belgian bank & SSL slashdot effect https://yeri.be/belgian-bank-ssl-slashdot-effect/ Sat, 28 Feb 2015 10:11:01 +0100 Yeri Tiete https://yeri.be/belgian-bank-ssl-slashdot-effect/ <p>Quick wrap up of the <a href="https://en.wikipedia.org/wiki/Slashdot_effect" target="_blank" rel="noopener noreferrer">slashdot effect</a> 10 days ago.</p> <p>A peak of 12k views on Monday 16/02, with a small&nbsp;buildup on Sunday (15/02).</p> <figure class="wp-block-image"><a href="https://static.yeri.be/2015/02/slashdot.png"><img src="https://static.yeri.be/2015/02/slashdot-1024x306.png" alt="slashdot" class="wp-image-7007"/></a></figure> <p class="has-text-align-center"></p> <p>The top pages were <a href="https://yeri.be/belgian-banks-ssl-part-3">Part 3</a>, <a href="https://yeri.be/belgian-banks-ssl">Part 1</a>, <a href="https://yeri.be/belgian-banks-ssl-part-4">Part 4</a> and <a href="https://yeri.be/belgian-banks-ssl-part-2">Part 2</a> respectively.</p> <p>De Redactie is the highest referrer, surpassing <a href="https://twitter.com/demorgen/status/567268960047874048" target="_blank" rel="noopener noreferrer">De Morgen</a> (first to publish in printed media, front page) &amp; <a href="http://datanews.knack.be/ict/ssl-beveiliging-van-de-belgische-banken-zo-lek-als-een-zeef/article-normal-533611.html" target="_blank" rel="noopener noreferrer">Datanews</a>&nbsp;(first to publish online):</p> <figure class="wp-block-image"><a href="https://static.yeri.be/2015/02/referrer.png"><img src="https://static.yeri.be/2015/02/referrer-1024x367.png" alt="referrer" class="wp-image-7008"/></a></figure> <p class="has-text-align-center"></p> <p>Second highest, after Twitter (<a href="https://t.co/" target="_blank" rel="noopener noreferrer">t.co</a>), was <a href="https://tweakers.net/nieuws/101397/belgische-banken-hebben-ssl-beveiliging-niet-op-orde.html" target="_blank" rel="noopener noreferrer">Tweakers</a> (Dutch website, oddly enough).</p> <p>OS wise, about 60% is Windows, 12% of OSX and 10% of iOS; 79% desktop, 15% phones, 6% tablets. Way more mobile than I expected to be honest.</p> Belgian bank & SSL slashdot effect

Quick wrap up of the slashdot effect 10 days ago.

A peak of 12k views on Monday 16/02, with a small buildup on Sunday (15/02).

slashdot

The top pages were Part 3, Part 1, Part 4 and Part 2 respectively.

De Redactie is the highest referrer, surpassing De Morgen (first to publish in printed media, front page) & Datanews (first to publish online):

referrer

Second highest, after Twitter (t.co), was Tweakers (Dutch website, oddly enough).

OS wise, about 60% is Windows, 12% of OSX and 10% of iOS; 79% desktop, 15% phones, 6% tablets. Way more mobile than I expected to be honest.

This was easily handled on a Debian virtual machine: running a dual core Xeon vCPU (3.2Ghz) with 2Gb of RAM. Nginx as webserver. No slowdown was noticed. Google Analytics reported peaks of ~100 concurrent users (but not sure what timeframe they consider "concurrent").

network

There was, what looks like, a DoS on Monday around 12h00 for about 30 minutes causing a 100% load (2.00 linux load, on 2 vCPUs), however there was no out of the ordinary traffic data peak -- but I didn't have time to look into it, and by the time I had notice it was already long over.

load

cpu

Interesting networks:

  • Usually Telenet & Belgacom consumer networks are high above anything else (they were still #1 and #2 respectively, this time), but closely following up where a lot of corporate networks, as as these:
  • Bank van Breda (177 pageviews)
  • ING (167)
  • Fortis (125)
  • KBC (114)
  • AXA (104)
  • And others (< 50 pageviews) Ogone, HP, Crelan, Argenta, Infrabel, Deutsche Bank, Microsoft, Vlaamse Overheid, AGFA, Getronics, De Post, etc.

Interesting referrers:

  • a bunch of intranets (fedict, kbc, ing),
  • a bunch of bank website & mailings: updated list on part 4.

Interesting reads:

  • Frank,
  • And a few comments on part 3 and part 4.

Ripple effect:

]]> misc 12belgiummediaslashdotssl