Why an IPsec tunnel?
Previously I used a tinc tunnel between me and my parents’ server. This was not ideal, because my parents’ server had to be the gateway for some things to be usable via the tunnel, while the FRITZ!Box was the real gateway. Since I wanted to replace my gateway with an EdgeRouter Lite, I used this to set up an IPsec tunnel with the FRITZ!Box.
VPN setup on the FRITZ!Box
When searching the internet I found a good guide by Yeri and used it to create the VPN config.
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "VPN parents-me";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "lacel.example.org";
        localid {
            fqdn = "chiad.example.org";
        }
        remoteid {
            fqdn = "lacel.example.org";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "**********";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 10.0.3.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.0.0.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 10.0.0.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Both example.org hostnames have to resolve to the right IPs for this to work. Note that phase1ss = "all/all/all" and phase2ss = "esp-all-all/ah-none/comp-all/pfs" make the FRITZ!Box accept every proposal it supports, so the algorithms actually negotiated are the ones the EdgeRouter proposes (AES-256/SHA-1 with DH group 2 in the EdgeRouter config below); the FRITZ!Box side only insists on PFS for phase 2. Then I loaded this configuration into the FRITZ!Box by going to Internet -> Permit Access -> VPN and clicking Add VPN Connection. There I chose Import a VPN configuration from an existing VPN settings file and loaded the file above. To activate this functionality, the FRITZ!Box has to be rebooted.
IPsec on EdgeRouter
To set up the EdgeRouter Lite I used the following configuration. FOO0 is just a group name; the same names are used when the config is created from the GUI. My external interface is a PPPoE connection to my ISP. Keep in mind that dh-group 2 is 1024-bit MODP, the weakest group still in common use; pick a larger group if the other end offers one.
set system offload ipsec enable
edit vpn ipsec
set auto-firewall-nat-exclude enable
set ipsec-interfaces interface pppoe0
edit esp-group FOO0
set compression disable
set lifetime 3600
set mode tunnel
set pfs enable
set proposal 1 encryption aes256
set proposal 1 hash sha1
top
# key-exchange, dh-group and the 28800 s lifetime are ike-group settings, not esp-group settings
edit vpn ipsec ike-group FOO0
set ikev2-reauth no
set key-exchange ikev1
set lifetime 28800
set proposal 1 dh-group 2
set proposal 1 encryption aes256
set proposal 1 hash sha1
top
# this matches the vpncfg.connections.localid.fqdn of the fritz config
edit vpn ipsec site-to-site peer chiad.example.org
set authentication mode pre-shared-secret
set authentication pre-shared-secret **********
set connection-type initiate
set description 'VPN to chiad.example.org'
set ike-group FOO0
set ikev2-reauth inherit
set local-address 83.A.B.C
edit tunnel 1
set allow-nat-networks disable
set allow-public-networks disable
set esp-group FOO0
set local prefix 10.0.0.0/24
set remote prefix 10.0.3.0/24
top
At first I used 83.D.E.F as the site-to-site peer name, but this resulted in only getting to the “isakmp: phase 2/others ? inf[E]” stage when setting up the connection, which is what I saw with tcpdump on the EdgeRouter. To fix that issue I had to change the site-to-site peer name to match the value (chiad.example.org) configured on the FRITZ!Box.
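To catch this kind of mismatch before rebooting the FRITZ!Box, here is an added consistency check (my example; not code from the post, AVM or Ubiquiti). It parses both configurations and verifies that the EdgeOS peer name equals the FRITZ!Box localid fqdn, that the phase 2 selectors and the accesslist are mirror images of each other, that the ike-group speaks IKEv1 for phase1_mode_idp (main mode), and that the esp-group does not disable PFS while phase2ss asks for it. The embedded configs are copied from this post but trimmed to the fields the check reads; the vpncfg parser handles the full `name { ... }` / `key = value, value;` syntax (including comma lists such as ike_forward_rules), while the EdgeOS parser only replays `edit`, `top` and `set` and rejects anything else instead of guessing. Tunnel number 1 and treating an unset key-exchange as ikev1 are my assumptions.

```python
import ipaddress
import re
import shlex

# Both configs are copied from the post, trimmed to the fields the check reads.
FRITZ_CFG = '''
vpncfg {
    connections {
        localid { fqdn = "chiad.example.org"; }
        remoteid { fqdn = "lacel.example.org"; }
        mode = phase1_mode_idp;
        phase2localid { ipnet { ipaddr = 10.0.3.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 10.0.0.0; mask = 255.255.255.0; } }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 10.0.0.0 255.255.255.0";
    }
}
'''
EDGE_CFG = '''
edit vpn ipsec ike-group FOO0
set key-exchange ikev1
top
edit vpn ipsec site-to-site peer chiad.example.org
set ike-group FOO0
edit tunnel 1
set esp-group FOO0
set local prefix 10.0.0.0/24
set remote prefix 10.0.3.0/24
top
'''

def parse_vpncfg(text):
    """Parse AVM's 'name { ... }' / 'key = value[, value];' syntax into nested dicts."""
    token = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}=;,])|([^\s"{}=;,]+)')
    tokens = [(m.lastindex, m.group(m.lastindex)) for m in token.finditer(text)]
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != (2, "}"):
            name = tokens[pos][1]
            pos += 1
            if tokens[pos] == (2, "{"):
                pos += 1
                node[name] = block()
                pos += 1  # closing brace
            else:  # '=' followed by one or more comma-separated values
                values = []
                while tokens[pos] != (2, ";"):
                    pos += 1  # skip '=' or ','
                    values.append(tokens[pos][1])
                    pos += 1
                pos += 1  # ';'
                node[name] = values[0] if len(values) == 1 else values
        return node
    return block()

def parse_edgeos(text):
    """Replay 'edit' / 'top' / 'set' lines into a {path tuple: value} map."""
    path, tree = [], {}
    for words in filter(None, (shlex.split(line, comments=True) for line in text.splitlines())):
        if words[0] == "edit":
            path.extend(words[1:])
        elif words[0] == "top":
            path.clear()
        elif words[0] == "set":
            tree[tuple(path + words[1:-1])] = words[-1]
        else:  # 'up', 'delete', ... are not modelled; fail loudly instead of guessing
            raise ValueError(f"unsupported configure command: {words[0]!r}")
    return tree

def check(fritz_text, edge_text):
    """Return the mismatches between the two sides; an empty list means they agree."""
    conn = parse_vpncfg(fritz_text)["vpncfg"]["connections"]
    edge = parse_edgeos(edge_text)
    findings = []
    # The EdgeOS peer name is what has to match the FRITZ!Box localid.
    peer = ("vpn", "ipsec", "site-to-site", "peer", conn["localid"]["fqdn"])
    if not any(k[:5] == peer for k in edge):
        return [f"no EdgeOS peer named {peer[4]!r} (the FRITZ!Box localid fqdn)"]
    tunnel = peer + ("tunnel", "1")  # tunnel 1 as in the post
    ike = ("vpn", "ipsec", "ike-group", edge[peer + ("ike-group",)])
    esp = ("vpn", "ipsec", "esp-group", edge[tunnel + ("esp-group",)])
    net = lambda ipnet: ipaddress.ip_network(f"{ipnet['ipaddr']}/{ipnet['mask']}")  # AVM ipaddr/mask pair
    f_local, f_remote = net(conn["phase2localid"]["ipnet"]), net(conn["phase2remoteid"]["ipnet"])
    e_local, e_remote = (ipaddress.ip_network(edge[tunnel + (side, "prefix")]) for side in ("local", "remote"))
    if (f_local, f_remote) != (e_remote, e_local):
        findings.append(f"selectors not mirrored: FRITZ!Box {f_local}->{f_remote}, EdgeOS {e_local}->{e_remote}")
    acl_net, acl_mask = conn["accesslist"].split()[-2:]
    if ipaddress.ip_network(f"{acl_net}/{acl_mask}") != f_remote:
        findings.append("accesslist destination differs from phase2remoteid")
    # phase1_mode_idp is IKEv1 main mode; an unset key-exchange is taken as ikev1 here.
    if conn["mode"] == "phase1_mode_idp" and edge.get(ike + ("key-exchange",), "ikev1") != "ikev1":
        findings.append("FRITZ!Box main mode needs 'key-exchange ikev1' on the ike-group")
    # 'pfs' in phase2ss means the FRITZ!Box insists on perfect forward secrecy.
    if "pfs" in conn["phase2ss"].split("/") and edge.get(esp + ("pfs",)) == "disable":
        findings.append("FRITZ!Box requires PFS but the esp-group disables it")
    return findings
```

`check(FRITZ_CFG, EDGE_CFG)` returns an empty list for the configs as posted; with the peer renamed to 83.D.E.F, as in the first attempt, it returns a single finding naming the FRITZ!Box localid, which is exactly the stage the tcpdump trace above got stuck at.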
Useful commands
During troubleshooting I found some useful commands for getting information out of the EdgeRouter. I don’t know of any way to analyze the FRITZ!Box config.
# strongSwan's own status view
sudo ipsec statusall
# follow the log of charon, strongSwan's IKE daemon
sudo tail -F /var/log/charon.log
sudo swanctl --log
# routes installed by strongSwan live in routing table 220
show ip route table 220
show vpn log tail
show vpn debug peer <peerip>
# Verify that IKE is up
show vpn ike sa
# Verify that IPSec tunnel is up
show vpn ipsec sa

Now I’m really glad my new setup is working, so I can get rid of the ‘double gateway’.