Standard User Woolwich (experienced) Wed 21-Jul-21 09:28:35
Adding an EdgeRouter X to my LAN

Finally I got around to buying an EdgeRouter X after folk here suggested it would speed up my VPN connections.

I need a couple of clues / advice as to the best way to set this up and integrate it into my LAN.

I have a FritzBox modem/router. Whatever happens I need that for my WiFi, VoIP and DECT. Obvs it's connected to the POTS for my FTTC. The FritzBox is known to have a slow processor and it can't do decent VPN speeds, thus the EdgeRouter.

Between the Fritz and an Ethernet five port hub/switch I have about six or seven LAN cables.

Along with the EdgeRouter I've bought a new Ethernet 'smart' switch (TP-Link). The plan is for all of my LAN to run through this one switch, the older smaller one will be retired and the FritzBox relocated.

The simple way is just to have the EdgeRouter do my VPN. But does it need to be my main router, handle DHCP and DNS for example. Or how can I tell it to ask the Fritz for those?

My Fritz is at 182.168.1.1, I've set the EdgeRouter to be on 192.168.1.2 and plan to make the switch 192.168.1.3. Seems reasonable as they all have web interfaces.

Is having two routers a problem? I'm still going to have one or other do port forwarding, should I leave that on the Fritz or basically pass all my routing requirements over to the EdgeRouter?

Where would you start?

Thanks!

Standard User prlzx (experienced) Thu 22-Jul-21 23:48:42
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

I don't think I'll be able to give step by step instructions.
What you want to do is possible but involves some learning as you go.

From my own experience I couldn't apply everything all at once and needed to progressively add configuration for each use case.

Something that is useful in any case is having handy the list of other VPN endpoints and what type of VPN they are using.

EdgeRouter does not have to be your main router, especially if the incoming broadband is xDSL, and like you I continue to use the Fritz for Wi-Fi.

(However if I had need of multiple WiFi access points I might pair EdgeRouter with an xDSL modem and retire the Fritz.)

When your EdgeRouter is ready to start accepting connections,
for IPsec based VPNs, you can certainly have Fritz forward the 500/udp and 4500/udp
This is the same as my approach.

For Wireguard, Fritz can forward 51820/udp
For me that would be a PC or VM rather than the EdgeRouter, but I don't currently accept WG connections from the Internet.
If Wireguard becomes a first-class citizen on EdgeRouter like the direction it's going on pfSense I'll still end up with a mix of types.

I would recommend having systems on your LAN use your EdgeRouter as their only DNS server, so that it can resolve private namespaces (DNS suffixes), including for the EdgeRouter itself.
EdgeRouter can then be set to forward DNS queries (for anything it can't answer) to the Fritz.

For example my namespaces look like:
hostname.home.lan (on the normal network)
hostname.wg.home.lan (hosts reachable via wireguard VPN)
hostname.sitename.orgname.lan (hosts reachable at a workplace site via VPN)


As you can see, I've chosen this so that EdgeRouter should be able to answer anything ending in .lan
(or else know who does have the answer)
and should never forward that to Fritz, avoiding DNS leakage.
This kind of scheme isn't possible on the Fritz itself as you can't even change the DNS domain name, but is possible when you run your own internal DNS service.

People sometimes make the mistake of handing out the 2nd DNS server as an Internet-based service such as 8.8.8.8 but that will be counter productive if using VPN.

It can be helpful to make sure all your internal hostnames have a FQDN in Edgerouter, particularly for hosts which run services you would like to connect to (by name).
These can be under either of these sections:

system static-host-mapping host-name
or
service dns forwarding options host-record=



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Fri 23-Jul-21 00:11:52)
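Added example (an editor's illustration, not code from prlzx's post, from EdgeOS or from dnsmasq) of the forwarding decision the scheme above relies on: the query name is matched against the private zones longest suffix first, anything under .lan that matches no zone is refused instead of being forwarded, and only public names go on to the Fritz. The zone table, the query names and the 10.200.0.1 address of the workplace resolver are constructed for the example.

```python
# Added illustration of the split-forwarding decision described in the post above.
# It is not EdgeOS or dnsmasq code; the zone table and query names are constructed.

# Where each private namespace is answered. "local" stands for the EdgeRouter's own
# records; any other value is the resolver for that namespace, reached over the VPN.
# 10.200.0.1 is a hypothetical address for the workplace site's DNS server.
ZONES = {
    "home.lan": "local",
    "wg.home.lan": "local",
    "sitename.orgname.lan": "10.200.0.1",
}
UPSTREAM = "192.168.1.1"   # the Fritz, used only for public names
PRIVATE_TLD = "lan"        # everything under here must never reach the upstream


def decide(name, zones=ZONES, upstream=UPSTREAM):
    """Return (target, reason) for one query name.

    Longest suffix wins, so a query for laptop.wg.home.lan is matched against
    wg.home.lan before home.lan. Names ending in .lan that match no zone are
    answered NXDOMAIN rather than forwarded, which is the leak the post warns
    about. Everything else goes to the upstream (the Fritz).
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return zones[suffix], "matched zone " + suffix
    if labels[-1] == PRIVATE_TLD:
        return None, "unknown private name: NXDOMAIN, not forwarded"
    return upstream, "public name: forwarded to upstream"


def would_leak(names, zones=ZONES, upstream=UPSTREAM):
    """Names that a plain 'forward everything to the Fritz' resolver would have
    sent upstream even though they belong to a private namespace."""
    return [n for n in names if decide(n, zones, upstream)[0] != upstream]


if __name__ == "__main__":
    for q in ("nas.home.lan", "laptop.wg.home.lan", "printer.sitename.orgname.lan",
              "typo.other.lan", "www.example.com"):
        print(q, "->", decide(q))
```

Run as a script it prints where each sample query would be sent. The result to note is the None for typo.other.lan: a resolver that forwarded everything it could not answer would have sent that private name to the Fritz, and from there to the ISP, which is the leakage the post describes.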


Standard User Pheasant (fountain of knowledge) Fri 23-Jul-21 09:48:04
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
From my own experience I couldn't apply everything all at once and needed to progressively add configuration for each use case.

That is sage advice. Plan it out well in advance and get the basics right and working and add / alter as you go.

Scattering network functions across boxes can be far more difficult to manage, maintain and diagnose any issues, especially in a moderately complex setup.

Personally I would ditch the Fritz in your situation. Get a DSL modem and maintain all the firewall/routing/VPN functionality in one place on the Ubiquiti box. If you then at some point migrate to FTTP then it will be a dead easy migration.




Standard User Woolwich (experienced) Fri 23-Jul-21 10:29:47
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
I don't think I'll be able to give step by step instructions.


No, of course not, I wouldn't expect that. All I need is a few clues, an overall strategy to help the penny drop. I'm happy to learn as I go. For example, as explained to me somewhere here earlier, if I'm port forwarding _into_ the ER-X for VPN, how does it know where to go to get back out? I need to set the 'next hop' and that needs to be the FritzBox (as it's connected to the WAN)? So I need a couple of clues about that.

And BTW, in case it's not clear or I'm unusual, I'm not using VPN to circumvent geo restrictions or for any paranoid reasons. The internet connection here is 'normal'. The VPN is for file sharing between sites and for when in a cafe and don't want to be exposed on their insecure WiFi (because I am paranoid!).

the list of other VPN endpoints and what type of VPN they are using.


Everything (site-to-site) is FritzBox using its built-in VPN. So - and here I think a penny is dropping - I need to configure the ER-X VPN, then I can port forward to it and the VPNs will still operate, it doesn't matter that it's ER-X one end and FB the other. (But the plan is to have EdgeRouters at each site otherwise there's no throughput gain.)

I would recommend having systems on your LAN use your EdgeRouter as their only DNS server, so that it can resolve private namespaces (DNS suffixes), including for the EdgeRouter itself.


Mmmm... At the moment everything just gets DNS from the FB without my setting anything up. If the ER-X is doing DNS, how does my Mac know that? And my iPad which will be on the FB WiFi, how does it 'know'?

Can I leave the DNS for now, until I get the VPN running? What you have looks interesting but I need to learn a bit more first.

Thanks

Standard User Woolwich (experienced) Fri 23-Jul-21 10:40:57
Re: Adding an EdgeRouter X to my LAN [re: Pheasant]

In reply to a post by Pheasant:
Personally I would ditch the Fritz in your situation. Get a DSL modem and maintain all the firewall/routing/VPN functionality in one place on the Ubiquiti box. If you then at some point migrate to FTTP then it will be a dead easy migration.


I do have an old Openreach ECI modem I could do this with. And I agree, but... the FB is my WiFi, VoIP and DECT phone so I can't just remove it. (Well I could but I'd need to buy a WiFi thing and a VoIP thing and a DECT thing and that's too many things for the moment.)

Standard User prlzx (experienced) Sat 24-Jul-21 03:32:05
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

If the ER-X is doing DNS, how does my Mac know that? And my iPad which will be on the FB WiFi, how does it 'know'?


Well, when your ER-X DNS is populated, you can tell FB's DHCP server to give out the address of ER-X as the DNS server (instead of the FB itself by default).
Sometimes it's forgotten that DHCP informs more than just a minimal IP/Subnet (and optional default Gateway).

You can leave DNS on the FB for now, but the only reason that works is all traffic goes through the FB regardless of whether it's going to be tunneled.
If the FB is eventually no longer doing the VPN tunnels it will cease to know about the IP ranges or hosts associated with remote sites.

I do tend to rant about DNS but that's from having worked in environments where it was not managed well.
If you find yourself hard-coding IPs everywhere or having to type IPs in your browser address bar, or to reach a network share it's a clue some names are missing.




Edited by prlzx (Sat 24-Jul-21 03:36:09)


Standard User prlzx (experienced) Sat 24-Jul-21 03:52:45
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

Forgot to mention in first reply,
if you are using either of the networks
192.168.0.0/24
192.168.1.0/24

It's generally a pain in the long run as you almost guarantee an address or routing conflict with another site, but especially if needing remote access when visiting another house.

The private address space has much more to choose from.
10.0.0.0/8 is commonly used by large enterprises but 172.16.0.0/12 less so,
and you can easily choose a /16 from which to carve out your own subnets.

For example, if you prefer to stick with subnets of familiar 192.168.0.0/16,
and have 15 or less sites you can do something like this:

Site 1 = 192.168.16-31.*
Site 2 = 192.168.32-47.*
Site 3 = 192.168.48-63.*


Watch out if using VMware, Virtualbox or similar because they create additional NICs and Networks under 192.168. too.

Visit any forum on VPN and you'll see people begging for ways to make it work without renumbering when they have invested a lot of time already.



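Added example (an editor's illustration, not from prlzx's post or from EdgeOS) of the per-site carve-up above, with an overlap check for the address conflict it is meant to avoid. The site names and labelled prefixes are constructed; 192.168.56.0/24 is used as a stand-in for the kind of hypervisor host-only network the post warns about.

```python
# Added illustration of the site-numbering scheme in the post above (Site 1 =
# 192.168.16-31.*, Site 2 = 192.168.32-47.*, ...). Not EdgeOS code; the prefixes
# fed to conflicts() below are constructed examples.
import ipaddress

SUPERNET = ipaddress.ip_network("192.168.0.0/16")


def site_block(site, supernet=SUPERNET, site_bits=4):
    """Return the block reserved for a site number.

    Splitting the /16 with 4 extra prefix bits gives sixteen /20s, each covering
    sixteen third-octet values. Site n gets the n-th one, so site 1 is
    192.168.16.0/20. Block 0 (192.168.0-15.*) is left unused on purpose: it
    holds 192.168.0.0/24 and 192.168.1.0/24, the defaults most home routers
    and cafe hotspots use, which is exactly the overlap the post warns about.
    """
    blocks = list(supernet.subnets(prefixlen_diff=site_bits))
    if not 1 <= site < len(blocks):
        raise ValueError(f"site must be between 1 and {len(blocks) - 1}")
    return blocks[site]


def plan(site_names):
    """Allot blocks to sites in order: {"London": 192.168.16.0/20, ...}."""
    return {name: site_block(n) for n, name in enumerate(site_names, start=1)}


def conflicts(prefixes):
    """Return the pairs of labelled prefixes that overlap.

    Two sites sharing any address space cannot be joined by a site-to-site
    tunnel without renumbering, because neither router can tell whether a
    destination is local or remote. Input: {"label": "a.b.c.d/n", ...}.
    """
    nets = [(label, ipaddress.ip_network(p, strict=False)) for label, p in prefixes.items()]
    clashes = []
    for i, (la, na) in enumerate(nets):
        for lb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                clashes.append((la, lb))
    return clashes


if __name__ == "__main__":
    print(plan(["London", "Site 2", "Site 3"]))
    # Constructed: two sites still on the router default, plus a hypervisor
    # host-only network that happens to land inside site 3's block.
    print(conflicts({
        "home": "192.168.1.0/24",
        "cafe-hotspot": "192.168.1.0/24",
        "site3": str(site_block(3)),
        "vm-host-only": "192.168.56.0/24",
    }))
```

The second printed list shows both failure modes in one go: two networks on the router default clash with each other, and a /24 that a hypervisor created under 192.168 clashes with a site block even though the site was numbered carefully. Running conflicts() over every prefix in play, VM networks included, before cutting over is the cheap way to avoid the renumbering the post describes.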

Standard User Woolwich (experienced) Sat 24-Jul-21 09:38:21
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
Forgot to mention in first reply

I should have mentioned it in my OP. I seemed to learn I needed different sites to be on different subnets for VPN to work before I started so it's never been an issue for me. I have four sites using 192.168.n.0/24 where n is either 1,2,3 or 4. (But not really as we have a 'system'.)
For example, if you prefer to stick with subnets of familiar 192.168.0.0/16,
and have 15 or less sites you can do something like this

That allows me to have VLANs if I understand correctly? We have very small networks with a few users on each and I can't see a reason to split them up. Sure I could put my IoT devices on a different VLAN but doesn't that mean I'd need to swop my Mac/iPhone over to the same VLAN in order to control them. For example there are some Philips Hue lights here which get turned on and off either using the app or by Siri via Apple Home. Sounds confusing.

Of course the FritzBox has a 'guest' network which we do use and I will want to ensure that is still available.

Thanks

Standard User Woolwich (experienced) Mon 26-Jul-21 12:30:46
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
When your EdgeRouter is ready to start accepting connections,
for IPsec based VPNs, you can certainly have Fritz forward the 500/udp and 4500/udp
This is the same as my approach.


Can you share your secret sauce settings on the EdgeRouter? I'm port forwarding 500 & 4500 and have set the ER-X VPN as the FritzBox. But the FritzBox at the remote end is saying in its logs

IKE error 0x2026

which means "no proposal chosen".

How should I choose my proposal?

Thanks

Standard User prlzx (experienced) Mon 26-Jul-21 15:29:30
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

A proposal is nothing more than an offering of an encryption algorithm (including cipher and hash types) that an endpoint is willing to agree to. Each side can provide a list of such proposals (which may be just one as long as they agree).

In the Edgerouter CLI you can run

show vpn log tail

then wait for a VPN connection attempt or try to initiate one. CTRL+C to break out of the live log.
There are a couple of articles that might help you.

https://help.ui.com/hc/en-us/articles/115006567467-E...

https://en.avm.de/service/knowledge-base/dok/FRITZ-B...

However this article might have more information on what algorithms the Fritzbox actually supports in talking to something else, as it hides that level of detail from you when linking up 2 or more Fritzboxes.

https://en.avm.de/service/knowledge-base/dok/FRITZ-B...

On EdgeRouter-X I am currently using the following for IKE:
ike-group give-this-a-name {
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}

and for ESP:
esp-group give-this-a-name {
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}

For example, it looks like to work with Fritzbox you'll need to drop back to ikev1 in your key-exchange.




Edited by prlzx (Mon 26-Jul-21 15:32:49)


Standard User Woolwich (experienced) Mon 26-Jul-21 17:02:54
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
show vpn log tail

Here you go!
Welcome to EdgeOS
woolwich@EdgeRouter:~$ show vpn log tail
Jul 26 15:01:35 00[DMN] signal of type SIGINT received. Shutting down
Jul 26 15:01:38 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.54-UBNT, mips)
Jul 26 15:12:19 00[DMN] signal of type SIGINT received. Shutting down
Jul 26 15:12:21 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.54-UBNT, mips)
Jul 26 15:17:26 00[DMN] signal of type SIGINT received. Shutting down
Jul 26 15:17:29 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.54-UBNT, mips)
Jul 26 15:18:58 00[DMN] signal of type SIGINT received. Shutting down
Jul 26 15:19:00 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.54-UBNT, mips)
Jul 26 16:02:08 00[DMN] signal of type SIGINT received. Shutting down
Jul 26 16:02:11 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.54-UBNT, mips)


Doesn't mean much to me...
On EdgeRouter-X I am currently using the following for IKE:
ike-group give-this-a-name {
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}

and for ESP:
esp-group give-this-a-name {
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}


So I've just used the GUI to set up the VPN. I'm not aware of any ESP settings. Can I select these settings in the Config Tree? I think I've already worked out I really need Ikev1 but I'm not clear where/how to set that.

Thanks..

Late edit re Ikev1, I see the Config Tree vpn / ipsec / ike-group / FOO0
ikev2-reaut no
key-exchange ikev1
lifetime mode 28800

So Ikev1 or 2?

Edited by Woolwich (Mon 26-Jul-21 17:07:25)


Standard User prlzx (experienced) Mon 26-Jul-21 20:56:52
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

The EdgeRouter GUI is good enough so long as you only want the commonly used functions that have their own sections.

To answer your question, yes you can use the config tree to access all the settings that are normally only exposed in the CLI, though it may not be intuitive at first.

The thing about VPN is that there is a learning curve, and until you have the concepts down, it's hard to apply it to any particular kit without it tending towards trial and error.

That said, there are openly defined standards involved, and nothing proprietary that inherently forces you to use the same vendor kit on each side of a link (even if they simplify things by offering less choices when doing that as with just Fritzboxes or just EdgeRouters).

The two site-to-site Ubiquiti guides I followed were:
https://help.ui.com/hc/en-us/articles/115012831287
or
https://help.ui.com/hc/en-us/articles/115011377588

I've been using the second method, so as it happens I use the CLI to create VPNs using tunnel interfaces (VTIs).
In other words data going to and from the other side appears on its own virtual interface once the tunnel is up.
It's somewhat similar to when using an OpenVPN client, for which you get an extra interface appear with its own IP settings, and doesn't correspond with a physical port on your computer.

What I found was the VPN GUI's tabs were fine if you only wanted basic site-to-site functionality using pre-shared keys to link with other EdgeRouters.
However I avoid using the VPN tabs because they work more like a wizard and can replace any additional settings with defaults (it's noted in the GUI).

I later added OSPF to my VTI tunnel interfaces for automatically exchanging routes for each site's subnets, but that's because I have a more dynamic set of sites to support.
It sounds like you'll have a fixed set of endpoints initially and won't need OSPF (yet).




Edited by prlzx (Mon 26-Jul-21 21:40:32)


Standard User prlzx (experienced) Mon 26-Jul-21 21:08:17
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

The purpose of an IKE group and an ESP group are containers for related settings to use with one or more VPN connections. They actually make the site-to-site config shorter because they allow re-use where the same settings are needed.

You'll find that when creating a site-to-site connection, it makes reference to:

Phase 1) using an IKE group to tell it what proposals to exchange where both sides
- agree they want to talk to each other in principle,
- that the peer is indeed the intended site and not a phoney
- and this is also where the authentication happens
(e.g. a pre-shared key or XAuth) or where certificates or RSA keys are exchanged if using that method.

Phase 2) using an ESP group to agree how to encapsulate and encrypt the traffic between the 2 networks once all the pre-requisites are satisfied.
For example this will not just encrypt data and IP headers (in an ESP packet)
but also wrap it in UDP if it needs to pass through another router using NAT, such as in your use case.
As far as the outer router (and all routers along the Internet path) are concerned this is then just regular UDP packets.

Phase 1 and 2 are something you need to read up on first if you want to make IKEv1 connections regardless of vendor, but I want to avoid trying to teach by forum posting.
There are probably Youtube videos that explain it better and with diagrams !

The code I posted was just example snippets from my config.
The tree structure of the config file is represented by curly brackets.
Sorry I should have found the forum code/pre block to preserve the cosmetic formatting.
I'll go back and see if I can fix that.

The syntax is similar to JSON, but also would be familiar to those who have worked on Juniper JunOS type routers.




Edited by prlzx (Mon 26-Jul-21 21:42:42)


Standard User prlzx (experienced) Mon 26-Jul-21 21:20:30
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

I linked you to the Fritzbox article earlier about connecting a site to a non-Fritzbox router but I'll quote the sections that have algorithm information.
Requirements / Restrictions
-------------------------------------
The FRITZ!Box supports VPN connections according to the IPsec standard with ESP, IKEv1, and pre-shared keys.
Authentication Header (AH) and Perfect Forward Security (PFS) are not supported.

Supported IPSec algorithms for IKE phase 1:
Encryption method: AES with 256, 192, 128 bit, Triple DES with 168 bit or DES with 56 bit
Hash algorithms: SHA1 or MD5-96
The FRITZ!Box uses 1024-bit Diffie-Hellman initial key exchange (DH group 2).
It then also accepts 768, 1536, 2048 and 3072 bit (DH groups 1, 5, 14, and 15).

Supported IPSec algorithms for IKE phase 2:
Encryption method: AES with 256, 192, 128 bit, Triple DES with 168 bit or DES with 56 bit
Hash algorithms: SHA1 or MD5-96

The Diffie-Hellman group is determined by IKE phase 1
Compression: none, LZJH, or deflate


Most people won't want to bother with compression, which was historically used with dial-up and ADSL connections to squeeze every last bit of throughput through narrow pipes at the cost of computational overhead, similar to how PPP has options to save even a few bytes from its headers.

But mainly because modern data flows are much less compressible, if they already are compressed such as media content (jpg, png, gif, audio and video) and even web browsers already seamlessly negotiate gzip/deflate on the text content from the web server (html, css, js).




Edited by prlzx (Mon 26-Jul-21 21:27:25)


Standard User Woolwich (experienced) Wed 28-Jul-21 11:00:28
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

OK, I've been reading and I think I know a little more about phases etc. But you know what they say about a little knowledge...

Here's my setup
OK, forget that, the code won't format despite being plain code to start...



Here's what I get out of the ER-X re the VPN
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer [public IP address of remote site] {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description London
                ike-group FOO0
                local-address [public IP address of this site]
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.1.0/24
                    }
                    remote {
                        prefix 192.168.2.0/24
                    }
                }
            }
        }
    }
}


So what I see here is no mention of ikev1 which I know I need for the FritzBox. But when I look at the ER-X Config Tree, in vpn / ipsec / ike-group / FOO0 I see "key-exchange - ikev1".

So I am or am not using ikev1?

Other thoughts: I have no idea if my port forward is set up correctly. I am forwarding UDP 500 & 4500 to 192.168.1.2 (the ER-X). I'm still not clear how traffic returns.

As far as I can see the ER-X is not replying to the FritzBox at the remote site. That's using the previously working site-to-site FritzBox to FritzBox connection. If I switch it on again at this end the connection comes up right away.

So, ikev1 and port forward? Or maybe firewall on the ER-X?

Standard User prlzx (experienced) Wed 28-Jul-21 19:31:11
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

IKE version is set in the IKE group (but outside the proposal), the default is IKEv1 if not specified.

I think the auto-firewall-nat-exclude rule already takes care of the firewall policy on the EdgeRouter itself if not configured manually.

local-address is not the public IP of this site, but the address of the interface on the EdgeRouter itself that you want already-encrypted traffic to depart/arrive on, so should be 192.168.1.2.

With regards to how traffic returns, a port forward (or destination NAT) is stateful in that matching reply traffic from your EdgeRouter back to the remote peer is recognised.
Plus if the EdgeRouter is initiating the tunnel, then even without any ports forwarded the Fritzbox at your end would still pass replies back to the EdgeRouter. The port forwards are just a convenience to also allow the remote peer(s) to initiate (unsolicited).

Think about when you use a web browser, your main NAT router knows where to send replies to your outgoing requests even though the website doesn't see a connection from your private IP. And NAT knows which computer or phone the reply is intended for even if multiple local devices are browsing the same site.




Edited by prlzx (Wed 28-Jul-21 19:34:06)
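Added toy model (an editor's illustration, not FRITZ!OS or EdgeOS code) of the stateful reply path explained above. It keeps a connection table keyed on the remote peer and the WAN port, so a reply to a flow the ER-X started is delivered with no port forward at all, while unsolicited IKE from the peer only gets in through a forward rule for 500/4500. The WAN and peer addresses are constructed from the RFC 5737 documentation ranges; 192.168.1.2 is the ER-X address used in the thread; UDP only, no timeouts.

```python
# Added illustration of the stateful reply path explained in the post above.
# It is a toy model, not FRITZ!OS code: one protocol field, UDP only, and no
# timeouts. WAN and peer addresses are constructed from the RFC 5737
# documentation ranges; 192.168.1.2 is the ER-X address used in the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        # destination-NAT (port forward) rules: (proto, wan port) -> (inside host, port)
        self.forwards = dict(forwards or {})
        # connection table: (proto, peer ip, peer port, wan port) -> (inside host, port)
        self.state = {}
        self.next_port = 40000

    def _wan_port_taken(self, proto, port, inside):
        """True if another inside host already owns this WAN port for this protocol."""
        return any(k[0] == proto and k[3] == port and v[0] != inside
                   for k, v in self.state.items())

    def outbound(self, pkt):
        """LAN -> WAN: record the flow, rewrite the source to the WAN address.

        The source port is preserved when possible (IKE peers behind NAT rely
        on that) and a fresh port is used only when a second inside host wants
        the same one.
        """
        wan_port = pkt.sport
        if self._wan_port_taken(pkt.proto, wan_port, pkt.src):
            wan_port = self.next_port
            self.next_port += 1
        self.state[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: returns (translated packet or None, reason).

        A reply to a flow the LAN started is matched by the connection table
        even when nothing is forwarded. Unsolicited traffic only gets in via a
        port-forward rule, which also seeds the table so the inside host's
        reply is translated back. Anything else is dropped.
        """
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.state:
            inside_ip, inside_port = self.state[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port), "state"
        rule = self.forwards.get((pkt.proto, pkt.dport))
        if rule is not None:
            self.state[key] = rule
            return Packet(pkt.proto, pkt.src, pkt.sport, rule[0], rule[1]), "forward"
        return None, "drop"


IKE_FORWARDS = {("udp", 500): ("192.168.1.2", 500), ("udp", 4500): ("192.168.1.2", 4500)}


def demo():
    """Walk the three cases from the post; returns the reason seen for each."""
    peer, wan = "203.0.113.7", "198.51.100.1"
    # 1. No forwards at all: ER-X initiates, the peer's reply still finds it.
    plain = NatRouter(wan)
    plain.outbound(Packet("udp", "192.168.1.2", 500, peer, 500))
    _, reply = plain.inbound(Packet("udp", peer, 500, wan, 500))
    # 2. Unsolicited IKE from the peer is dropped without a forward ...
    _, cold = plain.inbound(Packet("udp", peer, 4500, wan, 4500))
    # 3. ... and delivered to the ER-X once 500/4500 are forwarded.
    forwarded = NatRouter(wan, IKE_FORWARDS)
    _, warm = forwarded.inbound(Packet("udp", peer, 4500, wan, 4500))
    return reply, cold, warm


if __name__ == "__main__":
    print(demo())
```

demo() returns ("state", "drop", "forward"), which is the post's argument in three lines: the forwards are only needed for the remote peer to start the exchange, and with connection-type initiate set on the ER-X its own traffic would come back without them. The same table also shows why the remote end sees the Fritz's public address and not 192.168.1.2, which is why the later reply says local-address is the ER-X's LAN interface.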


Standard User Woolwich (experienced) Thu 29-Jul-21 08:16:59
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
IKE version is set in the IKE group (but outside the proposal), the default is IKEv1 if not specified.

I think the auto-firewall-nat-exclude rule already takes care of the firewall policy on the EdgeRouter itself if not configured manually.

local-address is not the public IP of this site, but the address of the interface on the EdgeRouter itself that you want already-encrypted traffic to depart/arrive on, so should be 192.168.1.2.


Interesting observation; the "Web address of this FRITZ!Box" is blank on the working site-to-site connections. It only asks for the remote IP and LAN addresses.

So it should work? But it doesn't. I've also deleted the VPN settings for this connection on the FritzBox and re-added them (so we know stuff like the shared secret is correct!). The two other site-to-site connections come up right away, my ER-X is still IKE error 0x2026 "no proposal chosen".

The FritzBox log reports of the successful connections state:

29.07.21 08:03:34 VPN connection to Site E [censored IP]
IKE SA- DH2/AES-256/SHA2-512 IPsec SA- ESP-AES-256/SHA2-512/LT-3600 was established successfully


So, I can set DH 2 on the ER-X and AES 256 but not SHA 2 (only SHA 1 or MD5). Is that any sort of clue?

Or what else should I be looking at?

Standard User prlzx (experienced) Fri 30-Jul-21 00:07:33
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

In the earlier AVM post I quoted, they say that Fritzbox does the initial DH exchange at group 2
so try adding a 2nd proposal inside your current IKE group,
keeping your proposal 1 that has DH group 14

AVM also say they don't support PFS so disable that in your ER-X ESP group.
On ER-X if you don't specify pfs it is enabled by default.
Defaults show up as implicit configuration in the same way you spotted the key-exchange version.

aes256 and sha1 are listed as compatible for both routers, and more importantly, the IPsec hardware offload on ER-X (MediaTek) supports that, so it's not worth going to higher aes or sha types.

Group 2 and no PFS would both be considered weak by modern standards, and given your latest output, maybe the AVM documentation is out of date?

It's tricky because I've never needed to tunnel to a Fritzbox, but I do have EdgeRouters talking to each other, to pfSense and to the Windows built-in L2TP over IPSec client, so there is cross-vendor compatibility if you can find the common algos.

Also what version firmware are you running on ER-X?
I am running v1.10.11 being the latest of that series.

There are versions of 2.x you can try if you prefer but not essential unless targeting features only developed for 2.x.




Edited by prlzx (Fri 30-Jul-21 00:19:42)
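Added model (an editor's illustration, not strongSwan or FRITZ!OS code) of what "no proposal chosen" means, tying together the AVM algorithm list prlzx quoted earlier and the second-proposal advice in the post above. Each proposal is an encryption/hash/DH-group triple; the responder walks the initiator's list in order and takes the first one it will accept, and an empty intersection is the 0x2026 error. FRITZ_PHASE1 is transcribed from the quoted AVM requirements, SAMPLE_LINE is the FRITZ!Box log line Woolwich posted, and the "first acceptable in initiator order" rule is a simplification (real responders may prefer their own configured order).

```python
# Added model of IKE phase-1 proposal selection, written for this thread; it is
# not strongSwan or FRITZ!OS code. FRITZ_PHASE1 is transcribed from the AVM
# requirements quoted earlier in the thread, and SAMPLE_LINE is the FRITZ!Box log
# line posted above.
import re

FRITZ_PHASE1 = {
    "encryption": {"aes256", "aes192", "aes128", "3des", "des"},
    "hash": {"sha1", "md5"},
    "dh-group": {1, 2, 5, 14, 15},
}

# Components a defender would flag: DES/3DES, MD5, and MODP groups below 2048 bits.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "dh-group": {1, 2, 5}}

KEYS = ("encryption", "hash", "dh-group")


def proposal(encryption, hash_, dh_group):
    """One IKE proposal in the EdgeOS vocabulary: aes256 / sha1 / 14."""
    return {"encryption": encryption, "hash": hash_, "dh-group": dh_group}


def acceptable(prop, supported):
    return all(prop[k] in supported[k] for k in KEYS)


def negotiate(initiator_proposals, responder_supported):
    """Responder walks the initiator's list in order and picks the first proposal
    it can accept. Returns (proposal number, proposal); (None, None) is the
    outcome the FRITZ!Box logs as IKE error 0x2026 "no proposal chosen"."""
    for n, prop in enumerate(initiator_proposals, start=1):
        if acceptable(prop, responder_supported):
            return n, prop
    return None, None


def weak_parts(prop):
    """Which parts of an agreed proposal are weak by modern standards."""
    return [k for k in KEYS if prop[k] in WEAK[k]]


FRITZ_IKE_SA = re.compile(r"IKE SA-\s*DH(\d+)/([A-Z0-9-]+)/([A-Z0-9-]+)")


def parse_fritz_ike_sa(line):
    """Pull the agreed phase-1 proposal out of a FRITZ!Box 'established' line,
    normalising AVM's spelling (AES-256, SHA2-512) to EdgeOS's (aes256, sha512)."""
    m = FRITZ_IKE_SA.search(line)
    if not m:
        return None
    dh, enc, hsh = m.groups()

    def norm(s):
        return s.upper().replace("SHA2-", "SHA").replace("-", "").lower()

    return proposal(norm(enc), norm(hsh), int(dh))


SAMPLE_LINE = ("29.07.21 08:03:34 VPN connection to Site E [censored IP] "
               "IKE SA- DH2/AES-256/SHA2-512 IPsec SA- ESP-AES-256/SHA2-512/LT-3600 "
               "was established successfully")

if __name__ == "__main__":
    ikev2_style = [proposal("aes256", "sha256", 14)]
    print(negotiate(ikev2_style, FRITZ_PHASE1))
    two = [proposal("aes256", "sha1", 14), proposal("aes256", "sha1", 2)]
    print(negotiate(two, FRITZ_PHASE1))
    seen = parse_fritz_ike_sa(SAMPLE_LINE)
    print(seen, acceptable(seen, FRITZ_PHASE1), weak_parts(seen))
```

Three things fall out of running it. The ikev2-style proposal (sha256) is rejected outright against the documented list, which is one way to get 0x2026. A two-proposal group is accepted on the first entry according to the documentation, yet Woolwich reports that only DH group 2 got past the error in practice, so the published table is a starting point, not the last word. And the Fritz-to-Fritz log line parses to aes256/sha512/DH2, a hash the documentation does not list at all, which supports prlzx's suspicion that the AVM article is out of date; weak_parts() flags the group 2 in that same line, which is the trade-off prlzx mentions when suggesting it.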


Standard User Woolwich (experienced) Fri 30-Jul-21 08:24:43
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
try adding a 2nd proposal inside your current IKE group,
keeping your proposal 1 that has DH group 14

AVM also say they don't support PFS so disable that in your ER-X ESP group.

OK, some progress. I now have a different error message.

IKE error 0x203F "authentication failed"


Now you'd think I just need to check the shared secret at both ends and all would be fine. No, that didn't help.

(Also, FWIW, it's the DH 2 that gets me here, with or without pfs.)

Group 2 and no PFS would both be considered weak by modern standards, and given your latest output, maybe the AVM documentation is out of date?


The FritzBox is well known to be underpowered for VPN so I doubt that. I guess they wouldn't bother too much. But we can see how two FritzBoxes connect so we can be sure of some configurations.

It's tricky because I've never needed to tunnel to a Fritzbox, but I do have EdgeRouters talking to each other


The plan is to have EdgeRouters at each site and retire the FritzBoxes from VPN duty. But I can't physically get to each location at the moment. So this is a bit of proof of concept. I will be at another site in a few days where I can try a ER-X to ER-X connection.

Also what version firmware are you running on ER-X?


The latest 2.whatever. Cos all the instruction pages say 'based on the latest firmware'.

Here's another rabbit hole to consider. Can I run the FritzBox and ER-X simultaneously for VPN? I have to keep the FB VPN on because because. It automatically port forwards 500 & 4500 UDP to its own VPN service. Can I run another VPN on different ports ER-X to ER-X? I see in the Config Tree under site to site

vpn / ipsec / site-to-site / peer / remote.public.IP.address / tunnel / 1 / remote : Remote parameters for interesting traffic

I can set a port ("Any TCP or UDP port") and the same is true for 'local'. So does this give the opportunity to connect over a different port? But it has to be two different ports. I'll research but if I could it means I could run some sites ER-X to ER-X and others ER-X to FritzBox. Which would solve a couple of problems.

Standard User prlzx (experienced) Fri 30-Jul-21 23:07:01
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

Can I run another VPN on different ports ER-X to ER-X?

tunnel / 1 / remote : Remote parameters for interesting traffic


Afraid not - if you look at the context of these settings, it is the policy - for more granular specification of what local or remote traffic will qualify for encryption and tunneling, it is not the endpoints of the tunnel.
For example, if you had a VPN tunnel established but only wanted to use it when connecting to http servers inside the remote network prefix.

Native IPSec runs on ESP protocol (not TCP/UDP protocol)
while UDP ports 500 (IKE) and 4500 (NAT-traversal by encapsulation of ESP) are a set standard by definition.

If your local Fritzbox was still acting as an IPSec VPN endpoint I think it would eat the UDP traffic before forwarding it.

There are other VPN protocols that do everything on a single UDP port that is a configurable item, like Wireguard and OpenVPN.




Edited by prlzx (Fri 30-Jul-21 23:12:53)


Standard User prlzx (experienced) Fri 30-Jul-21 23:15:37
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

Is the authentication failed error seen on the local ER-X or remote Fritzbox?




Standard User Woolwich (experienced) Sat 31-Jul-21 06:51:56
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

In reply to a post by prlzx:
Is the authentication failed error seen on the local ER-X or remote Fritzbox?
On the remote FritzBox.

Standard User prlzx (experienced) Sat 31-Jul-21 15:36:02
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

Looking at your config you are missing something from the authentication sections.
You've set the pre-shared key but no IDs (think: who am I and who are you).

https://help.ui.com/hc/en-us/articles/115013382567-E...

shows a couple of ways (either/or) of setting the (local-) id and remote-id that will be used by each end.
The article is also an example of when one side is behind NAT when deciding what to use as an ID.

If the Fritzbox does not expose the IDs and just configures them based on other information provided, you'll need to figure out what it uses.
Could be IP addresses, FQDNs (AVM call those a web address, which is confusing because it is not a URL) or some other unique label.

I still think you'll need to watch the ER-X VPN logs while connecting to see if the responses provide remaining hints.




Edited by prlzx (Sat 31-Jul-21 15:42:45)


Standard User Woolwich (experienced) Sun 01-Aug-21 20:32:31
Re: Adding an EdgeRouter X to my LAN [re: prlzx]

So I'm at the remote site. Port forwarding from the FritzBox to the ER-X for ports 500 & 4500. Ditto the other site. So EdgeRouter to EdgeRouter set up in site to site and

SFA

no connection, no tunnel no dice.

If I can't get two ER-Xs to talk to each other what hope for Fritz?

Like I say, I'm clearly missing something.

Standard User smouty (member) Thu 26-Aug-21 10:26:41
Re: Adding an EdgeRouter X to my LAN [re: Woolwich]

As mentioned earlier in the thread, have you enabled ESP (protocol 50) on the firewall?

I'm not a fan of Ubiquiti apart from their APs but we use a SG Pro at work so I have had some experience of setting up IPSEC.

Is the interface similar as I have a pic if it helps?

OPNSense
PiHole
Unifi for Wifi