New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Since it took me nearly a day of trial and error, here is my working config, in case someone tries to accomplish something similar.

 

Many thanks to @FAServers and @ryan3531, who provided some clarifications in this thread: https://community.ubnt.com/t5/EdgeMAX/Guide-for-site-to-site-VPN-with-dynamic-IP-at-both-locations/m...

 

And now the configs (you need to replace the PSK, the DynDNS hostnames of the local and remote sites and the local and remote subnets! If you use an interface other than eth0 as WAN, change that as well.)

I defined LOCAL.HOST.NAME as the DynDNS hostname of the ER-Lite and REMOTE.HOST.NAME as the DynDNS hostname of the Fritz!Box. For DynDNS I use dns.he.net with my own domain.

 

A problem I encountered was that I also had L2TP over IPsec remote access configured on the EdgeRouter. According to the thread linked above, this only works if the PSK is the same for all tunnels, so you need to use the same PSK for both the site-to-site tunnel and the remote access tunnels. This can be a security problem, but it is OK for me, since I'm the only one using these devices.
If you use two EdgeRouters, you should check the "authentication rsa" mode (can't find the thread where I read about it, sorry) - but the Fritz!Box only does PSK, AFAIK. If someone finds out how to configure it using RSA or certificates, please let me know!

 

EdgeOS (working on an ER-Lite with EdgeOS 1.8.0):

 

ubnt@router# show vpn ipsec 
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group espfritzbox {
     compression disable
     lifetime 3600
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group ikefritzbox {
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer REMOTE.HOST.NAME {
         authentication {
             id @LOCAL.HOST.NAME
             mode pre-shared-secret
             pre-shared-secret VERYSECRETPSK
             remote-id @REMOTE.HOST.NAME
         }
         connection-type initiate
         dhcp-interface eth0
         ike-group ikefritzbox
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group espfritzbox
             local {
                 prefix 192.168.0.0/24
             }
             remote {
                 prefix 192.168.178.0/24
             }
         }
     }
 }

 

Fritz!Box (working on a Fritz!Box 7360v2 with FritzOS 6.30): --> import this via "Internet -> Permit Access (Freigaben) -> VPN -> Add VPN Connection (VPN-Verbindung hinzufügen) -> Import a VPN configuration from an existing VPN settings file (Eine VPN-Konfiguration aus einer vorhandenen VPN-Einstellungsdatei importieren)")

vpncfg {
	connections {
		enabled = yes;
		conn_type = conntype_lan;
		name = "LOCAL.HOST.NAME";
		always_renew = yes;
		reject_not_encrypted = no;
		dont_filter_netbios = yes;
		localip = 0.0.0.0;
		local_virtualip = 0.0.0.0;
		remoteip = 0.0.0.0;
		remote_virtualip = 0.0.0.0;
		remotehostname = "LOCAL.HOST.NAME";
		keepalive_ip = 0.0.0.0;
		localid {
			fqdn = "REMOTE.HOST.NAME";
		}
		remoteid {
			fqdn = "LOCAL.HOST.NAME";
		}
		mode = phase1_mode_idp;
		phase1ss = "all/all/all";
		keytype = connkeytype_pre_shared;
		key = "VERYSECRETPSK";
		cert_do_server_auth = no;
		use_nat_t = yes;
		use_xauth = no;
		use_cfgmode = no;
		phase2localid {
			ipnet {
				ipaddr = 192.168.178.0;
				mask = 255.255.255.0;
			}
		}
		phase2remoteid {
			ipnet {
				ipaddr = 192.168.0.0;
				mask = 255.255.255.0;
			}
		}
		phase2ss = "esp-all-all/ah-none/comp-all/pfs";
		accesslist = "permit ip any 192.168.0.0 255.255.255.0";
	}
	ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
			    "udp 0.0.0.0:4500 0.0.0.0:4500";
}
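The two files above have to mirror each other crosswise (the EdgeOS id is the Fritz!Box remoteid, the EdgeOS local prefix is the Fritz!Box phase2remoteid, and so on), and getting one of those pairs wrong is the usual reason a tunnel never negotiates. The following check is an added example, not part of the post and not EdgeOS or AVM tooling: it parses trimmed copies of the two configurations above with two small brace-format readers written for this purpose and reports every pair that does not correspond.

```python
"""Cross-check an EdgeOS site-to-site peer against the Fritz!Box vpncfg it talks to.

Added example, not part of the original post. Both inputs are trimmed copies of
the two configurations posted above; the brace parsers are written for this
check and are not EdgeOS or AVM code.
"""
import ipaddress
import re

# Trimmed from the 'show vpn ipsec' output in the post (constructed sample).
EDGEOS = """\
site-to-site {
    peer REMOTE.HOST.NAME {
        authentication {
            id @LOCAL.HOST.NAME
            pre-shared-secret VERYSECRETPSK
            remote-id @REMOTE.HOST.NAME
        }
        tunnel 1 {
            local {
                prefix 192.168.0.0/24
            }
            remote {
                prefix 192.168.178.0/24
            }
        }
    }
}
nat-traversal enable
"""

# Trimmed from the vpncfg file in the post (constructed sample).
VPNCFG = """\
vpncfg {
    connections {
        remotehostname = "LOCAL.HOST.NAME";
        localid { fqdn = "REMOTE.HOST.NAME"; }
        remoteid { fqdn = "LOCAL.HOST.NAME"; }
        key = "VERYSECRETPSK";
        use_nat_t = yes;
        phase2localid { ipnet { ipaddr = 192.168.178.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 192.168.0.0; mask = 255.255.255.0; } }
    }
}
"""

def parse_braces(text, leaf):
    """Parse a nested brace config into dicts; `leaf` maps one statement to (key, value)."""
    root, stack = {}, []
    node = root
    for stmt in re.split(r"[\n;]", text.replace("{", "{\n").replace("}", "\n}\n")):
        stmt = stmt.strip()
        if not stmt:
            continue
        if stmt.endswith("{"):               # open a child block, keyed by its header
            child = {}
            node[stmt[:-1].strip()] = child
            stack.append(node)
            node = child
        elif stmt == "}":                    # close it
            node = stack.pop()
        else:
            key, value = leaf(stmt)
            node[key] = value
    return root

def edgeos_leaf(stmt):                       # "key value" (value may be absent)
    return (stmt.split(None, 1) + [""])[:2]

def vpncfg_leaf(stmt):                       # 'key = "value"' or 'key = value'
    return [p.strip().strip('"') for p in stmt.split("=", 1)]

def fritz_net(node):                         # ipnet { ipaddr; mask } -> ip_network
    return ipaddress.ip_network(f"{node['ipnet']['ipaddr']}/{node['ipnet']['mask']}")

def check_pair(edgeos_text, vpncfg_text):
    """Return {check name: passed} for every value that must mirror between the ends."""
    er = parse_braces(edgeos_text, edgeos_leaf)
    fb = parse_braces(vpncfg_text, vpncfg_leaf)["vpncfg"]["connections"]
    peer_key, peer = next((k, v) for k, v in er["site-to-site"].items() if k.startswith("peer "))
    peer_name = peer_key.split(None, 1)[1]
    auth = peer["authentication"]
    tun = next(v for k, v in peer.items() if k.startswith("tunnel "))
    local_id, remote_id = auth["id"].lstrip("@"), auth["remote-id"].lstrip("@")
    return {
        "ER id == FB remoteid.fqdn": local_id == fb["remoteid"]["fqdn"],
        "ER remote-id == FB localid.fqdn": remote_id == fb["localid"]["fqdn"],
        "ER peer name == FB localid.fqdn": peer_name == fb["localid"]["fqdn"],
        "FB remotehostname == ER id": fb["remotehostname"] == local_id,
        "ER local prefix == FB phase2remoteid": ipaddress.ip_network(tun["local"]["prefix"]) == fritz_net(fb["phase2remoteid"]),
        "ER remote prefix == FB phase2localid": ipaddress.ip_network(tun["remote"]["prefix"]) == fritz_net(fb["phase2localid"]),
        "same PSK": auth["pre-shared-secret"] == fb["key"],
        "NAT-T enabled on both": er.get("nat-traversal") == "enable" and fb["use_nat_t"] == "yes",
    }

def failed_checks(edgeos_text, vpncfg_text):
    """Names of the checks that fail; an empty list means the two files agree."""
    return [name for name, ok in check_pair(edgeos_text, vpncfg_text).items() if not ok]
```

Run `failed_checks(EDGEOS, VPNCFG)` against your own two files (paste the site-to-site block and the connections block) before importing the vpncfg; the Fritz!Box gives no useful error when an ID or subnet is swapped, it just never comes up.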

 

Emerging Member
Posts: 46
Registered: ‎07-03-2013
Kudos: 18
Solutions: 3

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


UPDATE III: My tunnel is back. I changed set local-address to my foo.bar FQDN.

I can confirm it works and the s2s VPN renews itself after a change of IPs on the FritzBox after 60 sec.

[edit vpn ipsec site-to-site peer fritz.foo.bar]
@ERPoE# set local-address foo.bar

I have an ERPoE-5 on v1.8.5.a1 in Spain and a FritzBox 3770 with FritzOS 6.30 in Germany.

Thank you @BGMogli for sharing your knowledge. It saves time for all of us. I had given up on s2s VPN.

My working FritzBox 3770 6.30 VPN cfg file:

/*
 * C:\fritzbox_fritz_foo_bar.cfg
 * Wed Apr 13 18:52:34 2016
 */

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "foo.bar";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "foo.bar";
                localid {
                        fqdn = "fritz.foo.bar";
                }
                remoteid {
                        fqdn = "foo.bar";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "same_as_l2tp_pre_shared_key";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.100.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.10.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 10.10.10.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

My working ERPoE's VPN config:

@ERPoE# show vpn ipsec
 auto-update 60
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO0 {
     lifetime 3600
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface pppoe0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer fritz.foo.bar {
         authentication {
             mode pre-shared-secret
             pre-shared-secret same_as_l2tp_psk
         }
         connection-type initiate
         description "VPN to fritz.foo.bar"
         ike-group FOO0
         local-address foo.bar
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 10.10.10.0/24
             }
             remote {
                 prefix 192.168.100.0/24
             }
         }
     }
 }

I used all your config parameters for both routers and used the same PSK as my L2TP tunnel.

@ERPoE:~$ show vpn ipsec sa
peer-fritz.foo.bar-tunnel-1: #39, ESTABLISHED, IKEv1, 064f0xxxxxx92b6f:01b6xxxxxxxf061a
local 'foo.bar' @ 2.136.94.1
remote 'fritz.foo.bar' @ 78.52.81.239
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 413s ago, reauth in 2596s
peer-fritz.foo.bar-tunnel-1: #7, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
installed 660 ago, rekeying in 1912s, expires in 2940s
in a2dc6a9f, 282947 bytes, 740 packets, 1s ago
out a7bd27df, 2121226 bytes, 47161 packets, 0s ago
local 10.10.10.0/24
remote 192.168.100.0/24
peer-fritz.foo.bar-tunnel-1: #7, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
installed 413 ago, rekeying in 2274s, expires in 3188s
in aa6e37cf, 120035 bytes, 628 packets, 1s ago
out a8091c5f, 967966 bytes, 15270 packets, 0s ago
local 10.10.10.0/24
remote 192.168.100.0/24
@ERPoE:~$ show vpn ipsec status
IPSec Process Running PID: 6468

2 Active IPsec Tunnels

IPsec Interfaces :
pppoe0 (no IP on interface statically configured as local-address for any VPN peer)

@ERPoE:~$ show vpn ike secrets
Local IP/ID Peer IP/ID
----------- -----------
foo.bar fritz.foo.bar
N/A %any

Secret: "same_as_l2tp_psk"


Local IP/ID Peer IP/ID
----------- -----------
0.0.0.0 0.0.0.0
N/A N/A

Secret: "l2tp_psk"

@ERPoE:~$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=64 time=74.7 ms
64 bytes from 192.168.100.1: icmp_req=2 ttl=64 time=74.4 ms
64 bytes from 192.168.100.1: icmp_req=3 ttl=64 time=74.5 ms
--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 8011ms
rtt min/avg/max/mdev = 74.057/74.427/74.729/0.264 ms


New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

You're welcome.

 

As described in the linked post, dhcp-interface doesn't work on PPPoE interfaces. In this case just use local-address 0.0.0.0 (or any, since this is the same).

 

Maybe I'll try to get it running with other cryptography, but currently it agrees on AES256-SHA1 for both phases 1 and 2, which is fine for me. I would change to AES128 to give the CPUs (especially the Fritz!Box) some more rest.

New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


Reply to @Adrao, UPDATE II:

You said it was working with local-address 0.0.0.0, then just adjust it back. Or try setting local-address edgeos.foo.bar. I did set the last option, but EdgeOS told me to only set one of local-address or DHCP interface.

Emerging Member
Posts: 46
Registered: ‎07-03-2013
Kudos: 18
Solutions: 3

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


I'm trying to debug to pin down the problem. The tunnel goes up when I re-upload the configuration file on the fritzbox.

 

Yesterday I wasn't at home when the tunnel went down, but my IP changes every 24h on my FritzBox. I suspect that when the IP changed the tunnel went down and I couldn't re-establish it by initiating a connection from the EdgeRouter. I've tried through the VPN wizard, CLI and through the config tree with no results.

 

I believe it's because I'm missing the authentication id @foo.bar and remote-id @fritz.foo.bar. I keep encountering the 'set vpn ipsec site-to-site foo.bar local-address any/0.0.0.0' not working due to the authentication ID already being specified, so the tunnel cannot renew itself when the IP changes.

 

Why can't I have both authentication ID and local-address any? Is this a bug?

 

I have specified like you 'set vpn ipsec auto-update 60' for the IPsec daemon. What does this do exactly? I have also specified 'vpncfg { connections { always_renew = yes;' on the fritz.box. Do I also need DPD? Does the FritzBox support this?

 

I can't wait till my ISP renews my IP so I'll just force it and see if the tunnel can be re-established.

Here are my logs on the FritzBox

 

28.04.16	15:14:22	VPN connection to bitcoin.gal was established successfully.
28.04.16	14:20:27	VPN connection to bitcoin.gal was established successfully.
28.04.16	00:33:39	Dynamic DNS error: the Dynamic DNS update was successful, but a DNS resolution error occurred afterwards.
28.04.16	00:30:08	VPN error: bitcoin.gal, IKE-Error 0x2027
28.04.16	00:29:36	Internet connection was established successfully. IP address: y.y.y.y, broadband PoP: HN-XDSL
28.04.16	00:29:35	Internet connection was disconnected.
27.04.16	22:57:28	VPN connection to bitcoin.gal was established successfully.
27.04.16	22:03:32	VPN connection to bitcoin.gal was established successfully.

 

 My EdgeRouter VPN logs

Apr 28 13:23:16 14[IKE] <peer-fritz.foo.bar-tunnel-1|2> initiating Main Mode IKE_SA peer-fritz.foo.bar-tunnel-1[2] to y.y.y.y
Apr 28 13:26:01 16[IKE] <peer-fritz.foo.bar-tunnel-1|2> initiating Main Mode IKE_SA peer-fritz.foo.bar-tunnel-1[2] to y.y.y.y
Apr 28 13:26:27 00[DMN] signal of type SIGINT received. Shutting down
Apr 28 13:26:30 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
--------> I re-upload the config to the FritzBox and the tunnel goes live.
Apr 28 14:20:26 10[IKE] <1> 78.52.80.149 is initiating a Main Mode IKE_SA
Apr 28 14:20:27 11[IKE] <peer-fritz.foo.bar-tunnel-1|1> IKE_SA peer-fritz.foo.bar-tunnel-1[1] established between x.x.x.x[x.x.x.x]...y.y.y.y[fritz.foo.bar]
--------> ER side is using the IP x.x.x.x on pppoe0 and the FritzBox the fritz.foo.bar FQDN
Apr 28 14:20:27 15[IKE] <peer-fritz.foo.bar-tunnel-1|1> CHILD_SA peer-fritz.foo.bar-tunnel-1{4} established with SPIs cbc743b1_i 03826551_o and TS 10.10.10.0/24 === 192.168.100.0/24

@ERPoE:~$ show vpn ipsec sa
peer-fritz.foo.bar-tunnel-1: #1, ESTABLISHED, IKEv1, 1e3bf1f28e9582c4:12868e2342f13426
  local  'x.x.x.x' @ x.x.x.x
  remote 'fritz.foo.bar' @ y.y.y.y
  3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
  established 620s ago, reauth in 2074s
  peer-fritz.foo.bar-tunnel-1: #4, INSTALLED, TUNNEL-in-UDP, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024
    installed 619 ago, rekeying in 1914s, expires in 2981s
    in  cbc743b9, 0 bytes, 0 packets
    out 73826551, 0 bytes, 0 packets
    local  10.10.10.0/24
    remote 192.168.100.0/24

@ERPoE:~$ show vpn ipsec state
src x.x.x.x dst y.y.y.y
	proto esp spi 0x1382655f reqid 4 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0x11c2658bd065a1dcca481dde0d86b1ff 96
	enc cbc(des3_ede) 0x10310271dd9e25e9f4aa1c6550b95473f1aaa2fe8b28826f
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src y.y.y.y dst x.x.x.x
	proto esp spi 0x1bc743bf reqid 4 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0x15510ad5e49b6ae7a3d474316939faef 96
	enc cbc(des3_ede) 0x15b3e4055973d0d83a842613f3051d7fb5c7c7693263318f
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

@ERPoE:~$ show vpn ipsec status
IPSec Process Running PID: 13669

1 Active IPsec Tunnels

IPsec Interfaces :
	pppoe0	(x.x.x.x)

@ERPoE:~$ show vpn ipsec policy
src 192.168.100.0/24 dst 10.10.10.0/24
	dir fwd priority 2883
	tmpl src y.y.y.y dst x.x.x.x
		proto esp reqid 4 mode tunnel
src 192.168.100.0/24 dst 10.10.10.0/24
	dir in priority 2883
	tmpl src y.y.y.y dst x.x.x.x
		proto esp reqid 4 mode tunnel
src 10.10.10.0/24 dst 192.168.100.0/24
	dir out priority 2883
	tmpl src x.x.x.x dst y.y.y.y
		proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0

@ERPoE:~$ show vpn ike status
IKE Process Running PID: 13669

@ERPoE:~$ show vpn ike secrets
Local IP/ID                             Peer IP/ID
-----------                             -----------
%any                                    0.0.0.0
N/A                                     N/A

    Secret: "same_l2tp_psk"

Local IP/ID                             Peer IP/ID
-----------                             -----------
0.0.0.0                                 0.0.0.0
N/A                                     N/A

    Secret: "same_l2tp_psk"

I can ping successfully and traffic goes both ways. But I doubt it will stay up after my IP changes on my fritz.box.

 

FritzBox.jpg
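The two 'show vpn ipsec sa' outputs in this thread show why it pays to read the negotiated algorithms and not just the ESTABLISHED flag: the one posted earlier ended up with AES-256/SHA1/MODP_1024, the one in this post with 3DES/MD5/MODP_1024, i.e. whatever both ends were willing to accept once the Fritz!Box side was configured with phase1ss = "all/all/all". What follows is an added check, not from the thread: it parses that output (the two samples are trimmed copies of the outputs posted above, SPIs and all) and flags the algorithms a current practitioner would not accept. The WEAK list is this example's own policy, not anything EdgeOS enforces.

```python
"""Flag weak algorithms in EdgeOS 'show vpn ipsec sa' output.

Added example, not from the thread. The samples are trimmed copies of the two
outputs posted in this discussion; WEAK is this example's own policy (single-DES
and 3DES, MD5 anywhere, DH groups below 2048 bits).
"""
import re

WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

# 'name: #N, ESTABLISHED|INSTALLED, ...' opens an IKE_SA or CHILD_SA record.
SA_HEADER = re.compile(r"^\s*(\S+): #(\d+), (ESTABLISHED|INSTALLED)")
# An algorithm chain such as AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024.
ALG_CHAIN = re.compile(r"((?:[0-9]?[A-Z][A-Z0-9_]*(?:-\d+)?/)+[0-9]?[A-Z][A-Z0-9_]*(?:-\d+)?)")

SAMPLE_AES = """\
peer-fritz.foo.bar-tunnel-1: #39, ESTABLISHED, IKEv1, 064f0xxxxxx92b6f:01b6xxxxxxxf061a
local 'foo.bar' @ 2.136.94.1
remote 'fritz.foo.bar' @ 78.52.81.239
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 413s ago, reauth in 2596s
peer-fritz.foo.bar-tunnel-1: #7, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
installed 660 ago, rekeying in 1912s, expires in 2940s
in a2dc6a9f, 282947 bytes, 740 packets, 1s ago
out a7bd27df, 2121226 bytes, 47161 packets, 0s ago
local 10.10.10.0/24
remote 192.168.100.0/24
"""

SAMPLE_3DES = """\
peer-fritz.foo.bar-tunnel-1: #1, ESTABLISHED, IKEv1, 1e3bf1f28e9582c4:12868e2342f13426
  local 'x.x.x.x' @ x.x.x.x
  remote 'fritz.foo.bar' @ y.y.y.y
  3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
  established 620s ago, reauth in 2074s
  peer-fritz.foo.bar-tunnel-1: #4, INSTALLED, TUNNEL-in-UDP, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024
    installed 619 ago, rekeying in 1914s, expires in 2981s
    in cbc743b9, 0 bytes, 0 packets
    out 73826551, 0 bytes, 0 packets
    local 10.10.10.0/24
    remote 192.168.100.0/24
"""

def audit_sa_output(text):
    """One record per SA: name, number, IKE or ESP, the full chain, and its weak members."""
    findings, current = [], None
    for line in text.splitlines():
        header = SA_HEADER.match(line)
        if header:                       # IKE_SA header: chain is on the next line;
            name, num, state = header.groups()   # CHILD_SA header: chain is on this line
            current = (name, int(num), "IKE" if state == "ESTABLISHED" else "ESP")
        chain = ALG_CHAIN.search(line)
        if chain and current:
            algs = chain.group(1).split("/")
            findings.append({
                "sa": current[0], "num": current[1], "kind": current[2],
                "algs": algs, "weak": [a for a in algs if a in WEAK],
            })
    return findings

def acceptable(text):
    """True only when no SA in the output uses an algorithm from WEAK."""
    return all(not f["weak"] for f in audit_sa_output(text))

if __name__ == "__main__":
    for sample in (SAMPLE_AES, SAMPLE_3DES):
        for f in audit_sa_output(sample):
            print(f"{f['kind']} SA #{f['num']}: {'/'.join(f['algs'])}  weak={f['weak']}")
```

Note that even the "good" output fails here because of MODP_1024 (dh-group 2), which every config in this thread uses; the check is meant to be run after each change to the proposals on either end, since a responder that silently accepts a weaker offer looks identical to one that negotiated what you configured.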

Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


The problem is that you're using PSK with dynamic ends. To be more precise, look at sudo cat /etc/ipsec.secrets, where all the PSKs (or links to keys) are stored. If you have multiple dynamic ends, only the first line in the above file identified by any is used.

 

The solution, if you can't move to static IPs, is to use RSA or x509 for authentication. With these methods you can use identifiers and match the tunnels precisely.

 

Or, as a workaround, make all your PSKs the same. In this case the first match will work for all.

 

I have close to 10 dynamic VPN ends, including the concentrator, which is on a dynamic IP, all identified by different x509 certs, working like a charm. My endpoints are various UBNT, ZyXEL and Draytek systems.

 

One more thing: you should identify the dynamic end with a % prefix, i.e. peer %my.peer.com. This will allow the tunnel to rebuild much faster if the IP of the end changes. See this link for more details.

TEKUX - IT Consulting and Services
New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Thanks @BranoB, I will look into the strongSWAN docs for %.

 

That's why I said the PSKs MUST be the same. AFAIK the Fritz!Box has its own closed-source IPsec implementation, not supporting RSA auth, and how to do x509 auth is unknown (all configurations one can find from AVM [the manufacturer] only use PSK).

 

>> I have specified like you 'set vpn ipsec auto-update 60' for IPsec deamon. What does this do exactly? I have also specified 'vpncfg { connections { always_renew = yes;' on the fritz.box.

auto-update re-reads the configuration every x seconds and resolves the hostname again, so if the DynDNS changes, the tunnel will try to connect to the new IP after around 60s.

 

>> Do I also need DPD? Does the fritzbox support this?

AFAIK the Fritz!Box supports it somehow, but not fully - see http://www.ip-phone-forum.de/showthread.php?t=218451&p=1573855&viewfull=1#post1573855

 

>> I believe it's because I'm missing the authentication id @foo.bar and remote-id @fritz.foo.bar.I keep encountering the 'set vpn ipsec site-to-site foo.bar local-address any/0.0.0.0' not working due to authentication ID already being specified so the tunnel cannot renew itself when the IP changes.

Sorry, overlooked that in the config. You need to specify them, else the devices cannot recognize each other.

New Member
Posts: 9
Registered: ‎09-28-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

@BranoB, @Adrao, and @BGMogli, just a heads up. I rediscovered this thread last night after updating an ERX to 1.8.

I totally spaced that you were referencing my first thread from way back regarding dynamic tunnels with PSKs. Anyway, as BranoB suggested, X.509 certificates or keys are more secure and are a good workaround to the strongSwan "%any" PSK matching limitations.

 

I thought I would share with you, though, that with a little finagling you can use multiple PSKs with dynamic endpoints, which allows you to have tunnels to endpoints you do not control.

 

The key to this is to not have the strongSwan engine trigger an "any" match. I'm not 100% sure on how this happens under the hood, but I stumbled upon it the other day. Perhaps someone who knows more about this can elaborate on how this is actually working, but I have done a fair bit of testing and can't find any issues with it. It does however require you to have hostnames for your dynamic addresses.

 

Please see my 2 site config below that is working with two dynamic tunnels with different PSKs.

ubnt@ERX# show vpn ipsec
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     compression disable
     lifetime 3600
     mode tunnel
     pfs dh-group2
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 esp-group FOO1 {
     compression disable
     lifetime 3600
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO0 {
     dead-peer-detection {
         action restart
         interval 30
         timeout 30
     }
     key-exchange ikev2
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ike-group FOO1 {
     key-exchange ikev1
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth1
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer dynamicPeer1.net {
         authentication {
             id @dynamicHostname.net
             mode pre-shared-secret
             pre-shared-secret Secret1
             remote-id @dynamicPeer1.net
         }
         connection-type initiate
         description "Dynamic VPN 1"
         ike-group FOO0
         local-address dynamicHostname.net
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 prefix 192.168.1.0/24
             }
             remote {
                 prefix 192.168.3.0/24
             }
         }
     }
     peer dynamicPeer2.net {
         authentication {
             id @dynamicHostname.net
             mode pre-shared-secret
             pre-shared-secret Secret2
             remote-id @dynamicPeer2.net
         }
         connection-type initiate
         description "Dynamic VPN 2"
         ike-group FOO1
         local-address dynamicHostname.net
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO1
             local {
                 prefix 192.168.1.0/24
             }
             remote {
                 prefix 192.168.2.0/24
             }
         }
     }
 }

 

After reading this I realize that perhaps this has to do with one tunnel being IKEv1 and the other being IKEv2, but I'm pretty sure that it worked when they were both v1 as well. YMMV

Let me know and post back if this helped at all.

 

New Member
Posts: 9
Registered: ‎09-28-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

I just tested it and can confirm that even if both tunnels are IKEv1 they will come up with different keys. Still not sure why this is, but hey..... If it ain't broke....

Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Can you post content of /etc/ipsec.secrets? (obfuscate the actual keys, but I'd like to see all the lines and selectors)

TEKUX - IT Consulting and Services
New Member
Posts: 9
Registered: ‎09-28-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Hi @BranoB 

Here is the contents of the ipsec.secrets file. I have replaced the hostnames and keys with placeholders. If you can shed any light on why this works that would be great.

 

 

# generated by /opt/vyatta/sbin/vpn-config.pl

dynamicHostname.net dynamicPeer1.net @dynamicHostname.net @dynamicPeer1.net : PSK "Secret1"
dynamicHostname.net dynamicPeer2.net @dynamicHostname.net @dynamicPeer2.net : PSK "Secret2"

 

I look forward to hearing back from you.

 

 

 

Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Yes, this is the way to do it. As you said, don't allow for an any match, otherwise the first line with any will match.

I did several tests like this before, when strongSwan was on version 4.x, and it never worked reliably for me. Then I moved to x509. ...maybe they changed something in strongSwan 5.x ...or maybe I was just doing something wrong. ...glad it's working now.

TEKUX - IT Consulting and Services
New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Yeah, that looks good. However, I also need L2TP, and that automatically configures a %any target, so that's no solution for me.

 

root@router:~# cat /etc/ipsec.secrets 
# generated by /opt/vyatta/sbin/vpn-config.pl

1.2.3.4 remote.fqdn @local.fqdn @remote.fqdn : PSK "MYSECRETPSK" #dhcp-interface=eth0#
### Vyatta L2TP VPN Begin ###
1.2.3.4 %any : PSK "MYSECRETPSK" #dhcp-ra-interface=eth0#
### Vyatta L2TP VPN End ###
Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

That should be OK, since the any target is on last line. All my tests indicate that the file is matched from top to bottom (I could not find this in any documentation though) ... so having any on last line should not break anything.

TEKUX - IT Consulting and Services
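To make the %any behaviour that @BranoB, @FAServers and @BGMogli are discussing concrete, here is an added model of how a PSK gets picked out of ipsec.secrets. It is not strongSwan code and not from the thread; it assumes what the observations above are consistent with: every selector on a line is scored against what the daemon knows about the peer at lookup time, a hostname selector counts as the address it resolved to when the file was last read (which is what auto-update refreshes), and a main-mode responder has to choose the key before the initiator's ID has arrived, so at that moment only an address or %any can match. The three files are constructed from the ones posted above with a second L2TP key added for contrast; the ranking (exact address or ID match beats %any, rather than file order) is this example's simplification.

```python
"""Model of PSK selection from an ipsec.secrets file (added example, not strongSwan).

Assumptions, as discussed in the thread: hostnames in selectors resolve to an
address when the file is read (auto-update re-reads it); a main-mode responder
chooses the PSK before it has the peer's ID; an exact address/ID match outranks
a %any match, regardless of line order.
"""
import re

MATCH_NONE, MATCH_ANY, MATCH_EXACT = 0, 1, 2

# Constructed DNS snapshot standing in for the resolver at load time.
DNS = {
    "local.fqdn": "1.2.3.4", "remote.fqdn": "2.3.4.5",
    "dynamicHostname.net": "1.2.3.4",
    "dynamicPeer1.net": "5.6.7.8", "dynamicPeer2.net": "9.10.11.12",
}

# Constructed from the files posted in the thread (trailing comments kept as posted).
SECRETS_SAME_PSK = """\
1.2.3.4 remote.fqdn @local.fqdn @remote.fqdn : PSK "MYSECRETPSK" #dhcp-interface=eth0#
### Vyatta L2TP VPN Begin ###
1.2.3.4 %any : PSK "MYSECRETPSK" #dhcp-ra-interface=eth0#
### Vyatta L2TP VPN End ###
"""
SECRETS_DIFFERENT_PSK = SECRETS_SAME_PSK.replace('%any : PSK "MYSECRETPSK"', '%any : PSK "L2TPSECRET"')
SECRETS_TWO_PEERS = """\
dynamicHostname.net dynamicPeer1.net @dynamicHostname.net @dynamicPeer1.net : PSK "Secret1"
dynamicHostname.net dynamicPeer2.net @dynamicHostname.net @dynamicPeer2.net : PSK "Secret2"
"""

_LINE = re.compile(r'^(.*?):\s*PSK\s+"([^"]*)"')
_IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def parse_secrets(text, dns=DNS):
    """Return [(selectors, psk)] with each selector as a (kind, value) tuple."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        selectors = []
        for tok in m.group(1).split():
            if tok in ("%any", "0.0.0.0"):
                selectors.append(("any", None))
            elif tok.startswith("@"):
                selectors.append(("id", tok))
            elif _IPV4.match(tok):
                selectors.append(("addr", tok))
            else:
                selectors.append(("addr", dns.get(tok)))   # hostname, resolved at load
        entries.append((selectors, m.group(2)))
    return entries

def _quality(selectors, peer_addr, peer_id):
    """Best match quality of one line's selectors against what we know of the peer."""
    best = MATCH_NONE
    for kind, value in selectors:
        if kind == "any":
            best = max(best, MATCH_ANY)
        elif kind == "addr" and value is not None and value == peer_addr:
            best = max(best, MATCH_EXACT)
        elif kind == "id" and peer_id is not None and value == peer_id:
            best = max(best, MATCH_EXACT)
    return best

def select_psk(entries, peer_addr, peer_id=None):
    """Best-matching (psk, quality) for a peer; peer_id=None models a main-mode
    responder that has not yet seen the initiator's ID."""
    best = (None, MATCH_NONE)
    for selectors, psk in entries:
        q = _quality(selectors, peer_addr, peer_id)
        if q > best[1]:
            best = (psk, q)
    return best

if __name__ == "__main__":
    same, diff, two = (parse_secrets(t) for t in (SECRETS_SAME_PSK, SECRETS_DIFFERENT_PSK, SECRETS_TWO_PEERS))
    print("peer at its DNS address, one PSK everywhere:", select_psk(same, "2.3.4.5"))
    print("peer moved, DNS not re-read yet, L2TP key differs:", select_psk(diff, "2.3.4.99"))
    print("unknown peer, no %any line at all:", select_psk(two, "2.3.4.99"))
    print("same unknown address, but ID known (aggressive/IKEv2):", select_psk(two, "2.3.4.99", "@dynamicPeer2.net"))
```

The three scenarios reproduce the thread: with one PSK everywhere a stale address falls through to the L2TP line and still authenticates; with a different L2TP key the same fall-through hands the wrong key to the site-to-site peer, which is the failure @BGMogli hit; with ID-qualified lines and no %any line an unknown address matches nothing, so the separate keys only work while the resolved hostnames are current (or once the peer's ID is available before the key is needed, which is what aggressive mode and IKEv2 give you).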
New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


BranoB wrote:

That should be OK, since the any target is on last line. All my tests indicate that the file is matched from top to bottom (I could not find this in any documentation though) ... so having any on last line should not break anything.


Sorry, but that did not work for me. Maybe you need to use aggressive mode in this case? I only got it working using the same PSK as for L2TP.

Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Hmm, don't know, as I mentioned I abandoned PSK a long time ago. Now I'm using x509 certs for all site-to-site and client-to-site connections and I can tell you they are all 100% stable and all come up instantly, always.

TEKUX - IT Consulting and Services
New Member
Posts: 3
Registered: ‎05-05-2016

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

I'm a Juniper guy, and do many dynamic-to-static VPNs, and you must use aggressive mode.

Established Member
Posts: 2,439
Registered: ‎05-15-2014
Kudos: 788
Solutions: 178

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)

Yes, in aggressive mode the negotiation is done in 3 steps only and the identifier is not encrypted. As such, the PSK matching by ID works.

But there are serious security implications of using aggressive mode. Nice summary is here and here. Some additional reading here.

TEKUX - IT Consulting and Services
New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


BranoB wrote:

Yes, in aggressive mode the negotiation is done in 3 steps only and identifier is not encrypted. As such the PSK matching by ID works.

But there are serious security implications of using aggressive mode. Nice summary is here and here. Some additional reading here.


That's why I don't like to use aggressive mode. strongSwan even renames itself to weakSwan if used with aggressive mode and PSK.

For me it's fine to use the same PSK as I am the only one with the configs.

 

And I can't move to RSA or X.509 because that isn't supported (or at least no one knows how to configure it) on the crappy IPsec implementation of the Fritz!Box.

 

@Adrao, yesterday my tunnel was down, however phase 1 was still established. Don't know what happened. After the testing with the different PSKs the tunnel came up fine again. I will monitor my logs next time that happens.

Did you try using AES128 with the Fritz!Box? I tried it yesterday, but if I remember correctly with another PSK. Then I tried it again using the original PSK and multiple proposals on the EdgeOS side and they agreed again on AES256. I would like to change to AES128 to take a bit of load off both routers, as AES128 is still enough for me.

New Member
Posts: 10
Registered: ‎12-05-2015
Kudos: 1

Re: HOW TO: IPSec Site to Site VPN with both dynamic IPs (between EdgeRouter and Fritz!Box)


Ah, it already happened again last evening...

 

Fritz!Box:

05.05.16 21:25:41	VPN error: local.fqdn, IKE-Error 0x203d
=> doc says: IKE-Error 0x203D: "phase 1 sa removed during negotiation"

EdgeOS (/var/log/charon.log):

May  5 20:34:02 12[IKE] <3> 2.3.4.5 is initiating a Main Mode IKE_SA
May  5 20:34:02 16[IKE] <peer-remote.fqdn-tunnel-1|3> IKE_SA peer-remote.fqdn-tunnel-1[3] established between 1.2.3.4[local.fqdn]...2.3.4.5[remote.fqdn]
May  5 20:34:03 07[IKE] <peer-remote.fqdn-tunnel-1|3> CHILD_SA peer-remote.fqdn-tunnel-1{3} established with SPIs c5914b6f_i 66d4c3bb_o and TS 172.31.0.0/16 === 172.16.0.0/14 
May  5 21:16:18 07[KNL] creating rekey job for ESP CHILD_SA with SPI c5914b6f and reqid {3}
May  5 21:16:19 11[IKE] <peer-remote.fqdn-tunnel-1|3> CHILD_SA peer-remote.fqdn-tunnel-1{3} established with SPIs ce83fadc_i b80bbb96_o and TS 172.31.0.0/16 === 172.16.0.0/14 
May  5 21:22:55 06[KNL] creating rekey job for ESP CHILD_SA with SPI 66d4c3bb and reqid {3}
May  5 21:25:41 14[IKE] <peer-remote.fqdn-tunnel-1|3> closing CHILD_SA peer-remote.fqdn-tunnel-1{3} with SPIs c5914b6f_i (0 bytes) 66d4c3bb_o (0 bytes) and TS 172.31.0.0/16 === 172.16.0.0/14 
May  5 21:25:41 14[IKE] <peer-remote.fqdn-tunnel-1|3> closing CHILD_SA peer-remote.fqdn-tunnel-1{3} with SPIs ce83fadc_i (0 bytes) b80bbb96_o (0 bytes) and TS 172.31.0.0/16 === 172.16.0.0/14 
May  5 21:25:42 14[IKE] <peer-remote.fqdn-tunnel-1|3> deleting IKE_SA peer-remote.fqdn-tunnel-1[3] between 1.2.3.4[local.fqdn]...2.3.4.5[remote.fqdn]
May  5 21:25:42 08[IKE] <4> 2.3.4.5 is initiating a Main Mode IKE_SA
May  5 21:25:42 09[IKE] <peer-remote.fqdn-tunnel-1|4> IKE_SA peer-remote.fqdn-tunnel-1[4] established between 1.2.3.4[local.fqdn]...2.3.4.5[remote.fqdn]
May  5 22:13:14 15[IKE] <peer-remote.fqdn-tunnel-1|4> reauthenticating IKE_SA peer-remote.fqdn-tunnel-1[4] actively
May  5 22:13:14 15[IKE] <peer-remote.fqdn-tunnel-1|4> initiating Main Mode IKE_SA peer-remote.fqdn-tunnel-1[5] to 2.3.4.5
May  5 22:13:15 05[IKE] <peer-remote.fqdn-tunnel-1|5> IKE_SA peer-remote.fqdn-tunnel-1[5] established between 1.2.3.4[local.fqdn]...2.3.4.5[remote.fqdn]
...

The CHILD_SA never comes up again; EdgeOS says that the SA is established, and the Fritz!Box says nothing (no log entries, VPN shown as disconnected) [status in the morning]:

root@router:~# show vpn ipsec sa
peer-remote.fqdn-tunnel-1: #19, ESTABLISHED, IKEv1, 81a18ac68db4d391:412c6767b28ba7b2
  local  'local.fqdn' @ 1.2.3.4
  remote 'remote.fqdn' @ 2.3.4.5
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 461s ago, reauth in 2063s

Someone has an idea how to fix that?

 

If I restart the VPN on EdgeOS (# restart vpn) it comes up nicely again.
