Unifi VPN Site-to-Site mit Fritz!Box
https://blog.hendrik.li/posts/site-to-site-vpn-usg-fritzbox
// Fritz!Box side of the site-to-site IPsec tunnel (the USG/Unifi side follows as JSON below).
// Placeholders in <...> are filled in by the operator; <PRE_SHARED_KEY> ends up in clear text
// in this file, so keep the exported configuration out of shared storage and version control.
vpncfg {
connections {
enabled = yes;
editable = no;
conn_type = conntype_lan; // Site-to-site (LAN-to-LAN) connection
name = "<CONNECTION_NAME>";
always_renew = yes; // Keep the connection initiated by the Fritz!Box alive
reject_not_encrypted = no; // Allow Internet access alongside the VPN
dont_filter_netbios = no; // Filter NetBIOS (set to 'yes' if needed)
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "<REMOTE_HOSTNAME>";
keepalive_ip = 0.0.0.0; // Optional: a permanently reachable IP on the remote side, used to detect a dropped tunnel early
// IKE identities: both sides are identified by FQDN; these must match "id"/"remote-id" on the USG side.
localid {
fqdn = "<LOCAL_HOSTNAME>";
}
remoteid {
fqdn = "<REMOTE_HOSTNAME>";
}
mode = phase1_mode_idp; // Aggressive mode: 'phase1_mode_aggressive' (idp presumably = identity-protect/main mode — confirm against AVM docs)
phase1ss = "all/all/all"; // https://avm.de/fileadmin/user_upload/DE/Service/VPN/ike_1.pdf
// NOTE(review): "all/all/all" presumably lets the peer's proposal decide the IKE algorithms;
// the USG side on this page pins ikev1 / aes256 / sha1 / dh-group 2, so that is what gets negotiated.
keytype = connkeytype_pre_shared;
key = "<PRE_SHARED_KEY>";
cert_do_server_auth = no;
use_nat_t = yes; // NAT traversal
use_xauth = no; // No additional XAUTH authentication
use_cfgmode = no; // Do not push configuration details to the peer (Cisco MODECFG)
// Phase 2 traffic selectors: local and remote /24 networks; must mirror the USG tunnel "local"/"remote" prefixes.
phase2localid {
ipnet {
ipaddr = <LOCAL_PRIVATE_SUBNET>;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = <REMOTE_PRIVATE_SUBNET>;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs"; // https://avm.de/fileadmin/user_upload/DE/Service/VPN/ike_2.pdf
// Do not use an 'Authentication Header'. AH is incompatible with NAT and ESP is sufficient.
// PFS is required here and "pfs": "enable" is set in the USG esp-group, so both sides agree.
accesslist = "permit ip any <REMOTE_PRIVATE_SUBNET> 255.255.255.0",
"permit ip any <REMOTE_PRIVATE_SUBNET_2> 255.255.255.0"; // Optional, if further networks are to be reached. Mind the return routes!
}
// Forwarding rules for IKE (UDP/500) and NAT-T (UDP/4500) so the negotiation reaches the Fritz!Box itself.
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
{
"vpn": {
"ipsec": {
"esp-group": {
"ESP-FritzBox": {
"compression": "disable",
"lifetime": "3600",
"mode": "tunnel",
"pfs": "enable",
"proposal": {
"1": {
"encryption": "aes256",
"hash": "sha1"
}
}
}
},
"ike-group": {
"IKE-FritzBox": {
"lifetime": "3600",
"key-exchange": "ikev1",
"proposal": {
"1": {
"dh-group": "2",
"encryption": "aes256",
"hash": "sha1"
}
}
}
},
"ipsec-interfaces": {
"interface": [
"eth0"
]
},
"nat-networks": {
"allowed-network": {
"0.0.0.0/0": "''"
}
},
"nat-traversal": "enable",
"auto-firewall-nat-exclude": "enable",
"auto-update": "60",
"site-to-site": {
"peer": {
"<REMOTE_HOSTNAME>": {
"authentication": {
"mode": "pre-shared-secret",
"pre-shared-secret": "<PRE_SHARED_KEY>",
"id": "<LOCAL_HOSTNAME>",
"remote-id": "<REMOTE_HOSTNAME>"
},
"connection-type": "initiate",
"ike-group": "IKE-FritzBox",
"ikev2-reauth": "inherit",
"local-address": "any",
"tunnel": {
"1": {
"allow-nat-networks": "disable",
"allow-public-networks": "disable",
"esp-group": "ESP-FritzBox",
"local": {
"prefix": "<LOCAL_PRIVATE_SUBNET>/24"
},
"remote": {
"prefix": "<REMOTE_PRIVATE_SUBNET>/24"
}
}
}
}
}
}
}
}
}