
Route all external traffic via site 2 site ipsec

Hi,

I tried to google and to search the forum, but haven't really found a solution...

I have an UTM 9.3 (192.168.2.1) in the US with a stable site 2 site ipsec tunnel to a remote fritz box (192.168.1.101) in Germany. I can reach all devices in the remote network very well.

What I would like to achieve is:

Route traffic to certain external hosts / networks or even all external traffic through the VPN tunnel ("Full Tunnel").

I followed the how-to https://www.sophos.com/en-us/support/knowledgebase/115661.aspx, but with no success.

I also tried a policy route: Gateway Route, Source Interface: internal, Source Network: internal network, Service: any, Destination Network: External Network, Gateway: fritz box (192.168.1.101).

In my findings the configuration on the fritz box side should not cause the issues so far, since traffic is not even directed to the tunnel so far. (Or are some crucial routes negotiated in the background already, when the tunnel is established?)

Any tips / recommendations would be appreciated. :)

  • I never had much success with policy routes. I use a vServer (5,- €/month) that acts as a separate WAN on my home UTM, which I can then apply multipath rules on. I posted a (German) manual in the Astaro -> German subforum.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I disagree with the approach in that article. In my opinion, the better approach is to add "Internet" to the LANs already in 'Local Networks' and in the equivalent of 'Remote Networks' in the Fritzbox.

    You can't do this with policy routes, and there's no shortcut to avoid having to change the configuration in the Fritzbox.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The other problem is that a Fritzbox will cap out at around 10 Mbit of VPN traffic; you will notice, when using the same Fritzbox for VoIP, that it starts to sound "funny" because it lags out. A Fritzbox is the last thing I would want to use for it.

    ---

    Sophos UTM 9.3 Certified Engineer

  • @Ben, unfortunately I won't be back at this remote location for at least 6 months from now. But I will put a RED device there when I have the chance. The Fritzbox is there now and up and running, so I would like to use it for now.

    , thanks a lot. Sounds like it could be done. Could you please detail your answer somewhat further? I can change the Fritzbox config anytime - it already has the following definition:
    "accesslist = "permit ip any 192.168.2.0 255.255.255.0";"
    Do I need to change something here?

    Regardless of what I put in Site to Site - IPsec - Remote Gateway, no change. Any further suggestions?

  • @Bate: do you want to access the network behind the Fritzbox, or just use the Fritzbox to have a German IP to surf and stream?

    If you just need it to tunnel all traffic to a German IP endpoint, get that 5,- €/month vServer. Best performance, Sophos on both sides (provided you use it for home).

    A RED device might not do what you want.

    ---

    Sophos UTM 9.3 Certified Engineer

  • @Ben: As mentioned before, I already do have access to the network behind the Fritzbox.

    What I want to gain in addition to that is what you guessed correctly: a German IP address for outgoing traffic. It would be sweet to achieve that using the existing (or updated) IPsec tunnel to the Fritzbox, if possible.

  • 'Remote networks' should include only "Internet" and any remote LANs that are not already being handled by a different tunnel. 'Local networks' in your IPsec Connection probably should include "Internal (Network)" or just the IP of the device you want to use to surf "from Germany." The remote site needs to mirror these two settings, not copy them - i.e., "0.0.0.0/0" needs to be the local network in Germany for this tunnel.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hm, I think I got everything right, but it doesn't work - all external traffic is still routed directly through my local internet connection.

    'Remote networks' includes only "Internet" and the remote LAN.
    'Local networks' includes "Internal (Network)".

    The remote site is configured to mirror these settings: accesslist = "permit ip any 192.168.2.0 255.255.255.0";

    "any" in the Fritzbox should be equivalent to "0.0.0.0/0".

    I have no idea where to look for reasons why it would not work - if all packets were lost in the tunnel, I would blame the other end, but that is not the case:
    all external traffic is still routed directly through my local internet connection and not through the tunnel...

  • OK, it sounds like it's time to look at a log. Disable the IPsec Connection, start the IPsec Live Log, enable the IPsec Connection, go to the 'Site-to-Site VPN Status' page and then show us about 50+ lines before the tunnel is green.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    after several frustrating hours it works now... At first I had a look at the logs myself before bothering you. It showed that the remote network was still defined as 192.168.1.0, even though in the UTM there was no definition in IPsec for this network. So it could only come from the Fritzbox...

    The config file for the Fritzbox VPN references this network in section

    phase2localid {
        ipnet {
            ipaddr = 192.168.1.0;
            mask = 255.255.255.0;
        }
    }

    So I changed it to

    ipaddr = 0.0.0.0;
    mask = 0.0.0.0;

    Result: the connection would not come up with an ID error.

    I also had to change

    localid { fqdn = "fritzmuc.dyn.com"; } to localid { ipaddr = 169.254.1.1; } and the corresponding VPN ID in the UTM.

    Before it finally worked I also disabled an additional IP address that I had assigned to the internal interface. But I did not verify if this really was related to the problem. Overall, testing was very frustrating and lengthy, since effects were not very reproducible. I had to disable / enable the VPN connections in the Fritzbox in order to get it to work.

    After these changes the UTM established a SA like this:

    SA:192.168.2.0/24=184.153.a.b 93.104.c.d=0.0.0.0/0 AND IT WORKED. All traffic was routed through the remote Fritzbox. I was using a German IP for all external traffic.

    At this point in time, I could ping the internal Fritzbox, but not use any services (e.g. Web, SIP). I did not really investigate much, but quickly found a working solution by adding another VPN connection to the Fritzbox.

    So my Fritzbox VPN config now has two connections, only differing in the above "phase2localid".

    If anybody is interested, I can post the working config.
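As an added example (not part of this thread and not Sophos or AVM code), the following Python script reproduces the diagnosis that the thread arrives at: Bob's point that the two ends must mirror each other's local/remote networks, and the final post's finding that the Fritzbox `phase2localid` still announced 192.168.1.0/24 while the UTM expected 0.0.0.0/0. The script parses the `phase2localid` and `accesslist` syntax quoted above, pairs the UTM's local/remote selectors with what the Fritzbox proposes, and reports which pairs are mirrored. The two Fritzbox fragments are constructed from the snippets in the thread, not the poster's full config, and the rule "mirrored means UTM local == Fritzbox accesslist destination and UTM remote == Fritzbox phase2localid" is the assumption the script is built on.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed config fragments modelled on the snippets quoted in the thread.
# They are NOT a complete Fritzbox vpn.cfg.
FRITZ_BEFORE = '''
phase2localid {
    ipnet {
        ipaddr = 192.168.1.0;
        mask = 255.255.255.0;
    }
}
accesslist = "permit ip any 192.168.2.0 255.255.255.0";
'''

FRITZ_AFTER = '''
phase2localid {
    ipnet {
        ipaddr = 0.0.0.0;
        mask = 0.0.0.0;
    }
}
accesslist = "permit ip any 192.168.2.0 255.255.255.0";
'''

# UTM side as described in the thread: 'Local networks' = Internal (Network),
# 'Remote networks' = Internet plus the remote LAN.
UTM_LOCAL = [ipaddress.ip_network("192.168.2.0/24")]
UTM_REMOTE = [ANY, ipaddress.ip_network("192.168.1.0/24")]


def parse_phase2localid(cfg):
    """Local traffic selector the Fritzbox proposes for this connection."""
    m = re.search(
        r"phase2localid\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+)\s*;\s*mask\s*=\s*([\d.]+)\s*;",
        cfg,
    )
    if not m:
        raise ValueError("phase2localid/ipnet block not found")
    # ipaddress accepts a dotted netmask, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0.
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def parse_accesslist(cfg):
    """(source, destination) from 'accesslist = "permit ip <src> <dst>";'.

    <src> and <dst> are each either the word 'any' or '<addr> <dotted-mask>'.
    """
    m = re.search(r'accesslist\s*=\s*"permit ip ([^"]+)"', cfg)
    if not m:
        raise ValueError("accesslist not found")
    tokens = m.group(1).split()
    nets = []
    while tokens:
        if tokens[0] == "any":
            nets.append(ANY)
            tokens = tokens[1:]
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False))
            tokens = tokens[2:]
    if len(nets) != 2:
        raise ValueError("expected exactly a source and a destination")
    return nets[0], nets[1]


def compare_selectors(utm_local, utm_remote, fritz_cfg):
    """Pair every UTM (local, remote) combination with the Fritzbox's proposal.

    Assumed mirror rule: the UTM's local network must equal the Fritzbox
    accesslist destination, and the UTM's remote network must equal the
    Fritzbox phase2localid. Returns (mirrored, unmirrored) as sorted lists
    of 'local<->remote' strings; the unmirrored pairs are the ones that will
    never get an SA, i.e. traffic that silently bypasses the tunnel.
    """
    fritz_local = parse_phase2localid(fritz_cfg)
    _, fritz_remote = parse_accesslist(fritz_cfg)
    mirrored, unmirrored = [], []
    for loc in utm_local:
        for rem in utm_remote:
            label = f"{loc}<->{rem}"
            if loc == fritz_remote and rem == fritz_local:
                mirrored.append(label)
            else:
                unmirrored.append(label)
    return sorted(mirrored), sorted(unmirrored)


if __name__ == "__main__":
    for name, cfg in (("before", FRITZ_BEFORE), ("after", FRITZ_AFTER)):
        ok, missing = compare_selectors(UTM_LOCAL, UTM_REMOTE, cfg)
        print(f"{name}: mirrored={ok} not mirrored={missing}")
```

Run against the "before" fragment the only mirrored pair is 192.168.2.0/24<->192.168.1.0/24, which is exactly the SA the poster saw in the log while Internet traffic kept leaving via the local uplink; against the "after" fragment the 0.0.0.0/0 pair is mirrored and the remote-LAN pair is the one left without an SA, which is why a second connection with a different phase2localid was needed.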