Side2Side VPN connection between OpenStack VPN and AVM Fritz!Box

FRITZBOX_WAN_IP=111.1.2.3
FRITZBOX_CIDR=192.168.178.0/24
OS_USER=foo
PROJECT_ID=xxxxxxxxxxxxxx
PSK=PASS1234
 
openstack vpn ike policy create ${OS_USER}-ike-aes256-sha512 \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
openstack vpn ipsec policy create ${OS_USER}-ipsec-aes256-sha512 \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
ROUTER_ID=$(openstack router list --project ${PROJECT_ID} -c ID -f value)
openstack vpn service create ${OS_USER}-vpn-service1 \
  --router ${ROUTER_ID}
 
SUBNET_ID=$(openstack subnet list --project ${PROJECT_ID} -c ID -f value)
openstack vpn endpoint group create ${OS_USER}-vpn-ep-subnet \
  --type subnet \
  --value ${SUBNET_ID}
 
openstack vpn endpoint group create ${OS_USER}-vpn-ep-cidr \
  --type cidr \
  --value ${FRITZBOX_CIDR}
 
openstack vpn ipsec site connection create ${OS_USER}-vpn-conn1 \
  --vpnservice ${OS_USER}-vpn-service1 \
  --ikepolicy ${OS_USER}-ike-aes256-sha512 \
  --ipsecpolicy ${OS_USER}-ipsec-aes256-sha512 \
  --peer-address ${FRITZBOX_WAN_IP} \
  --peer-id ${FRITZBOX_WAN_IP} \
  --psk ${PSK} \
  --local-endpoint-group ${OS_USER}-vpn-ep-subnet \

Cleanup / delete OpenStack objects

PROJECT_ID=f0f745a9c79c47fdbbdd187d728f9e41
 
# Delete VMs
openstack server list --project ${PROJECT_ID}
openstack server delete ${SERVER_ID}
 
openstack volume list --project ${PROJECT_ID}
openstack volume delete ${VOLUME_ID}
 
openstack image list --private --long | grep ${PROJECT_ID}
openstack image delete ${IMAGE_ID}
 
# Delete loadbalancer
openstack loadbalancer list --project ${PROJECT_ID}
openstack loadbalancer delete --cascade ${LOADBALANCER_ID}
 
# Delete secrets
openstack secret list
openstack secret delete ${SECRET_URL}
 
# Delete VPNs
openstack vpn ipsec site connection list --long | grep ${PROJECT_ID}
openstack vpn ipsec site connection delete ${IPSEC_SITE_CONNECTION_ID}
openstack vpn endpoint group list --long | grep ${PROJECT_ID}
openstack vpn endpoint group delete ${VPN_ENDPOINT_GROUP_ID}
openstack vpn service list --long | grep ${PROJECT_ID}
openstack vpn service delete ${VPN_SERVICE_ID}
openstack vpn ipsec policy list --long | grep ${PROJECT_ID}
openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY_ID}
openstack vpn ike policy list --long | grep ${PROJECT_ID}
openstack vpn ike policy delete ${VPN_IKE_POLICY_ID}
 
# Delete k8s
openstack coe cluster list 
 
# Delete floating ip
openstack floating ip list --project ${PROJECT_ID}
openstack floating ip delete ${FLOATING_IP}
 
# Delete router
openstack router list --project ${PROJECT_ID}

OpenStack Debug VPN connection

Find the VPN server and the relevant router UUID

# get VPN connection ID
openstack vpn ipsec site connection list | grep foo
openstack vpn ipsec site connection list --long | grep <project_id>
 
VPN_CONNECTION_ID=142dc25f-13bb-4fda-b093-edf13df98ed8
openstack vpn ipsec site connection show ${VPN_CONNECTION_ID}
 
VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} -c 'VPN Service' -f value)
openstack vpn service show ${VPN_SERVICE_ID}
 
# get router ID
ROUTER_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c Router -f value)
echo "ROUTER_ID=${ROUTER_ID}"

Find the ctl Node where the active router is running

openstack port list --device-owner network:router_gateway -f value -c binding_host_id --router ${ROUTER_ID}
 
# OR run on all ctl nodes run
ip netns exec qrouter-<router_id> ip a s

Connect to that ctl node and "jump" in its neutron-l3-agent docker container

ssh ${CONTROL_NODE}
docker exec -u root -ti neutron_l3_agent bash

4. Enable file logging in strongswan configuration

Xiaomi Mi A2 Lite (daisy)

Enable USB-Debugging and unlock phone

# Connect phone to computer
Settings > About Phone > Build number > tap 7x times to become developer
Settings > Advanced > Developer Options > OEM unclocking
 
# Connect phone to Wifi
Settings > Advanced > Developer Options > USB Debugging > OK
Allow access with your computer RSA key

Unlock phone

adb devices
adb reboot bootloader
fastboot oem unlock

Boot bootloader

Power Off phone
Hold volume_down + power
 
OPTIONAL: Recovery phone with original Xiaomi image to update firmware

Flash custom image
ArrowOS download: https://get.mirror1.arrowos.net/download.php?token=oD03QRrG9umnU1Egj6VspKXNwaiIlcYSOqbfCdyP4x8WzMtT7kL2hHZFJAv5&version=arrow-11.0&variant=community&device=daisy
OpenGA apps: https://netix.dl.sourceforge.net/project/opengapps/arm64/test/20210130/open_gapps-arm64-11.0-pico-20210130-TEST.zip