
Athar
End to end solutions, backend, frontend, IT support and AI automation
Skills



Portfolio
Professional experience
Locals
Freelance • 0 mos
Deployment of IPsec LAN coupling VPN between FRITZ!Box and VPS server (Linux)
Jun 2026 - Jun 2026 • 0 mos
Successfully Deployed and Migrated a Production FRITZ!Box ↔ StrongSwan IPsec VPN Behind a 4G CGNAT Network

Recently I completed a challenging networking project involving a FRITZ!Box connected through a 4G mobile network operating behind Carrier-Grade NAT (CGNAT), with a StrongSwan VPN gateway hosted on a Linux VPS.

Environment
• FRITZ!Box router
• 4G LTE modem connection
• Mobile provider using CGNAT
• Linux VPS with public IP
• StrongSwan IPsec VPN
• IKEv1 Aggressive Mode
• NAT Traversal (UDP 500/4500)
• Full Internet Traffic Tunnel (0.0.0.0/0)

Challenges
• Establishing a stable VPN from a CGNAT environment
• Handling NAT-T and IPsec encapsulation
• Diagnosing intermittent tunnel behavior
• Verifying IKE and ESP packet flow
• Migrating configuration to a new production VPS
• Preserving existing websites and services hosted on the server
• Avoiding conflicts with production ports (80/443)
• Implementing secure remote access to the FRITZ!Box management interface

Troubleshooting Process
• Packet captures using tcpdump
• Analysis of IKE negotiations and ESP traffic
• Validation of Security Associations (SAs)
• Verification of routing tables and traffic selectors
• Inspection of firewall policies and forwarding rules
• NAT and MASQUERADE configuration validation
• Testing end-to-end internet routing through the VPN tunnel

Results
• Stable IPsec tunnel established through a 4G CGNAT connection
• Full internet traffic successfully routed through the VPS
• VPN migration completed without impacting production websites
• Secure remote access to FRITZ!Box management achieved through controlled NAT forwarding on a dedicated port
• End-to-end connectivity verified using traceroute, packet captures, and live traffic monitoring

💡 Key Takeaway
A VPN tunnel showing "ESTABLISHED" does not guarantee working connectivity. Successful deployments require validation of:
• Routing
• NAT
• Forwarding
• Firewall policies
• Traffic selectors
• Application accessibility
Designed and implemented a dual-homed enterprise edge using BGP
May 2026 - May 2026 • 0 mos
Designed and implemented a dual-homed enterprise edge using BGP with full redundancy and policy-based routing.

Technical Highlights:
• eBGP peering with dual ISPs (Primary/Backup)
• iBGP between core routers using proper next-hop handling
• HSRP for first-hop redundancy (Active/Standby with preemption)
• IP SLA + object tracking for intelligent failover (not just link-state)

BGP Engineering:
• Local Preference used to control outbound path (ISP1 preferred)
• AS-Path Prepending applied for inbound traffic influence
• Default route learned and propagated via BGP
• Verified RIB vs BGP table behavior and resolved next-hop reachability

Failure Testing:
• Simulated ISP failure → automatic failover via HSRP + BGP convergence
• Traffic restored seamlessly after recovery
Implemented a centralized email management system
May 2026 - May 2026 • 0 mos
Implemented a centralized email management system:
• All external emails are collected in a shared mailbox
• Automatically routed to the correct Teams channel for immediate action
• Ensures organized, secure, and audit-ready correspondence with clients, regulators, banks, and government

This approach saves time, reduces manual work, and ensures nothing gets missed — keeping our communication with external parties seamless and professional.