All of my IPSEC VPN setup (Racoon & StrongSWAN)
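# racoon.conf for zima (192.168.1.156), the racoon side of the zima <-> stelleri pair.
# Fixes vs. the pasted version: stray table separators (" | |") removed and block
# indentation restored; every directive is otherwise unchanged.

# Directory holding the local cert/key pair, the pinned peer cert and ca.crt named below.
# zima.netcrave.io.key is a private key; keep the file readable by root only.
path certificate "/usr/local/etc/racoon/certs";

remote 192.168.1.128 {
    # IKEv1 main mode: identities are sent only after the exchange is encrypted.
    exchange_mode main;
    # Both ends are identified by the subject DN of their certificate, not by IP.
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "zima.netcrave.io.crt" "zima.netcrave.io.key";
    # The peer's certificate is pinned by file and also validated against ca.crt.
    peers_certfile x509 "stelleri.netcrave.io.crt";
    ca_type x509 "ca.crt";
    # Keep on: off skips CA validation of the peer certificate.
    verify_cert on;
    proposal {
        # Same phase 1 parameters as the stelleri racoon.conf (aes / sha256 / group 14).
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group 14;
    }
}

# NOTE(review): "anonymous" matches phase 2 proposals from any authenticated peer for any
# selector; the stelleri racoon.conf uses per-address sainfo blocks, which is the narrower form.
sainfo anonymous {
    pfs_group 14;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    # IPComp (deflate) runs before ESP encrypts, so ciphertext length then depends on
    # plaintext content; only worth it if the tunnel really benefits from compression.
    compression_algorithm deflate;
}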
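# racoon.conf for stelleri (192.168.1.128): one remote block per peer,
# zima (192.168.1.156, racoon) and smol (192.168.1.13, strongSwan).
# Fixes vs. the pasted version: stray table separators (" | |") removed and block
# indentation restored; every directive is otherwise unchanged.

# debug2 dumps negotiation payloads; leave it commented out except while diagnosing a failing exchange.
# log debug2;

# Directory holding the local cert/key pair, both pinned peer certs and ca.crt named below.
# stelleri.netcrave.io.key is a private key; keep the file readable by root only.
path certificate "/usr/local/etc/racoon/certs";

remote 192.168.1.156 {
    # IKEv1 main mode; the peer is identified by the subject DN of its certificate.
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key";
    # The peer's certificate is pinned by file and also validated against ca.crt.
    peers_certfile x509 "zima.netcrave.io.crt";
    ca_type x509 "ca.crt";
    verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group 14;
    }
}

remote 192.168.1.13 {
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key";
    peers_certfile x509 "smol.netcrave.io.crt";
    ca_type x509 "ca.crt";
    verify_cert on;
    proposal {
        # NOTE(review): no key length given here, while this peer's swanctl.conf proposes
        # aes256 only for IKE -- confirm both sides agree on the phase 1 key length.
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        # Group 14 is modp2048, which the strongSwan peer also lists.
        dh_group 14;
    }
}

# Phase 2 parameters are scoped per address pair (no "sainfo anonymous"), so each
# peer's proposals are only matched against the block for its own address.
sainfo address 192.168.1.128 any address 192.168.1.156 any {
    pfs_group 14;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    # IPComp (deflate) runs before ESP encrypts, so ciphertext length then depends on plaintext content.
    compression_algorithm deflate;
}

sainfo address 192.168.1.128 any address 192.168.1.13 any {
    pfs_group 14;
    lifetime time 1 hour;
    # NOTE(review): spelled "aes256" here but "aes" in the block above -- confirm racoon accepts
    # this spelling and that the difference is intended (the strongSwan peer proposes
    # aes256-sha256-modp2048 plus its "default" list).
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha256;
    # NOTE(review): the strongSwan peer sets ipcomp = no for this pair; the visible setkey
    # policies for .13 request ESP only, so this line is presumably never used.
    compression_algorithm deflate;
}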
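# rc.conf fragment for zima (192.168.1.156): load the IPsec SPD, run racoon, and bring up the
# gif tunnel to stelleri. Fixes vs. the pasted version: stray table separators (" | |") removed.
# Load the policies from setkey.conf at boot; racoon then negotiates the SAs those policies require.
ipsec_enable=YES
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable=YES
# NOTE(review): gif0 must exist before this line applies; if nothing else creates it,
# add cloned_interfaces="gif0" -- confirm.
# Inner point-to-point pair 192.0.0.0 <-> 192.0.0.1 (192.0.0.0/24 is the IETF Protocol Assignments
# block, not RFC 1918 space). fib 20 keeps inner traffic on its own table; tunnelfib 0 routes the
# outer 192.168.1.x packets via the default table, where the setkey policy covers them.
ifconfig_gif0="inet 192.0.0.0 192.0.0.1 tunnel 192.168.1.156 192.168.1.128 fib 20 tunnelfib 0"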
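# rc.conf fragment for stelleri (192.168.1.128): load the IPsec SPD, run racoon, and bring up one
# gif tunnel per peer. Fixes vs. the pasted version: stray table separators (" | |") removed.
# Load the policies from setkey.conf at boot; racoon then negotiates the SAs those policies require.
ipsec_enable=YES
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable=YES
# NOTE(review): gif0/gif1 must exist before these lines apply; if nothing else creates them,
# add cloned_interfaces="gif0 gif1" -- confirm.
# Both tunnels reuse the same inner pair (192.0.0.1 <-> 192.0.0.0); this presumably relies on each
# sitting in its own fib (20 / 21). tunnelfib 0 routes the outer 192.168.1.x packets via the
# default table, where the setkey policies cover them.
ifconfig_gif0="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.156 fib 20 tunnelfib 0"
ifconfig_gif1="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.13 fib 21 tunnelfib 0"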
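# setkey.conf for zima (192.168.1.156), loaded at boot via ipsec_file in rc.conf.
# Fixes vs. the pasted version: stray table separators (" | |") removed; each two-line
# spdadd entry is one statement terminated by the ";" on its second line.

# Clear the SAD and SPD before loading; any live SAs are dropped on reload.
flush;
spdflush;

# All traffic between the two hosts (including the gif encapsulation) must be ESP and AH in
# transport mode; "require" means packets without a matching SA are not passed in the clear.
# ESP here is already integrity-protected (hmac_sha256 in racoon's sainfo); AH adds a second
# check that also covers the outer IP header, but it will not survive NAT on the path.
spdadd 192.168.1.156 192.168.1.128 any -P out ipsec
    esp/transport//require ah/transport//require;
spdadd 192.168.1.128 192.168.1.156 any -P in ipsec
    esp/transport//require ah/transport//require;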
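# setkey.conf for stelleri (192.168.1.128), loaded at boot via ipsec_file in rc.conf.
# Fixes vs. the pasted version: stray table separators (" | |") removed; each two-line
# spdadd entry is one statement terminated by the ";" on its second line.

# Clear the SAD and SPD before loading; any live SAs are dropped on reload.
flush;
spdflush;

# zima pair: ESP and AH in transport mode, mirroring zima's own policy.
# "require" means packets without a matching SA are not passed in the clear.
spdadd 192.168.1.128 192.168.1.156 any -P out ipsec
    esp/transport//require ah/transport//require;
spdadd 192.168.1.156 192.168.1.128 any -P in ipsec
    esp/transport//require ah/transport//require;

# smol pair: ESP only, matching the strongSwan peer, which configures esp_proposals and no AH.
spdadd 192.168.1.128 192.168.1.13 any -P out ipsec
    esp/transport//require;
spdadd 192.168.1.13 192.168.1.128 any -P in ipsec
    esp/transport//require;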
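# swanctl.conf for smol (192.168.1.13), the strongSwan side of the smol <-> stelleri pair.
# Fixes vs. the pasted version: stray table separators (" | |") removed and indentation
# restored; every setting is otherwise unchanged.
connections {
    netcrave {
        local_addrs = 192.168.1.13
        remote_addrs = 192.168.1.128
        # Must intersect the racoon peer's phase 1 proposal (aes / sha256 / dh_group 14 = modp2048).
        proposals = aes256-sha256-modp2048-modp3072
        # NOTE(review): IKE fragmentation is off; IKEv1 messages carrying certificates can
        # exceed the path MTU -- confirm this was deliberate.
        fragmentation = no
        send_cert = ifasked
        local {
            auth = rsa
            certs = smol.netcrave.io.crt
        }
        remote {
            auth = rsa
            # The peer must present this pinned certificate and match this identity.
            certs = stelleri.netcrave.io.crt
            # NOTE(review): racoon sends the full subject DN (asn1dn); this must equal the
            # certificate's subject, so confirm the cert's subject really is just this CN.
            id = "CN=stelleri.netcrave.io"
        }
        children {
            stelleri {
                # NOTE(review): ",default" appends strongSwan's built-in ESP proposal list as a
                # fallback, which can admit weaker combinations than the one listed first -- confirm
                # that widening is intended.
                esp_proposals = aes256-sha256-modp2048,default
                start_action = start
                local_ts = dynamic
                remote_ts = dynamic
                # No IPComp here, although the racoon peer's sainfo for this host lists deflate.
                ipcomp = no
                mode = transport
                life_time = 3600
            }
        }
        # IKEv1, to interoperate with racoon.
        version = 1
    }
}

secrets {
    # NOTE(review): this subsection name carries none of the key-type prefixes swanctl looks for
    # (e.g. private-smol or rsa-smol); if the key is not also picked up from the swanctl private
    # directory, this entry is never loaded -- confirm.
    smol {
        file = smol.netcrave.io.key
    }
}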
Getting VXLAN to work between host 2 and host 1, on host 2:
# Host 2 (stelleri): raise the underlay and gif MTUs so the VXLAN interface can keep a 1500-byte MTU.
ifconfig ix1 mtu 9000
ifconfig gif0 mtu 2200
# VXLAN id 20 rides over the gif tunnel's inner addresses (192.0.0.1 -> 192.0.0.0), so its UDP
# encapsulation presumably travels inside the ESP/AH transport SA between the two hosts.
# tunnelfib 20 sends the encapsulated packets via the gif's fib (see the note below on the default).
ifconfig vxlan create vxlanid 20 vxlanlocal 192.0.0.1 vxlanremote 192.0.0.0 inet 10.10.99.2/24 fib 20 tunnelfib 20 mtu 1500
host 1:
# Host 1 (zima): same layout, mirrored; the underlay here is wlan0 and the VXLAN end is 10.10.99.1.
ifconfig wlan0 mtu 2290
ifconfig gif0 mtu 2200
# Local/remote VXLAN endpoints are the inverse of host 2's, matching zima's gif0 (inet 192.0.0.0 192.0.0.1).
ifconfig vxlan create vxlanid 20 vxlanlocal 192.0.0.0 vxlanremote 192.0.0.1 inet 10.10.99.1/24 fib 20 tunnelfib 20 mtu 1500
from host1:
setfib -F 20 ping 10.10.99.2
PING 10.10.99.2 (10.10.99.2): 56 data bytes
64 bytes from 10.10.99.2: icmp_seq=0 ttl=64 time=2.867 ms
64 bytes from 10.10.99.2: icmp_seq=1 ttl=64 time=2.877 ms
^C
--- 10.10.99.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.867/2.872/2.877/0.005 ms
on host 2:
➜ stelleri tcpdump -vvv -n -e -ttt -i ix1 src net 192.168.1.156
tcpdump: listening on ix1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:00:00.000000 54:c9:df:5a:fd:07 > 98:b7:85:1e:de:4e, ethertype IPv4 (0x0800), length 246: (tos 0x0, ttl 30, id 37456, offset 0, flags [none], proto AH (51), length 232)
192.168.1.156 > 192.168.1.128: AH(length=5(28-bytes),spi=0x0e03209e,seq=0x244,icv=0x308f9094fd835105ce2538488182a04a): ESP(spi=0x04ca9a19,seq=0x244), length 184
00:00:01.034722 54:c9:df:5a:fd:07 > 98:b7:85:1e:de:4e, ethertype IPv4 (0x0800), length 246: (tos 0x0, ttl 30, id 16706, offset 0, flags [none], proto AH (51), length 232)
192.168.1.156 > 192.168.1.128: AH(length=5(28-bytes),spi=0x0e03209e,seq=0x245,icv=0xdd12ad848f5356003b65bd5a8c42c273): ESP(spi=0x04ca9a19,seq=0x245), length 184
➜ stelleri tcpdump -vvv -n -e -ttt -i vxlan0
tcpdump: listening on vxlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:00:00.000000 58:9c:fc:10:ff:db > 58:9c:fc:10:ff:d7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 23631, offset 0, flags [none], proto ICMP (1), length 84)
10.10.99.1 > 10.10.99.2: ICMP echo request, id 7243, seq 66, length 64
00:00:00.000030 58:9c:fc:10:ff:d7 > 58:9c:fc:10:ff:db, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 171, offset 0, flags [none], proto ICMP (1), length 84)
10.10.99.2 > 10.10.99.1: ICMP echo reply, id 7243, seq 66, length 64
Appears to be working correctly. tunnelfib has to be set explicitly; otherwise it apparently defaults to 0.
Also, to prove that layer 2 over the tunnel is working, from host 1:
...
Interface: vxlan0, via: LLDP, RID: 5, Time: 0 day, 00:19:13
Chassis:
ChassisID: mac 98:b7:85:1e:de:4d
SysName: stelleri.netcrave.network
SysDescr: FreeBSD 14.2-RELEASE-p3 FreeBSD 14.2-RELEASE-p3 FreeBSD 14.2-RELEASE-p3 n269524-1eb03b059e56 STELLERI amd64
MgmtIP: 192.168.1.128
MgmtIface: 2
MgmtIP: fe80::1
MgmtIface: 5
Capability: Bridge, on
Capability: Router, on
Capability: Wlan, off
Capability: Station, off
Port:
PortID: mac 58:9c:fc:10:ff:d7
PortDescr: vxlan0
TTL: 120
PMD autoneg: supported: yes, enabled: yes
MAU oper type: unknown
# Linux laptop (smol, 192.168.1.13), configured through NetworkManager.
nmcli connection modify DaWiFi ethernet.mtu 2304
nmcli connection modify gif0 ethernet.mtu 2200
# NOTE(review): local/remote here equal stelleri's gif1 end (inet 192.0.0.1 192.0.0.0 in its rc.conf);
# on this end one would expect them swapped -- confirm which inner address the laptop's gif0 holds.
nmcli connection add type vxlan ifname vxlan0 id 21 local 192.0.0.1 remote 192.0.0.0
nmcli connection modify vxlan-vxlan0 ipv4.addresses '192.168.96.130/25'
nmcli connection modify vxlan-vxlan0 ipv4.method manual
# Standard VXLAN UDP port. VXLAN has no authentication of its own; the IPsec transport SA to
# 192.168.1.128 is presumably what protects it, so the gif must stay inside that policy.
nmcli connection modify vxlan-vxlan0 vxlan.destination-port 4789
nmcli connection modify vxlan-vxlan0 ethernet.mtu 1280
# Bounce the connection so the modified properties take effect.
nmcli connection down vxlan-vxlan0
nmcli connection up vxlan-vxlan0
On Linux laptop: