All of my IPSEC VPN setup (Racoon & StrongSWAN)
# racoon.conf for zima.netcrave.io (192.168.1.156): IKEv1 main mode to stelleri (192.168.1.128),
# RSA-signature authentication with both ends' certificates pinned by file.
path certificate "/usr/local/etc/racoon/certs";
# Phase 1 (ISAKMP SA) with stelleri.
remote 192.168.1.128 {
# Main mode keeps the identities encrypted; aggressive mode would expose them.
exchange_mode main;
# Both sides identify by certificate subject DN, so the IKE ID is bound to the pinned cert below.
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "zima.netcrave.io.crt" "zima.netcrave.io.key";
# Peer certificate pinned to this exact file and additionally chained to ca.crt (verify_cert on).
peers_certfile x509 "stelleri.netcrave.io.crt";
ca_type x509 "ca.crt";
verify_cert on;
proposal {
# NOTE(review): plain "aes" selects a 128-bit key in racoon; write "aes 256" to pin AES-256.
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method rsasig;
# Group 14 = MODP-2048.
dh_group 14;
}
}
# Phase 2 (IPsec SA) parameters. "anonymous" matches any peer that passed phase 1 and any
# selector; since only the pinned certificate above gets through phase 1 this is acceptable here,
# but a per-address sainfo (as the stelleri config uses) is the tighter form.
sainfo anonymous {
pfs_group 14;
lifetime time 1 hour;
# AES-128-CBC (see note above); the stelleri<->smol SA uses aes256.
encryption_algorithm aes;
authentication_algorithm hmac_sha256;
# NOTE(review): IPComp (deflate) before encryption leaks payload size/compressibility, and the
# strongSwan peer in this gist disables it (ipcomp = no). Consider dropping it.
compression_algorithm deflate;
}
# racoon.conf for stelleri.netcrave.io (192.168.1.128): IKEv1 main mode, RSA-signature
# authentication, two pinned peers — zima (192.168.1.156, racoon) and smol (192.168.1.13, strongSwan).
# Verbose IKE logging; keep disabled outside troubleshooting.
# log debug2;
path certificate "/usr/local/etc/racoon/certs";
# Phase 1 with zima.
remote 192.168.1.156 {
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key";
# Peer pinned to this exact certificate and chained to ca.crt.
peers_certfile x509 "zima.netcrave.io.crt";
ca_type x509 "ca.crt";
verify_cert on;
proposal {
# Plain "aes" is a 128-bit key in racoon (write "aes 256" to pin AES-256); matches zima's proposal.
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method rsasig;
dh_group 14;
}
}
# Phase 1 with smol (strongSwan, IKEv1, proposals = aes256-sha256-modp2048-modp3072).
remote 192.168.1.13 {
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key";
peers_certfile x509 "smol.netcrave.io.crt";
ca_type x509 "ca.crt";
verify_cert on;
proposal {
# NOTE(review): the strongSwan peer offers only aes256 for IKE while this is "aes" (128-bit
# key unless written "aes 256"). Confirm which key length phase 1 actually settles on and pin it.
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method rsasig;
dh_group 14;
}
}
# Phase 2 with zima, per-address (tighter than zima's "sainfo anonymous"): the selector is
# address + upper-layer protocol ("any"); AES-128-CBC, HMAC-SHA-256, PFS group 14, 1 h lifetime.
sainfo address 192.168.1.128 any address 192.168.1.156 any {
pfs_group 14;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha256;
# NOTE(review): IPComp before encryption leaks payload compressibility; consider removing.
compression_algorithm deflate;
}
# Phase 2 with smol: AES-256 here to match strongSwan's esp_proposals = aes256-sha256-modp2048.
sainfo address 192.168.1.128 any address 192.168.1.13 any {
pfs_group 14;
lifetime time 1 hour;
encryption_algorithm aes256;
authentication_algorithm hmac_sha256;
# NOTE(review): the strongSwan peer sets ipcomp = no; if racoon offers only IPComp-bundled
# proposals this SA will not negotiate, so drop deflate here first if the smol link fails to come up.
compression_algorithm deflate;
}
# /etc/rc.conf fragment for zima.netcrave.io (192.168.1.156).
# Load the SPD from setkey.conf at boot, then start racoon for IKE.
ipsec_enable=YES
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable=YES
# gif0: IP-in-IP tunnel to stelleri. Its outer packets (192.168.1.156 <-> .128) fall under the
# transport-mode "any ... require" SPD entries in setkey.conf, so the tunnel rides inside ESP.
# Inner addresses 192.0.0.0/192.0.0.1 are IANA special-purpose space (RFC 6890), not routable on
# the Internet; an RFC 1918 /30 would be the conventional pick. "fib 20" keeps the tunnel's routes
# out of the default table; "tunnelfib 0" makes the outer packets use FIB 0 (the LAN).
ifconfig_gif0="inet 192.0.0.0 192.0.0.1 tunnel 192.168.1.156 192.168.1.128 fib 20 tunnelfib 0"
# /etc/rc.conf fragment for stelleri.netcrave.io (192.168.1.128).
ipsec_enable=YES
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable=YES
# Two gif tunnels whose outer packets are covered by the transport-mode "any ... require" SPD
# entries in setkey.conf, so both ride inside ESP. Both reuse the same inner pair
# 192.0.0.1 <-> 192.0.0.0 (IANA special-purpose space, RFC 6890; a distinct RFC 1918 /30 per
# tunnel would be conventional) and are presumably kept apart only by placing each interface in
# its own FIB (20 / 21) — anything that uses a tunnel (e.g. the vxlan interfaces) must stay in
# the matching FIB. "tunnelfib 0" routes the outer packets via FIB 0.
ifconfig_gif0="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.156 fib 20 tunnelfib 0"
ifconfig_gif1="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.13 fib 21 tunnelfib 0"
# setkey.conf for zima (192.168.1.156): require IPsec for ALL traffic to/from stelleri.
# Clear the SAD and SPD first so stale entries from a previous load do not linger.
flush;
spdflush;
# Transport mode (the gif tunnel supplies the encapsulation). "require" drops traffic instead of
# sending it in clear when no SA exists; IKE itself (UDP/500) relies on racoon bypassing this
# policy on its own socket, so check that first if IKE never comes up.
# NOTE(review): AH stacked on ESP adds a second integrity check but no security once ESP already
# carries hmac_sha256 (see racoon sainfo); AH also breaks under NAT and is only MAY in RFC 8221.
# ESP-only, as the stelleri<->smol policy uses, is the usual choice.
spdadd 192.168.1.156 192.168.1.128 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd 192.168.1.128 192.168.1.156 any -P in ipsec
esp/transport//require ah/transport//require;
# setkey.conf for stelleri (192.168.1.128): require IPsec for ALL traffic with both peers.
flush;
spdflush;
# zima link: ESP + AH in transport mode. AH is redundant next to ESP with hmac_sha256 and fails
# under NAT (RFC 8221 lists it as MAY); ESP-only as below would be the usual choice.
spdadd 192.168.1.128 192.168.1.156 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd 192.168.1.156 192.168.1.128 any -P in ipsec
esp/transport//require ah/transport//require;
# smol link: ESP only, matching what the strongSwan child (mode = transport) negotiates.
spdadd 192.168.1.128 192.168.1.13 any -P out ipsec
esp/transport//require;
spdadd 192.168.1.13 192.168.1.128 any -P in ipsec
esp/transport//require;
# swanctl.conf for smol.netcrave.io (192.168.1.13): IKEv1 to stelleri, the counterpart of the
# racoon "remote 192.168.1.13" block above.
connections {
netcrave {
local_addrs = 192.168.1.13
remote_addrs = 192.168.1.128
# IKE SA: AES-256-CBC, HMAC-SHA-256 (integrity + PRF), DH group 14 or 15.
# NOTE(review): racoon's phase-1 proposal is plain "aes" (128-bit key unless written "aes 256");
# confirm which key length the IKE SA actually settles on.
proposals = aes256-sha256-modp2048-modp3072
fragmentation = no
send_cert = ifasked
local {
auth = rsa
# Loaded from swanctl's x509/ directory; the matching private key is in "secrets" below.
certs = smol.netcrave.io.crt
}
remote {
auth = rsa
# Peer cert pinned by file, and the peer's presented IKE ID must equal this DN. racoon sends
# its full certificate subject (peers_identifier asn1dn), so if that subject carries more
# RDNs than just CN this match fails — keep the two in sync.
certs = stelleri.netcrave.io.crt
id = "CN=stelleri.netcrave.io"
}
children {
stelleri {
# aes256-sha256 with PFS group 14 first; "default" appends strongSwan's built-in default ESP
# proposal as a fallback, which is weaker than the first entry. The racoon peer's sainfo is
# aes256/hmac_sha256 anyway, so the fallback can be dropped if AES-256 is the requirement.
esp_proposals = aes256-sha256-modp2048,default
start_action = start
# Transport mode with dynamic selectors: protect everything between the two hosts, which is
# what stelleri's setkey "any ... require" entries expect for the gif tunnel.
local_ts = dynamic
remote_ts = dynamic
# The racoon peer still proposes deflate (compression_algorithm); IPComp only comes up if both
# sides agree, so this keeps it off — confirm the SA still negotiates.
ipcomp = no
mode = transport
# NOTE(review): life_time is the HARD lifetime. rekey_time is not set and defaults to the same
# 3600 s, which leaves no margin to rekey before the SA expires. Set rekey_time explicitly
# (e.g. rekey_time = 3300) or use rekey_time instead of life_time here.
life_time = 3600
}
}
# IKEv1, required to interoperate with racoon.
version = 1
}
}
secrets {
# NOTE(review): swanctl recognises secret subsections by name prefix (private-*, rsa-*, pkcs8-*,
# ...); a bare "smol" is probably ignored. If the key already sits in swanctl's private/
# directory it is loaded from there regardless; otherwise rename this section to "private-smol".
smol {
file = smol.netcrave.io.key
}
}

paigeadelethompson commented May 21, 2025

Getting VXLAN to work between host 2 (stelleri, 192.168.1.128) and host 1 (zima, 192.168.1.156). The VXLAN endpoints are the gif0 inner addresses, so the overlay rides inside the gif tunnel that the transport-mode IPsec policy above protects. On host 2:

# host 2 (stelleri): raise MTUs from the outside in so the VXLAN payload is not fragmented.
# ix1 is the physical NIC (jumbo frames), gif0 the IP-in-IP tunnel carried inside IPsec, vxlan0 the
# L2 overlay; the headroom absorbs VXLAN (50 B) + gif/IP (20 B) + ESP/AH overhead.
ifconfig ix1 mtu 9000
ifconfig gif0 mtu 2200
# VNI 20; local/remote are gif0's inner addresses (192.0.0.1 here, .0 on zima), so the VXLAN UDP
# (4789 by default on FreeBSD) is only ever sent through the encrypted tunnel — VXLAN has no
# authentication of its own. fib 20 + tunnelfib 20 keep the overlay and its outer lookups in gif0's FIB.
ifconfig vxlan create vxlanid 20 vxlanlocal 192.0.0.1 vxlanremote 192.0.0.0 inet 10.10.99.2/24 fib 20 tunnelfib 20 mtu 1500

host 1:

# host 1 (zima): same layering as host 2. wlan0 is the underlying Wi-Fi NIC; 2290 leaves 90 bytes
# around the 2200-byte gif MTU for the outer IP, ESP and AH headers.
ifconfig wlan0 mtu 2290
ifconfig gif0 mtu 2200
# VNI 20; local/remote are this side's gif0 inner addresses (192.0.0.0 here, .1 on stelleri),
# overlay address 10.10.99.1/24. Kept in FIB 20 end to end, matching gif0.
ifconfig vxlan create vxlanid 20 vxlanlocal 192.0.0.0 vxlanremote 192.0.0.1 inet 10.10.99.1/24 fib 20 tunnelfib 20 mtu 1500

from host1:

# The overlay lives in FIB 20, so the probe has to be issued from that FIB.
setfib -F 20 ping 10.10.99.2
PING 10.10.99.2 (10.10.99.2): 56 data bytes
64 bytes from 10.10.99.2: icmp_seq=0 ttl=64 time=2.867 ms
64 bytes from 10.10.99.2: icmp_seq=1 ttl=64 time=2.877 ms
^C
--- 10.10.99.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.867/2.872/2.877/0.005 ms

on host 2 — on the physical interface ix1 only AH/ESP from zima is visible, while the cleartext ICMP shows up only on vxlan0 after decryption and decapsulation:

➜  stelleri tcpdump -vvv -n -e -ttt -i ix1 src net 192.168.1.156                                                          
tcpdump: listening on ix1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 54:c9:df:5a:fd:07 > 98:b7:85:1e:de:4e, ethertype IPv4 (0x0800), length 246: (tos 0x0, ttl 30, id 37456, offset 0, flags [none], proto AH (51), length 232)
    192.168.1.156 > 192.168.1.128: AH(length=5(28-bytes),spi=0x0e03209e,seq=0x244,icv=0x308f9094fd835105ce2538488182a04a): ESP(spi=0x04ca9a19,seq=0x244), length 184
 00:00:01.034722 54:c9:df:5a:fd:07 > 98:b7:85:1e:de:4e, ethertype IPv4 (0x0800), length 246: (tos 0x0, ttl 30, id 16706, offset 0, flags [none], proto AH (51), length 232)
    192.168.1.156 > 192.168.1.128: AH(length=5(28-bytes),spi=0x0e03209e,seq=0x245,icv=0xdd12ad848f5356003b65bd5a8c42c273): ESP(spi=0x04ca9a19,seq=0x245), length 184
    
➜  stelleri tcpdump -vvv -n -e -ttt -i vxlan0                   
tcpdump: listening on vxlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 58:9c:fc:10:ff:db > 58:9c:fc:10:ff:d7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 23631, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.99.1 > 10.10.99.2: ICMP echo request, id 7243, seq 66, length 64
 00:00:00.000030 58:9c:fc:10:ff:d7 > 58:9c:fc:10:ff:db, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 171, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.99.2 > 10.10.99.1: ICMP echo reply, id 7243, seq 66, length 64

This appears to be working correctly. Note that `tunnelfib` must be set explicitly on the vxlan interface: without it the encapsulated (outer) lookups apparently default to FIB 0, while the gif inner addresses 192.0.0.x are only reachable through the routes in FIB 20.

To also confirm that layer 2 is really carried over the tunnel, host 1's LLDP neighbour listing (lldpctl-style output) shows host 2's advertisement arriving on vxlan0:

...
Interface:    vxlan0, via: LLDP, RID: 5, Time: 0 day, 00:19:13
  Chassis:     
    ChassisID:    mac 98:b7:85:1e:de:4d
    SysName:      stelleri.netcrave.network
    SysDescr:     FreeBSD 14.2-RELEASE-p3 FreeBSD 14.2-RELEASE-p3 FreeBSD 14.2-RELEASE-p3 n269524-1eb03b059e56 STELLERI amd64
    MgmtIP:       192.168.1.128
    MgmtIface:    2
    MgmtIP:       fe80::1
    MgmtIface:    5
    Capability:   Bridge, on
    Capability:   Router, on
    Capability:   Wlan, off
    Capability:   Station, off
  Port:        
    PortID:       mac 58:9c:fc:10:ff:d7
    PortDescr:    vxlan0
    TTL:          120
    PMD autoneg:  supported: yes, enabled: yes
      MAU oper type: unknown


paigeadelethompson commented May 21, 2025

# Linux peer configured through NetworkManager. The comment does not say which host this is;
# the id 21 parallels the fib 21 stelleri uses for its gif1 link to smol in rc.conf above.
# 2304 is the 802.11 MSDU maximum; "gif0" is presumably an ipip-style tunnel connection named to
# mirror the FreeBSD side.
nmcli connection modify DaWiFi ethernet.mtu 2304
nmcli connection modify gif0 ethernet.mtu 2200
# NOTE(review): local 192.0.0.1 / remote 192.0.0.0 is the same orientation as stelleri's own gif1
# ("inet 192.0.0.1 192.0.0.0"); on the far end one would expect them the other way round —
# verify against this host's tunnel addresses. As on FreeBSD, using the tunnel-inner addresses is
# what keeps the unauthenticated VXLAN traffic inside the IPsec-protected tunnel.
nmcli connection add type vxlan ifname vxlan0 id 21 local 192.0.0.1 remote 192.0.0.0
nmcli connection modify vxlan-vxlan0 ipv4.addresses '192.168.96.130/25'    
nmcli connection modify vxlan-vxlan0 ipv4.method manual
# Linux's historical VXLAN default port is 8472; FreeBSD's vxlan(4) uses the IANA port 4789, so
# this must be set explicitly for the two to interoperate.
nmcli connection modify vxlan-vxlan0 vxlan.destination-port 4789
nmcli connection modify vxlan-vxlan0 ethernet.mtu 1280
nmcli connection down vxlan-vxlan0     
nmcli connection up vxlan-vxlan0
