Last active
May 21, 2025 16:01
-
-
Save paigeadelethompson/53c2818532150b298c36597c0906015e to your computer and use it in GitHub Desktop.
All of my IPSEC VPN setup (Racoon & StrongSWAN)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| path certificate "/usr/local/etc/racoon/certs"; | |
| remote 192.168.1.128 { | |
| exchange_mode main; | |
| my_identifier asn1dn; | |
| peers_identifier asn1dn; | |
| certificate_type x509 "zima.netcrave.io.crt" "zima.netcrave.io.key"; | |
| peers_certfile x509 "stelleri.netcrave.io.crt"; | |
| ca_type x509 "ca.crt"; | |
| verify_cert on; | |
| proposal { | |
| encryption_algorithm aes; | |
| hash_algorithm sha256; | |
| authentication_method rsasig; | |
| dh_group 14; | |
| } | |
| } | |
| sainfo anonymous { | |
| pfs_group 14; | |
| lifetime time 1 hour; | |
| encryption_algorithm aes; | |
| authentication_algorithm hmac_sha256; | |
| compression_algorithm deflate; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # log debug2; | |
| path certificate "/usr/local/etc/racoon/certs"; | |
| remote 192.168.1.156 { | |
| exchange_mode main; | |
| my_identifier asn1dn; | |
| peers_identifier asn1dn; | |
| certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key"; | |
| peers_certfile x509 "zima.netcrave.io.crt"; | |
| ca_type x509 "ca.crt"; | |
| verify_cert on; | |
| proposal { | |
| encryption_algorithm aes; | |
| hash_algorithm sha256; | |
| authentication_method rsasig; | |
| dh_group 14; | |
| } | |
| } | |
| remote 192.168.1.13 { | |
| exchange_mode main; | |
| my_identifier asn1dn; | |
| peers_identifier asn1dn; | |
| certificate_type x509 "stelleri.netcrave.io.crt" "stelleri.netcrave.io.key"; | |
| peers_certfile x509 "smol.netcrave.io.crt"; | |
| ca_type x509 "ca.crt"; | |
| verify_cert on; | |
| proposal { | |
| encryption_algorithm aes; | |
| hash_algorithm sha256; | |
| authentication_method rsasig; | |
| dh_group 14; | |
| } | |
| } | |
| sainfo address 192.168.1.128 any address 192.168.1.156 any { | |
| pfs_group 14; | |
| lifetime time 1 hour; | |
| encryption_algorithm aes; | |
| authentication_algorithm hmac_sha256; | |
| compression_algorithm deflate; | |
| } | |
| sainfo address 192.168.1.128 any address 192.168.1.13 any { | |
| pfs_group 14; | |
| lifetime time 1 hour; | |
| encryption_algorithm aes256; | |
| authentication_algorithm hmac_sha256; | |
| compression_algorithm deflate; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ipsec_enable=YES | |
| ipsec_program="/usr/local/sbin/setkey" | |
| ipsec_file="/usr/local/etc/racoon/setkey.conf" | |
| racoon_enable=YES | |
| ifconfig_gif0="inet 192.0.0.0 192.0.0.1 tunnel 192.168.1.156 192.168.1.128 fib 20 tunnelfib 0" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ipsec_enable=YES | |
| ipsec_program="/usr/local/sbin/setkey" | |
| ipsec_file="/usr/local/etc/racoon/setkey.conf" | |
| racoon_enable=YES | |
| ifconfig_gif0="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.156 fib 20 tunnelfib 0" | |
| ifconfig_gif1="inet 192.0.0.1 192.0.0.0 tunnel 192.168.1.128 192.168.1.13 fib 21 tunnelfib 0" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| flush; | |
| spdflush; | |
| spdadd 192.168.1.156 192.168.1.128 any -P out ipsec | |
| esp/transport//require ah/transport//require; | |
| spdadd 192.168.1.128 192.168.1.156 any -P in ipsec | |
| esp/transport//require ah/transport//require; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| flush; | |
| spdflush; | |
| spdadd 192.168.1.128 192.168.1.156 any -P out ipsec | |
| esp/transport//require ah/transport//require; | |
| spdadd 192.168.1.156 192.168.1.128 any -P in ipsec | |
| esp/transport//require ah/transport//require; | |
| spdadd 192.168.1.128 192.168.1.13 any -P out ipsec | |
| esp/transport//require; | |
| spdadd 192.168.1.13 192.168.1.128 any -P in ipsec | |
| esp/transport//require; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| connections { | |
| netcrave { | |
| local_addrs = 192.168.1.13 | |
| remote_addrs = 192.168.1.128 | |
| proposals = aes256-sha256-modp2048-modp3072 | |
| fragmentation = no | |
| send_cert = ifasked | |
| local { | |
| auth = rsa | |
| certs = smol.netcrave.io.crt | |
| } | |
| remote { | |
| auth = rsa | |
| certs = stelleri.netcrave.io.crt | |
| id = "CN=stelleri.netcrave.io" | |
| } | |
| children { | |
| stelleri { | |
| esp_proposals = aes256-sha256-modp2048,default | |
| start_action = start | |
| local_ts = dynamic | |
| remote_ts = dynamic | |
| ipcomp = no | |
| mode = transport | |
| life_time = 3600 | |
| } | |
| } | |
| version = 1 | |
| } | |
| } | |
| secrets { | |
| smol { | |
| file = smol.netcrave.io.key | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.