If you need to add encryption on top of VXLAN, it's possible to do so with IPsec through strongswan. You'll need to reduce the MTU by 60 bytes (IPv4) or 80 bytes (IPv6) to make room for the encryption overhead.

So with the default real MTU of 1500, you need to use an MTU of 1370 (1370 + 80 (IPsec) + 50 (VXLAN) == 1500).
Install strongswan.
apt install strongswan
Add the following configuration to '/etc/ipsec.conf'. Only traffic on the VXLAN UDP port 4789 needs to be encrypted:

conn %default
    ike=aes256-sha1-modp1024!  # the fastest, but reasonably secure cipher on modern HW
    esp=aes256-sha1!
    leftfirewall=yes           # this is necessary when using Proxmox VE firewall rules

conn output
    rightsubnet=%dynamic[udp/4789]
    right=%any
    type=transport
    authby=psk
    auto=route

conn input
    leftsubnet=%dynamic[udp/4789]
    type=transport
    authby=psk
    auto=route
Then generate a pre-shared key with

openssl rand -base64 128

and copy the key into '/etc/ipsec.secrets' so that the file content looks like:

: PSK <generatedbase64key>

You need to copy the PSK and the config to the other nodes as well; every node in the VXLAN zone must have the same '/etc/ipsec.conf' and '/etc/ipsec.secrets'.