12.9. Notes

If you need to add encryption on top of VXLAN, it’s possible to do so with IPsec through strongSwan. You’ll need to reduce the MTU by 60 bytes (IPv4) or 80 bytes (IPv6) to handle encryption.

So with the default physical MTU of 1500, you need to use an MTU of 1370 (1370 + 80 (IPsec) + 50 (VXLAN) == 1500).

Install strongSwan.

apt install strongswan

Add the configuration to ‘/etc/ipsec.conf’. Only traffic on the VXLAN UDP port 4789 needs to be encrypted.

conn %default
    ike=aes256-sha1-modp1024!  # the fastest, but reasonably secure cipher on modern HW
    esp=aes256-sha1!
    leftfirewall=yes           # this is necessary when using Proxmox VE firewall rules

conn output
    rightsubnet=%dynamic[udp/4789]
    right=%any
    type=transport
    authby=psk
    auto=route

conn input
    leftsubnet=%dynamic[udp/4789]
    type=transport
    authby=psk
    auto=route

Then generate a pre-shared key with

openssl rand -base64 128

and copy the key into ‘/etc/ipsec.secrets’ so that the file content looks like:

: PSK <generatedbase64key>

You need to copy the PSK and the configuration to the other nodes.
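The steps above, gathered into a small helper script. This is an added example and not part of the Proxmox documentation or of strongSwan; it assumes the overhead figures the page quotes (50 bytes for VXLAN, 60 bytes IPsec for IPv4, 80 bytes for IPv6) and a Debian-style host that has openssl or /dev/urandom. The function names are the example's own. It goes slightly beyond the page in two ways: it derives the IPv4 figure as well as the IPv6 one, and it writes ‘ipsec.secrets’ with mode 0600 so the PSK is readable by root only, then checks the file before you copy it to the other nodes.

```shell
#!/bin/sh
# Added example (not from the Proxmox docs): compute the VXLAN MTU that leaves
# room for IPsec, generate a PSK the way the page does, and write/check the
# ipsec.secrets file with root-only permissions.
# Assumed overhead values, as quoted on the page: 50 bytes VXLAN encapsulation,
# 60 bytes IPsec transport mode over IPv4, 80 bytes over IPv6.

VXLAN_OVERHEAD=50

# vxlan_ipsec_mtu PHYS_MTU IPVER -> prints the MTU to configure on the VXLAN zone
vxlan_ipsec_mtu() {
    phys="$1"; ipver="$2"
    case "$ipver" in
        4) ipsec_overhead=60 ;;
        6) ipsec_overhead=80 ;;
        *) echo "unknown IP version: $ipver" >&2; return 1 ;;
    esac
    echo $((phys - ipsec_overhead - VXLAN_OVERHEAD))
}

# gen_psk -> prints 128 random bytes as one base64 line. Uses openssl as the page
# does; openssl wraps its output at 64 columns, so the newlines are removed.
# Falls back to /dev/urandom when openssl is not installed.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 128 | tr -d '\n'
    else
        head -c 128 /dev/urandom | base64 | tr -d '\n'
    fi
}

# write_secrets FILE PSK -> writes the ": PSK <key>" line to FILE.
# The subshell umask makes the file 0600 from the moment it is created, so the
# key is never briefly world-readable; chmod covers a pre-existing file.
write_secrets() {
    file="$1"; psk="$2"
    ( umask 077; printf ': PSK %s\n' "$psk" > "$file" )
    chmod 600 "$file"
}

# check_secrets FILE -> returns 0 only if FILE holds exactly one well-formed
# PSK line (base64 alphabet, at least 40 characters) and is mode 600.
check_secrets() {
    file="$1"
    [ "$(wc -l < "$file")" -eq 1 ] || return 1
    grep -q '^: PSK [A-Za-z0-9+/=]\{40,\}$' "$file" || return 1
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = "600" ] || return 1
}

# Usage (as root on the first node):  sh this_script.sh run [PHYS_MTU] [IPVER]
# Prints the MTU to set on the VXLAN zone and writes /etc/ipsec.secrets.
if [ "${1:-}" = "run" ]; then
    echo "VXLAN zone MTU: $(vxlan_ipsec_mtu "${2:-1500}" "${3:-6}")"
    write_secrets /etc/ipsec.secrets "$(gen_psk)"
    check_secrets /etc/ipsec.secrets && echo "/etc/ipsec.secrets written (mode 600)"
fi
```

Run it once on the first node, then copy the resulting ‘/etc/ipsec.secrets’ together with ‘/etc/ipsec.conf’ to the other nodes; running it again elsewhere would generate a different key and the tunnels would not come up.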