sacha, 29/07/2018 22:43


Configuration of a Libre Hosting

aka IPSec between OPNSense and OpenBSD

Who we are

Aquilenet is a non-profit organisation and a "do it yourself ISP", member of a federation of similar ISPs in France called FFDN. We are net neutrality builders, working for more freedom and building networks using and contributing to Libre Software.
We provide xDSL, VPN and, we hope, soon fiber accesses, plus a lot of services for our members (mail, Nextcloud, hosting, VPS...) and for others: searx, Etherpad, Pastebin, PeerTube, ...

The need: create a Libre-format hosting in our cool local space called "la mezzanine".

To allow the members of our non-profit organisation to put the hardware they want (like a NUC, a Raspberry Pi, a tower, etc.) in our Libre hosting space called "la mezzanine", with a public IPv4 and IPv6 from our ASN, we need to announce our IPs from another place than our datacenter.

How we do it

We have to tunnel all the network traffic from the Libre Hosting to the Internet and vice versa. We first tried OpenVPN, but the userland application uses too many resources for the needed bandwidth (200 Mbps).
This IP range will be routed over IPsec to our ASN's BGP announcement point in our datacenter, which will then route it to the Libre Hosting.

In our Libre Hosting we have an OPNsense firewall, and in our datacenter 2 clustered OpenBSD hosts.

Check this logical graphic:

  • Cerbere1:

/etc/ipsec.conf

ike passive esp from any to 185.233.102.128/26 \
    peer 92.154.99.130 \
    main group modp2048 \
    psk "01d8fb1bd7cd1a0318cadf21ee23b32bab4107af"

flow esp from any to 185.233.102.128/26 peer 92.154.99.130
flow esp from any to 2a0c:e300:12::/48 peer 92.154.99.130

chmod 500 /etc/ipsec.conf

Start the tunnel:

isakmpd -K

ipsecctl -f /etc/ipsec.conf

Check the configuration:

ipsecctl -sa

sh -c "echo S > /var/run/isakmpd.fifo"

less /var/run/isakmpd.result

Flush the IPsec rules:

ipsecctl -F

Debug:

isakmpd -d -DA=70 -K

Add the route:

route add 185.233.102.129/26 185.233.100.124

  • Cerbere11 config

-> Configuration 1: performance

  • AES_CBC_256/HMAC_SHA2_512_256/MODP_8192

  • Cerbere11

last pid: 45038; load averages: 0.27, 0.34, 0.31 up 0+00:56:47 19:07:15

49 processes: 1 running, 48 sleeping

CPU 0: 3.9% user, 0.0% nice, 0.8% system, 3.1% interrupt, 92.1% idle

CPU 1: 1.2% user, 0.0% nice, 0.0% system, 6.3% interrupt, 92.5% idle

CPU 2: 0.4% user, 0.0% nice, 0.0% system, 21.3% interrupt, 78.3% idle

CPU 3: 5.9% user, 0.0% nice, 0.0% system, 2.4% interrupt, 91.7% idle

Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free

  • Cerbere1

load averages: 1.18, 0.95, 0.74 cerbere1.aquilenet.fr 19:08:23

43 processes: 1 starting, 40 idle, 1 dead, 1 on processor up 3 days, 18:40 up 3 days, 19:21

CPU0 states: 0.2% user, 0.0% nice, 2.8% system, 7.4% interrupt, 89.6% idle

CPU1 states: 0.0% user, 0.0% nice, 22.4% system, 0.0% interrupt, 77.6% idle

CPU2 states: 0.0% user, 0.0% nice, 20.2% system, 0.0% interrupt, 79.8% idle

CPU3 states: 0.0% user, 0.0% nice, 10.8% system, 0.0% interrupt, 89.2% idle

Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M

  • bandwidth

MTU

Linux: ping -M do -s 1172 185.233.102.130 => OK

Linux: iperf3 -c 185.233.102.130 -M 1160 => OK

Linux: ping -M do -s 1173 185.233.102.130 => NOK

Linux: iperf3 -c 185.233.102.130 -M 1161 => NOK
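To turn the two boundaries above (largest DF ping payload 1172, largest iperf3 MSS 1160) into the path MTU and the TCP MSS, and to bisect that boundary automatically instead of by hand, here is an added Python example that is not part of the original page; the ping_probe helper and the Linux ping flags it wraps are assumptions, the simulated probe replays the page's result offline.

```python
import subprocess
from typing import Callable

IPV4_HEADER = 20   # bytes, no options
ICMP_HEADER = 8    # echo request header
TCP_HEADER = 20    # bytes, no options

def mtu_from_ping_payload(payload: int) -> int:
    """Largest ICMP data size that passes with DF set -> path MTU."""
    return payload + IPV4_HEADER + ICMP_HEADER

def mss_from_mtu(mtu: int) -> int:
    """TCP MSS that still fits the path MTU (what iperf3 -M must stay below)."""
    return mtu - IPV4_HEADER - TCP_HEADER

def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Bisect the largest payload for which probe(size) succeeds.

    Assumes the probe is monotone: once a size fails, all larger sizes fail.
    hi=1472 is the payload of a full 1500-byte Ethernet frame."""
    if not probe(lo):
        raise ValueError("even the smallest probe fails; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def ping_probe(host: str) -> Callable[[int], bool]:
    """Hypothetical helper: one Linux ping with DF set, as on the page (ping -M do -s SIZE HOST)."""
    def probe(size: int) -> bool:
        r = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(size), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return probe

def simulated_probe(limit: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: succeeds up to the page's observed 1172-byte limit."""
    return lambda size: size <= limit

if __name__ == "__main__":
    payload = find_max_payload(simulated_probe(1172))   # use ping_probe("185.233.102.130") live
    mtu = mtu_from_ping_payload(payload)
    print(f"max payload {payload} -> path MTU {mtu} -> TCP MSS {mss_from_mtu(mtu)}")
```

With the page's numbers this gives MTU 1200 and MSS 1160, which matches the iperf3 -M 1160/1161 boundary observed above.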

  • netcat that echoes back:
    socat TCP4-LISTEN:4444,fork EXEC:cat

Updated by sacha more than 5 years ago · 1 revision