Librehosting » Historique » Version 11

sacha, 01/08/2018 19:45

# Configuration of a Libre Hosting

i.e. IPSec between OPNsense and OpenBSD, so that IP space from our ASN can be used from any site served by a third-party ISP.
## Who we are

Aquilenet is a non-profit organisation founded in 2010 and a "do it yourself" ISP, member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks using, and contributing to, Libre Software.
We provide xDSL and VPN access (and, we hope, fibre soon), plus a lot of services for our members (mail, Nextcloud, hosting, VPS...) and for everyone: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...


## The need: a Libre hosting space in our local premises, called "la mezzanine"

To let the members of our non-profit put whatever hardware they want (a NUC, a Raspberry Pi, a tower...) in our Libre hosting space, "la mezzanine", with a public IPv4 and IPv6 address from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need our IPs to be reachable at a site other than our datacenter, where they are announced.


## How we do it

We have to tunnel all traffic between the Libre hosting and the Internet, in both directions. We first tried OpenVPN, but being a userland application it used too many resources for the bandwidth we need (200 Mbps).

The hosting's IP range is routed over IPSec to the point where our ASN is announced in BGP, in our datacenter, which then routes it on to the Libre hosting.

At the Libre hosting we have an OPNsense firewall, and in our datacenter two clustered OpenBSD routers.

A diagram to illustrate this:

![](https://atelier.aquilenet.fr/attachments/download/550/Aquilenet-IPSec-Logical_Scheme.png)

### OpenBSD configuration

We write OpenBSD's IPSec configuration with two phase 2 tunnels, one for IPv4 and one for IPv6. Note that the `ike` rule below only describes the IPv4 /26; to control the proposals used for the IPv6 /48 as well, give it its own `ike` rule with the same peer and the same phase 1 settings.

`/etc/ipsec.conf`:

~~~
# Phase 1 in main mode with a 2048-bit MODP group and a pre-shared key.
# "passive": this side only answers, the OPNsense side initiates.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "mysupersecurepass"

# Flows: everything to the hosting prefixes goes through the tunnel to the OPNsense peer.
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~
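A fuller version of the same file, added here as an example and not the page's own configuration: it gives the IPv6 prefix its own `ike` rule, so that both address families are negotiated with the same peer and with explicit phase 1 and phase 2 proposals instead of isakmpd's defaults. The prefixes (documentation ranges), the macro names, the proposals (aes-256, hmac-sha2-256, modp2048) and the PSK placeholder are assumptions; they must match what is configured on the OPNsense side.

```conf
# /etc/ipsec.conf on the datacenter OpenBSD side (added example, not the page's file).
# Documentation prefixes as placeholders: replace with the real ranges and peer.
LIBRE_HOSTING_PUB_IP_V4 = "192.0.2.0"
LIBRE_HOSTING_PUB_IP_V6 = "2001:db8:1::"
OPNSENSE_PUBLIC_IP      = "203.0.113.10"

# IPv4 prefix. Phase 1 (main) and phase 2 (quick) proposals are spelled out so
# that nothing weaker is negotiated; "passive" means this side never initiates.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPNSENSE_PUBLIC_IP \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "replace-with-a-long-random-secret"

# IPv6 prefix: same peer, same phase 1, its own phase 2 (the second "tunnel").
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 \
    peer $OPNSENSE_PUBLIC_IP \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "replace-with-a-long-random-secret"
```

With `ike` rules in place isakmpd installs the flows itself, so the separate `flow` lines are not required (they are harmless if kept). `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, a cheap check before `ipsecctl -f`.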

The file holds the PSK, so make it readable by root only:

~~~
chmod 600 /etc/ipsec.conf
~~~

Launch the tunnel: start isakmpd with `-K` (no KeyNote policy checking, the usual mode when the rules come from ipsecctl), then load the rules:

~~~
isakmpd -K
ipsecctl -f /etc/ipsec.conf
~~~

To make it permanent, add this to /etc/rc.conf.local:

~~~
isakmpd_flags="-K"
ipsec_rules=/etc/ipsec.conf
ipsec=YES
~~~

Check what is loaded in the kernel (flows and SAs):

~~~
ipsecctl -sa
~~~

Ask isakmpd for a status report: writing `S` to its control FIFO makes it dump its state to /var/run/isakmpd.result:

~~~
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~

Or, while bringing the tunnel up, run isakmpd in the foreground with all debug classes at level 70 (stop the running daemon first):

~~~
isakmpd -d -DA=70 -K
~~~

Show the IPSec flows (the kernel's SPD):

~~~
ipsecctl -s flow
~~~

Note that `ipsecctl -F` does not show anything: it flushes all flows and SAs and tears the tunnel down until the rules are loaded again.

## OPNsense configuration

Phase 2 and phase 1 settings on the OPNsense side:

![](IPSec-Phase2_Conf1.png) ![](IPSec-Phase1_Conf1.png)

### Configuration 1: performance

  - Proposal: AES_CBC_256/HMAC_SHA2_512_256/MODP_8192

  - Cerbere11 (FreeBSD `top` output, i.e. the OPNsense side) during the transfer:

~~~
last pid: 45038;  load averages:  0.27,  0.34,  0.31    up 0+00:56:47  19:07:15
49 processes:  1 running, 48 sleeping
CPU 0:  3.9% user,  0.0% nice,  0.8% system,  3.1% interrupt, 92.1% idle
CPU 1:  1.2% user,  0.0% nice,  0.0% system,  6.3% interrupt, 92.5% idle
CPU 2:  0.4% user,  0.0% nice,  0.0% system, 21.3% interrupt, 78.3% idle
CPU 3:  5.9% user,  0.0% nice,  0.0% system,  2.4% interrupt, 91.7% idle
Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free
~~~

  - Cerbere1 (OpenBSD `top` output, one of the datacenter routers) during the transfer:

~~~
load averages:  1.18,  0.95,  0.74                cerbere1.aquilenet.fr 19:08:23
43 processes: 1 starting, 40 idle, 1 dead, 1 on processor          up 3 days, 18:40
CPU0 states:  0.2% user,  0.0% nice,  2.8% system,  7.4% interrupt, 89.6% idle
CPU1 states:  0.0% user,  0.0% nice, 22.4% system,  0.0% interrupt, 77.6% idle
CPU2 states:  0.0% user,  0.0% nice, 20.2% system,  0.0% interrupt, 79.8% idle
CPU3 states:  0.0% user,  0.0% nice, 10.8% system,  0.0% interrupt, 89.2% idle
Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M
~~~

  - Bandwidth:

![](IPSec_BW1.png)

### MTU

Path MTU through the tunnel, probed from a Linux host with the DF bit set (`ping -M do`; `-s` is the ICMP payload size) and with a fixed TCP MSS (`iperf3 -M`):

~~~
ping -M do -s 1172 185.233.102.130   => OK
iperf3 -c 185.233.102.130 -M 1160    => OK
ping -M do -s 1173 185.233.102.130   => NOK
iperf3 -c 185.233.102.130 -M 1161    => NOK
~~~

Both measurements agree on a path MTU of 1200 bytes: 1172 bytes of ICMP payload plus 8 bytes of ICMP header and 20 bytes of IPv4 header, and a 1160-byte MSS plus 20 bytes of TCP header and 20 bytes of IPv4 header.

  - A TCP echo server for these tests, with socat:

~~~
socat TCP4-LISTEN:4444,fork EXEC:cat
~~~
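The manual probes above bracket the path MTU between a 1172- and a 1173-byte ICMP payload. The script below, added here as an example and not part of the original page, generalises that to a binary search: it finds the largest payload a DF-flagged ping still gets through, converts it to a path MTU and derives the TCP MSS to use with `iperf3 -M` (or as the MSS clamp value on the tunnel firewall). It assumes Linux ping flags (`-M do`, `-s`, `-W`) and IPv4, and it takes the probe as a function argument so the search can be exercised against a fake probe; the 198.51.100.1 address in the comments is a placeholder.

```sh
#!/bin/sh
# Added example (not from the page): binary-search the path MTU through the
# tunnel with DF-bit pings instead of probing sizes one by one.
# Overheads: 8 bytes ICMP + 20 bytes IPv4 for ping; 20 TCP + 20 IPv4 for MSS.

ICMP_OVERHEAD=28
TCP_OVERHEAD=40

# probe_ping HOST PAYLOAD: 0 if one DF ping with that payload is answered within 2 s.
# Replace with a TCP-based probe if ICMP is filtered on the path.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST LO HI [PROBE]: largest payload in [LO,HI] that PROBE accepts,
# printed as a path MTU. PROBE defaults to probe_ping; any function with the
# same (HOST PAYLOAD) interface can be substituted, e.g. for testing.
# Returns 1 and prints nothing if even LO is not accepted.
find_pmtu() {
    host=$1; lo=$2; hi=$3; probe=${4:-probe_ping}
    "$probe" "$host" "$lo" || return 1
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))      # fits: look for something larger
        else
            hi=$((mid - 1))                 # too big: shrink
        fi
    done
    echo $((best + ICMP_OVERHEAD))
}

# mss_for_mtu MTU: the TCP MSS matching that path MTU (no TCP options assumed).
mss_for_mtu() {
    echo $(( $1 - TCP_OVERHEAD ))
}

# When run as pmtu.sh, probe the target (default: the address used in the page's tests).
if [ "${0##*/}" = "pmtu.sh" ]; then
    target=${1:-185.233.102.130}
    mtu=$(find_pmtu "$target" 500 1500) || { echo "no answer from $target" >&2; exit 1; }
    echo "path MTU to $target: $mtu bytes, use MSS $(mss_for_mtu "$mtu")"
fi
```

Against the page's numbers, a probe that answers up to a 1172-byte payload makes `find_pmtu` return 1200 and `mss_for_mtu` 1160, matching the iperf3 results; clamping the MSS to that value on the OPNsense side spares hosts behind it from relying on path MTU discovery working end to end.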