
Revision 10 (sacha, 01/08/2018 19:35) → Revision 11/44 (sacha, 01/08/2018 19:45)

# Configuration of a Libre Hosting

aka IPSec between OPNSense and OpenBSD, to announce IPs from our ASN out of any ISP's premises.

## Who we are

Aquilenet is a non-profit organisation founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks using and contributing to Libre Software.
We provide xDSL, VPN and, we hope, soon fibre access, plus many services for our members (mail, Nextcloud, hosting, VPS...) and for others: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...

## The need: create a Libre hosting space in our cool premises called "la mezzanine"

To allow the members of our non-profit organisation to put the hardware they want (NUC, Raspberry Pi, tower, etc.) in our Libre hosting space called "la mezzanine", with a public IPv4 and IPv6 from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to announce our IPs from a place other than our datacenter.

## How we do it

We have to tunnel all the network traffic from the Libre Hosting to the Internet and vice versa. We first tried OpenVPN, but its userland implementation uses too many resources for the needed bandwidth (200Mbps).
This IP range will be routed over IPSec to our ASN's BGP announcement point in our datacenter, which will then route it to the Libre Hosting.

In our Libre Hosting we have an OPNSense firewall, and in our datacenter two clustered OpenBSD machines.

A diagram to explain this:

 ![](https://atelier.aquilenet.fr/attachments/download/550/Aquilenet-IPSec-Logical_Scheme.png) ![](https://atelier.aquilenet.fr/attachments/download/549/Aquilenet-IPSec-Logical_Scheme.svg) 

### OpenBSD configuration

We configure OpenBSD's IPSec configuration file with two Phase 2 tunnels, one for IPv4 and another for IPv6:

 /etc/ipsec.conf 

~~~
# The $LIBRE_HOSTING_PUB_IP_V4, $LIBRE_HOSTING_PUB_IP_V6 and $OPSense_Public_IP
# macros must be defined earlier in this file, e.g. OPSense_Public_IP="<address>"

# Phase 1 + Phase 2 (IKEv1 main mode, DH group modp2048, pre-shared key);
# "passive" means OpenBSD waits for OPNSense to initiate
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "mysupersecurepass"

# Flows: which traffic must go through the ESP tunnel to the OPNSense peer
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~

 ~~~ 
 chmod 500 /etc/ipsec.conf 
 ~~~ 
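
The two things that most often go wrong with this file are a macro referenced before it is defined (ipsecctl refuses the file) and a configuration readable by more than root, since it carries the PSK in clear text. The following linter is an added example, not Aquilenet's tooling and not part of ipsecctl: it walks an ipsec.conf(5) body, flags `$macro` references with no prior `name=value` definition, flags a quoted `psk` shorter than a chosen length, and checks that the file mode (as set by the `chmod` above) grants nothing to group or other. The sample configuration embedded below is constructed from the one above, with only the peer macro defined, so the undefined prefix macros are reported.

```python
import os
import re
import stat

# ipsec.conf(5) macro names start with a letter and contain letters, digits and underscores
MACRO_DEF = re.compile(r'^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(\S+)')
MACRO_REF = re.compile(r'\$([A-Za-z][A-Za-z0-9_]*)')
PSK_VALUE = re.compile(r'\bpsk\s+"([^"]*)"')


def lint_ipsec_conf(text, min_psk_len=20):
    """Return (line number, message) findings for an ipsec.conf body.

    Checks are constructed for this example: undefined macro references and
    pre-shared keys shorter than min_psk_len characters.
    """
    findings = []
    defined = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]          # strip comments
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for name in MACRO_REF.findall(line):
            if name not in defined:
                findings.append((lineno, f'macro ${name} used before definition'))
        for secret in PSK_VALUE.findall(line):
            if len(secret) < min_psk_len:
                findings.append((lineno, f'psk shorter than {min_psk_len} characters'))
    return findings


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or other (0600, 0500, ...)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def lint_file(path, min_psk_len=20):
    """Lint an on-disk ipsec.conf: file mode first, then its contents."""
    findings = []
    mode = os.stat(path).st_mode
    if not mode_is_private(mode):
        findings.append((0, f'mode {stat.S_IMODE(mode):04o} is readable by group/other'))
    with open(path) as fh:
        findings.extend(lint_ipsec_conf(fh.read(), min_psk_len))
    return findings


# Constructed sample: the page's rules with only the peer macro defined.
SAMPLE = """\
OPSense_Public_IP="192.0.2.1"
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \\
    peer $OPSense_Public_IP \\
    main group modp2048 \\
    psk "mysupersecurepass"
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
"""


def lint_sample():
    """Findings for SAMPLE: two undefined prefix macros and one short PSK."""
    return lint_ipsec_conf(SAMPLE)


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for lineno, msg in (lint_file(target) if target else lint_sample()):
        print(f'line {lineno}: {msg}')
```

Run it as `python3 lint_ipsec.py /etc/ipsec.conf` on the OpenBSD host before `ipsecctl -f`; with no argument it lints the embedded sample. The mode check accepts both `0500` from the page and the more usual `0600`, because what matters for the PSK is that group and other get nothing.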

 Launch the tunnel: 

 ~~~ 
 isakmpd -K   
 ipsecctl -f /etc/ipsec.conf 
 ~~~ 

 To make it permanent add this to /etc/rc.conf.local: 

 ~~~ 
 isakmpd_flags="-K" 
 ipsec_rules=/etc/ipsec.conf 
 ipsec=YES 
 ~~~ 

Check the configuration (lists the active security associations):

 ~~~ 
 ipsecctl -sa  
 ~~~ 

 Enable some logs on Isakmpd: 

~~~
# "S" asks isakmpd to dump its status report to /var/run/isakmpd.result
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~

 and: 

 ~~~ 
 isakmpd -d -DA=70 -K 
 ~~~ 

Check IPSec flows:

~~~
# -sf shows the installed flows; note that -F would flush them instead
ipsecctl -sf
~~~

 ## OPNSense configuration 

 ![](IPSec-Phase2_Conf1.png) ![](IPSec-Phase1_Conf1.png) 

### -> Configuration 1: Performance

  - AES_CBC_256/HMAC_SHA2_512_256/MODP_8192

  - Cerbere11

~~~
last pid: 45038; load averages: 0.27, 0.34, 0.31 up 0+00:56:47 19:07:15
49 processes: 1 running, 48 sleeping
CPU 0: 3.9% user, 0.0% nice, 0.8% system, 3.1% interrupt, 92.1% idle
CPU 1: 1.2% user, 0.0% nice, 0.0% system, 6.3% interrupt, 92.5% idle
CPU 2: 0.4% user, 0.0% nice, 0.0% system, 21.3% interrupt, 78.3% idle
CPU 3: 5.9% user, 0.0% nice, 0.0% system, 2.4% interrupt, 91.7% idle
Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free
~~~

  - Cerbere1

~~~
load averages: 1.18, 0.95, 0.74 cerbere1.aquilenet.fr 19:08:23
43 processes: 1 starting, 40 idle, 1 dead, 1 on processor up 3 days, 18:40 up 3 days, 19:21
CPU0 states: 0.2% user, 0.0% nice, 2.8% system, 7.4% interrupt, 89.6% idle
CPU1 states: 0.0% user, 0.0% nice, 22.4% system, 0.0% interrupt, 77.6% idle
CPU2 states: 0.0% user, 0.0% nice, 20.2% system, 0.0% interrupt, 79.8% idle
CPU3 states: 0.0% user, 0.0% nice, 10.8% system, 0.0% interrupt, 89.2% idle
Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M
~~~

  - bandwidth

 ![](IPSec_BW1.png) 

### MTU

~~~
Linux: ping -M do -s 1172 185.233.102.130 => OK
Linux: iperf3 -c 185.233.102.130 -M 1160 => OK
Linux: ping -M do -s 1173 185.233.102.130 => NOK
Linux: iperf3 -c 185.233.102.130 -M 1161 => NOK
~~~
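
The four probes above bracket the tunnel MTU by hand: a DF-flagged ping payload of 1172 passes and 1173 does not, and the matching TCP MSS is 1160. The script below is an added example, not part of the page or of Aquilenet's tooling, that automates that bracketing with a binary search over `ping -M do -s <size>` (Linux iputils ping) and derives the path MTU and MSS from the largest passing payload, assuming IPv4 (20-byte IP header, 8-byte ICMP header, 20-byte TCP header). A constructed fake probe reproduces the page's measurements so the search can be exercised without network access.

```python
import subprocess

ICMP_HDR = 8    # ICMP echo header
IPV4_HDR = 20   # IPv4 header without options (assumption: no options on the path)
TCP_HDR = 20    # TCP header without options


def largest_passing(probe, lo, hi):
    """Largest size in [lo, hi] for which probe(size) is True.

    Assumes the probe is monotonic: True up to some threshold, False beyond it,
    which holds for DF pings against a fixed path MTU. Returns None if even lo fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_df_probe(host, timeout=2):
    """Build a probe sending one DF-flagged ICMP echo with the given payload size."""
    def probe(size):
        cmd = ['ping', '-M', 'do', '-c', '1', '-W', str(timeout), '-s', str(size), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def tunnel_sizes(payload):
    """Derive the IPv4 path MTU and the TCP MSS from the largest passing ping payload."""
    mtu = payload + ICMP_HDR + IPV4_HDR
    return {'payload': payload, 'mtu': mtu, 'mss': mtu - IPV4_HDR - TCP_HDR}


def discover(probe, lo=0, hi=1472):
    """Search payloads up to 1472 (a plain 1500-byte Ethernet MTU) and report sizes."""
    best = largest_passing(probe, lo, hi)
    return None if best is None else tunnel_sizes(best)


# Constructed fake path behaving like the page's measurements: 1172 passes, 1173 fails.
def fake_probe(size):
    return size <= 1172


if __name__ == '__main__':
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    print(discover(ping_df_probe(host)) if host else discover(fake_probe))
```

Run as `python3 pmtu.py 185.233.102.130` from a Linux host inside the Libre Hosting to measure the real tunnel; without an argument it runs against the fake path and reports payload 1172, MTU 1200, MSS 1160, which is exactly the pair of values the manual `ping`/`iperf3 -M` tests above settled on. The `mss` figure is the value to clamp on the firewall so TCP flows never need fragmentation inside the tunnel.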

  - a netcat-style listener that echoes back whatever it receives:

~~~
socat TCP4-LISTEN:4444,fork EXEC:cat
~~~