Librehosting » History » Version 2

sacha, 29/07/2018 22:59

# Configuration of a Libre Hosting

aka IPsec between OPNsense and OpenBSD

## Who we are

Aquilenet is a non-profit organisation founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks using and contributing to Libre Software.

We provide xDSL and VPN access (and, we hope, fiber soon), plus many services for our members (mail, Nextcloud, hosting, VPS...) and for everyone: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...

## The need: create a Libre format hosting in our cool premises called "la mezzanine"

To allow the members of our non-profit organisation to put the hardware they want (a NUC, a Raspberry Pi, a tower, etc.) in our Libre hosting space called "la mezzanine" with a public IPv4 and IPv6 address from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to announce our IPs from somewhere other than our datacenter.

## How we do it

We have to tunnel all the traffic from the Libre Hosting to the Internet and vice versa. We first tried OpenVPN, but the userland application uses too many resources for the required bandwidth (200 Mbps).

The IP range will be routed over IPsec to our BGP announcement point in our datacenter, which will then route it to the Libre Hosting.

At the Libre Hosting we have an OPNsense firewall, and in our datacenter two clustered OpenBSD hosts.

See this logical diagram:

![](https://atelier.aquilenet.fr/attachments/download/541/Aquilenet-Free_Format_Hosting.png)

  - Cerbere1:

/etc/ipsec.conf

~~~
ike passive esp from any to 185.233.102.128/26 \
    peer 92.154.99.130 \
    main group modp2048 \
    psk "01d8fb1bd7cd1a0318cadf21ee23b32bab4107af"

flow esp from any to 185.233.102.128/26 peer 92.154.99.130
flow esp from any to 2a0c:e300:12::/48 peer 92.154.99.130
~~~

Restrict the permissions of the file holding the PSK:

~~~
chmod 500 /etc/ipsec.conf
~~~

Start the tunnel:

~~~
isakmpd -K
ipsecctl -f /etc/ipsec.conf
~~~

Check the configuration:

~~~
ipsecctl -sa
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~

Flush the IPsec rules:

~~~
ipsecctl -F
~~~

Debug:

~~~
isakmpd -d -DA=70 -K
~~~

Add the route:

~~~
route add 185.233.102.129/26 185.233.100.124
~~~

  - Cerbere11 configuration

![](IPSec-Phase2_Conf1.png) ![](IPSec-Phase1_Conf1.png)

### -> Configuration 1: Performance

  - `AES_CBC_256/HMAC_SHA2_512_256/MODP_8192`

  - Cerbere11

~~~
last pid: 45038; load averages: 0.27, 0.34, 0.31 up 0+00:56:47 19:07:15
49 processes: 1 running, 48 sleeping
CPU 0: 3.9% user, 0.0% nice, 0.8% system, 3.1% interrupt, 92.1% idle
CPU 1: 1.2% user, 0.0% nice, 0.0% system, 6.3% interrupt, 92.5% idle
CPU 2: 0.4% user, 0.0% nice, 0.0% system, 21.3% interrupt, 78.3% idle
CPU 3: 5.9% user, 0.0% nice, 0.0% system, 2.4% interrupt, 91.7% idle
Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free
~~~

  - Cerbere1

~~~
load averages: 1.18, 0.95, 0.74 cerbere1.aquilenet.fr 19:08:23
43 processes: 1 starting, 40 idle, 1 dead, 1 on processor up 3 days, 18:40 up 3 days, 19:21
CPU0 states: 0.2% user, 0.0% nice, 2.8% system, 7.4% interrupt, 89.6% idle
CPU1 states: 0.0% user, 0.0% nice, 22.4% system, 0.0% interrupt, 77.6% idle
CPU2 states: 0.0% user, 0.0% nice, 20.2% system, 0.0% interrupt, 79.8% idle
CPU3 states: 0.0% user, 0.0% nice, 10.8% system, 0.0% interrupt, 89.2% idle
Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M
~~~

  - bandwidth

![](IPSec_BW1.png)

### MTU

~~~
Linux: ping -M do -s 1172 185.233.102.130 => OK
Linux: iperf3 -c 185.233.102.130 -M 1160 => OK
Linux: ping -M do -s 1173 185.233.102.130 => NOK
Linux: iperf3 -c 185.233.102.130 -M 1161 => NOK
~~~

  - netcat that echoes back its input:

~~~
socat TCP4-LISTEN:4444,fork EXEC:cat
~~~