Librehosting » History » Version 3

sacha, 29/07/2018 23:08

# Configuration of a Libre Hosting

aka IPsec between OPNsense and OpenBSD

## Who we are

Aquilenet is a non-profit organisation founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks with Libre Software, to which we also contribute.

We provide xDSL and VPN access (and, we hope, fiber soon), plus many services for our members (mail, Nextcloud, hosting, VPS...) and for everyone: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...

## The need: a Libre hosting in our premises, "la mezzanine"

To let the members of our non-profit put the hardware they want (NUC, Raspberry Pi, tower, etc.) in our Libre hosting space called "la mezzanine", with public IPv4 and IPv6 addresses from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to use addresses from our ASN at a location other than our datacenter, where our BGP announcements are made.

## How we do it

We have to tunnel all traffic between the Libre Hosting and the Internet, in both directions. We first tried OpenVPN, but as a userland application it used too many resources for the bandwidth we need (200 Mbps).

The Libre Hosting prefixes are announced by BGP from our datacenter (our ASN's point of announcement); the datacenter then routes them through an IPsec tunnel to the Libre Hosting.

At the Libre Hosting we have an OPNsense firewall; in our datacenter, two clustered OpenBSD machines.

Logical diagram:

![](https://atelier.aquilenet.fr/attachments/download/541/Aquilenet-Free_Format_Hosting.png)

### OpenBSD configuration (Cerbere1)

We configure OpenBSD's IPsec with one `ike` rule that negotiates the tunnel with the OPNsense peer (passive: the OPNsense side initiates) and two phase 2 flows, one for the hosting's IPv4 /26 and one for its IPv6 /48.

/etc/ipsec.conf

~~~
# Macros $LIBRE_HOSTING_PUB_IP_V4, $LIBRE_HOSTING_PUB_IP_V6 and
# $OPSense_Public_IP are defined above this point (NAME="value").

# IKE negotiation with the OPNsense peer: passive (the peer initiates),
# ESP, main mode with a 2048-bit MODP group, pre-shared key.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "mysupersecurepass"

# Traffic selectors: the hosting's IPv4 /26 and IPv6 /48 go through the tunnel
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~

The file holds the pre-shared key, so keep it readable by root only (OpenBSD installs it as mode 0600), and use a long random PSK (for example the output of `openssl rand -hex 32`) rather than a passphrase:

~~~
chmod 600 /etc/ipsec.conf
~~~

Launch the tunnel:

~~~
isakmpd -K                   # -K: do not use keynote(4) policy checking
ipsecctl -f /etc/ipsec.conf  # load the rules; ike rules are handed to isakmpd
~~~

Make it permanent by adding this to /etc/rc.conf.local:

~~~
isakmpd_flags="-K"
ipsec_rules=/etc/ipsec.conf
ipsec=YES
~~~

Check the configuration (flows and SAs, then the isakmpd SA report):

~~~
ipsecctl -sa
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~

Flush the IPsec rules (flows and SAs):

~~~
ipsecctl -F
~~~

Debug (isakmpd in the foreground, all debug classes at level 70):

~~~
isakmpd -d -DA=70 -K
~~~

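As an added example (not the configuration from the Aquilenet page), here is the same `ipsec.conf` with the proposals pinned explicitly for both phases, a separate `ike` rule per address family so that the IPv6 /48 gets its own negotiated phase 2 instead of a bare `flow`, and a PSK slot meant for a random string. The algorithm set mirrors the proposal listed in the performance section below (AES-256-CBC / HMAC-SHA2-512 / MODP-8192); the macro values use documentation ranges and the PSK is a placeholder, both assumptions to be replaced with the real ones. Because `ike` rules set up their own flows, no separate `flow` lines are needed.

```conf
# /etc/ipsec.conf (added example, not the page's own config; mode 0600)
# Placeholder macro values: replace with the real prefixes and peer address.
LIBRE_HOSTING_PUB_IP_V4="192.0.2.0"       # assumption: RFC 5737 documentation range
LIBRE_HOSTING_PUB_IP_V6="2001:db8:1::"    # assumption: RFC 3849 documentation prefix
OPSense_Public_IP="198.51.100.1"          # assumption: placeholder peer address

# Phase 1 (main) and phase 2 (quick) proposals pinned explicitly, with PFS.
# The OPNsense side must offer exactly this set or negotiation fails.
# PSK: paste the output of `openssl rand -hex 32` on both peers.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main  auth hmac-sha2-512 enc aes-256 group modp8192 \
    quick auth hmac-sha2-512 enc aes-256 group modp8192 \
    psk "REPLACE_WITH_openssl_rand_hex_32_OUTPUT"

# Same peer and proposals for the IPv6 prefix: its own phase 2 SA pair.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 \
    peer $OPSense_Public_IP \
    main  auth hmac-sha2-512 enc aes-256 group modp8192 \
    quick auth hmac-sha2-512 enc aes-256 group modp8192 \
    psk "REPLACE_WITH_openssl_rand_hex_32_OUTPUT"
```

Load it with `ipsecctl -f /etc/ipsec.conf` as above; `ipsecctl -sa` should then list one flow pair per prefix and, once the OPNsense side has initiated, two ESP SAs per direction. If phase 1 never completes, compare the `main` line against the OPNsense phase 1 proposal first: a DH group or hash mismatch is the usual cause.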
### OPNsense configuration (Cerbere11)

Phase 1 and phase 2 settings on the OPNsense side. The proposals (authentication, encryption, DH group) must match what the OpenBSD `ipsec.conf` declares, otherwise negotiation fails.

![](IPSec-Phase2_Conf1.png) ![](IPSec-Phase1_Conf1.png)

### Configuration 1: performance

Proposal: AES_CBC_256 / HMAC_SHA2_512_256 / MODP_8192

`top` snapshots on each side:

  - Cerbere11

~~~
last pid: 45038; load averages: 0.27, 0.34, 0.31 up 0+00:56:47 19:07:15
49 processes: 1 running, 48 sleeping
CPU 0: 3.9% user, 0.0% nice, 0.8% system, 3.1% interrupt, 92.1% idle
CPU 1: 1.2% user, 0.0% nice, 0.0% system, 6.3% interrupt, 92.5% idle
CPU 2: 0.4% user, 0.0% nice, 0.0% system, 21.3% interrupt, 78.3% idle
CPU 3: 5.9% user, 0.0% nice, 0.0% system, 2.4% interrupt, 91.7% idle
Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free
~~~

  - Cerbere1

~~~
load averages: 1.18, 0.95, 0.74 cerbere1.aquilenet.fr 19:08:23
43 processes: 1 starting, 40 idle, 1 dead, 1 on processor up 3 days, 18:40 up 3 days, 19:21
CPU0 states: 0.2% user, 0.0% nice, 2.8% system, 7.4% interrupt, 89.6% idle
CPU1 states: 0.0% user, 0.0% nice, 22.4% system, 0.0% interrupt, 77.6% idle
CPU2 states: 0.0% user, 0.0% nice, 20.2% system, 0.0% interrupt, 79.8% idle
CPU3 states: 0.0% user, 0.0% nice, 10.8% system, 0.0% interrupt, 89.2% idle
Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M
~~~

  - Bandwidth:

![](IPSec_BW1.png)

### MTU

Probing the path MTU through the tunnel from a Linux host, with DF set (`ping -M do`) and with a forced TCP MSS (`iperf3 -M`):

~~~
ping -M do -s 1172 185.233.102.130   => OK
iperf3 -c 185.233.102.130 -M 1160    => OK
ping -M do -s 1173 185.233.102.130   => NOK
iperf3 -c 185.233.102.130 -M 1161    => NOK
~~~

Both probes agree on a path MTU of 1200 bytes: 1172 bytes of ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = 1200, and an MSS of 1160 + 20 (TCP header) + 20 (IPv4 header) = 1200. Hosts behind the tunnel therefore need an MTU of 1200 on that path, or the firewall has to clamp the TCP MSS to 1160.

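The bookkeeping behind those numbers, as an added example (not code from the Aquilenet page): it turns the DF-ping and `iperf3 -M` probe results above into a path MTU and an MSS clamp value, cross-checks that the two methods agree, and computes the ESP tunnel-mode overhead of the AES-256-CBC / HMAC-SHA2-512-256 suite so the measured MTU can be compared with what the encapsulation alone would allow. The header sizes are the RFC constants; the probe values are the page's; the 1500-byte outer MTU is an assumption.

```python
"""Path-MTU and ESP-overhead bookkeeping for an IPsec tunnel (added example)."""

IPV4_HDR, IPV6_HDR = 20, 40
ICMP_HDR, TCP_HDR, UDP_HDR = 8, 20, 8
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)

# (IV length, cipher block size) in bytes
CIPHERS = {"aes-128-cbc": (16, 16), "aes-256-cbc": (16, 16), "3des-cbc": (8, 8)}
# truncated ICV length in bytes (RFC 2404 / RFC 4868)
INTEG = {"hmac-sha1-96": 12, "hmac-sha2-256-128": 16,
         "hmac-sha2-384-192": 24, "hmac-sha2-512-256": 32}

# Probe results, constructed from the measurements on the page:
# key = ICMP payload (ping -s) or TCP MSS (iperf3 -M), value = delivered or not
PING_PROBES = {1172: True, 1173: False}
IPERF_PROBES = {1160: True, 1161: False}


def largest_ok(probes):
    """Largest probe size that went through with DF set."""
    return max(size for size, ok in probes.items() if ok)


def path_mtu_from_ping(payload, ipv6=False):
    """ping -M do -s <payload>: packet = IP header + ICMP header + payload."""
    return payload + ICMP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR)


def path_mtu_from_mss(mss, ipv6=False):
    """iperf3 -M <mss>: segment = IP header + TCP header + MSS."""
    return mss + TCP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR)


def mss_for_mtu(mtu, ipv6=False):
    """MSS to clamp to (e.g. pf 'scrub ... max-mss') for a given path MTU."""
    return mtu - TCP_HDR - (IPV6_HDR if ipv6 else IPV4_HDR)


def esp_tunnel_size(inner_len, cipher, integ, outer_ipv6=False, nat_t=False):
    """Wire size of an inner packet once in ESP tunnel mode: outer IP
    [+ UDP for NAT-T] + ESP header + IV + (inner + trailer, padded to the
    cipher block) + ICV."""
    iv_len, block = CIPHERS[cipher]
    to_encrypt = inner_len + ESP_TRAILER
    padded = to_encrypt + (-to_encrypt) % block
    outer = (IPV6_HDR if outer_ipv6 else IPV4_HDR) + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + iv_len + padded + INTEG[integ]


def max_inner_mtu(outer_mtu, cipher, integ, outer_ipv6=False, nat_t=False):
    """Largest inner packet that still fits in outer_mtu after encapsulation."""
    for inner in range(outer_mtu, 0, -1):
        if esp_tunnel_size(inner, cipher, integ, outer_ipv6, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def analyse(ping_probes=PING_PROBES, iperf_probes=IPERF_PROBES, outer_mtu=1500):
    """Cross-check the two probe methods and return the derived numbers."""
    mtu_ping = path_mtu_from_ping(largest_ok(ping_probes))
    mtu_tcp = path_mtu_from_mss(largest_ok(iperf_probes))
    return {
        "path_mtu": mtu_ping,
        "consistent": mtu_ping == mtu_tcp,
        "mss_clamp": mss_for_mtu(mtu_ping),
        # what the suite alone would allow behind outer_mtu (assumed 1500)
        "esp_bound": max_inner_mtu(outer_mtu, "aes-256-cbc", "hmac-sha2-512-256"),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running it on the page's probes gives a path MTU of 1200, an MSS clamp of 1160 and agreement between the two methods, while the ESP bound for this suite behind a 1500-byte link is 1422 (1406 with NAT-T). The measured 1200 is well below that, so the limit is set by something on the path or in the tunnel interface configuration, not by the ESP overhead of the chosen algorithms.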
  - TCP echo server with socat (every connection gets its input echoed back by `cat`):

~~~
socat TCP4-LISTEN:4444,fork EXEC:cat
~~~