IC Peering Konfiguration
Before you reboot:
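# Parse-check both saved rule sets before rebooting. --test reads and
# validates the file without touching the live tables, so a broken rules
# file surfaces now instead of leaving the host without a firewall after
# the reboot. Two independent commands, one per address family.
sudo iptables-restore --test < /etc/iptables.up.rules
sudo ip6tables-restore --test < /etc/ip6tables.up.rules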
Tunnel
IPsec with strongSwan
# strongSwan daemon plus the standard plugin set (needed for the pki tool and
# the aes/sha2/modp proposals used in ipsec.conf).
sudo apt-get install strongswan libstrongswan-standard-plugins
Generate key pair
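# Key material for this gateway. gwXX is a placeholder for the gateway's name
# (the ipsec.conf below refers to gw01.pem).
sudo mkdir -p /etc/ipsec.d/public/
# Private key. tee's stdout is discarded so the key is not echoed to the
# terminal (and scrollback) as a side effect of writing it as root.
sudo ipsec pki --gen --type rsa --outform pem --size 4096 \
    | sudo tee /etc/ipsec.d/private/gwXX.pem > /dev/null
# tee creates the file with the default umask; make the private key
# root-only explicitly rather than relying on the directory's permissions.
sudo chmod 600 /etc/ipsec.d/private/gwXX.pem
# Public half. This is what each peer pins as rightrsasigkey in its
# ipsec.conf, so it is exchanged out of band.
sudo ipsec pki --pub --in /etc/ipsec.d/private/gwXX.pem --outform pem \
    | sudo tee /etc/ipsec.d/public/gwXX.pem
# Register the private key with charon for pubkey authentication.
echo ": RSA gwXX.pem" | sudo tee -a /etc/ipsec.secrets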
/etc/ipsec.conf
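# Defaults inherited by every conn below.
conn %default
    keyexchange=ikev2
    # Each side authenticates with an RSA key pinned to a file (no CA, no PSK).
    authby=pubkey
    ike=aes128-sha256-modp2048!
    # NOTE(review): ESP integrity is HMAC-SHA1. The trailing '!' makes the
    # proposal strict, so moving to sha256 must be done on both ends together.
    esp=aes128-sha1-modp2048!
    ikelifetime=28800s
    lifetime=3600s
    # Transport mode covering only GRE between the two endpoints.
    type=transport
    leftprotoport=gre
    rightprotoport=gre
    leftsubnet=%dynamic[gre]
    rightsubnet=%dynamic[gre]
    # Dead peer detection; the SA is re-established when the peer goes away.
    # (dpdaction was listed twice in the original; once is enough.)
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # Install trap policies at startup; the SA is negotiated on first
    # matching packet.
    auto=route

# Endpoints are the outer IPv6 addresses of the GRE tunnels in
# /etc/network/interfaces (left = this gateway, right = the peer).
conn fffd-gw04
    left=2a01:4a0:2002:2417::2
    right=2a01:4f8:171:2729::fffd
    leftrsasigkey=/etc/ipsec.d/public/gw01.pem
    rightrsasigkey=/etc/ipsec.d/public/fffd-gw04.pem

conn dn42-oleander-arturo
    left=2a01:4a0:2002:2417::2
    right=2a00:dcc0:dead:a1bb::23
    leftrsasigkey=/etc/ipsec.d/public/gw01.pem
    rightrsasigkey=/etc/ipsec.d/public/dn42-oleander-arturo.pem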
GRE over IPv6
/etc/network/interfaces
# GRE over IPv6 to fffd-gw04. The remote/local addresses are the same pair
# used by the fffd-gw04 conn in /etc/ipsec.conf, so these GRE packets are
# what the transport-mode IPsec SA protects.
auto tun-fffd-gw04
iface tun-fffd-gw04 inet static
    address 172.20.241.10/30
    # Creates the tunnel device. 'ip tunnel add' fails if the device already
    # exists; NOTE(review): there is no post-down teardown, so ifdown
    # followed by ifup will hit that failure until the device is deleted.
    pre-up ip -6 tunnel add tun-fffd-gw04 mode ip6gre remote 2a01:4f8:171:2729::fffd local 2a01:4a0:2002:2417::2 ttl 128
iface tun-fffd-gw04 inet6 static
    # Link-local used as the bird6 session endpoint (neighbor fe80::1 on this tunnel).
    address fe80::2/64

# GRE over IPv6 to dn42-oleander-arturo; only an IPv4 BGP session is
# configured for this peer in bird.conf.
auto tun-dn42-olar
iface tun-dn42-olar inet static
    address 10.207.0.41/30
    pre-up ip -6 tunnel add tun-dn42-olar mode ip6gre remote 2a00:dcc0:dead:a1bb::23 local 2a01:4a0:2002:2417::2 ttl 128
iface tun-dn42-olar inet6 static
    address fe80::1/64
eBGP
# BIRD routing daemon; the package ships both bird (IPv4) and bird6 (IPv6).
sudo apt-get install bird
/etc/bird/bird.conf
# All log classes go to syslog.
log syslog all;
# Routes learned from peers land here and are piped into master (see
# freifunk_to_master); the kernel protocol never reads this table directly.
table freifunk;
# XXX.XXX is a placeholder: use this gateway's own 10.128.x.x address.
router id 10.128.XXX.XXX;
protocol kernel {
    # One-way: nothing from the kernel FIB is learned, routes only go out to it.
    import none;
    # Every exported route gets the gateway's address as preferred source.
    export filter {
        krt_prefsrc = 10.128.XXX.XXX;  # placeholder, same address as router id
        accept;
    };
    scan time 20;
    # Leave the installed routes in the kernel table when bird stops.
    persist;
}
# Interface/link state scanning; rescanned every 10 seconds.
protocol device {
scan time 10;
}
# Originates this gateway's aggregate into the freifunk table, from where the
# bgp template's "export all" announces it to every peer. The reject route
# only anchors the aggregate; more specific routes still win.
protocol static freifunk_static {
table freifunk;
route 10.128.0.0/18 reject;
}
protocol pipe freifunk_to_master {
    # Copies everything from freifunk into master (the table the kernel
    # protocol exports from); nothing flows back from master into freifunk.
    peer table master;
    table freifunk;
    import none;
    export all;
}
function is_freifunk_net(prefix p)
prefix set include;
prefix set exclude;
{
    # Address space we are willing to learn from peers, with the range of
    # prefix lengths accepted inside each block.
    include = [
        10.0.0.0/8{12,30},        # Freifunk
        172.22.0.0/15{22,28},     # DN42
        172.22.0.53/32,           # DN42 anycast DNS
        100.64.0.0/10{12,28},     # iana private range
        172.31.0.0/16{22,28}      # ChaosVPN
    ];
    # Carve-outs that are never accepted even though they fall inside a
    # block above.
    exclude = [
        10.10.10.0/24+            # mgmt and kabel deutschland dns, dhcp
    ];
    # Exclusions win; otherwise the prefix is accepted iff it matches include.
    if p ~ exclude then return false;
    return p ~ include;
}
template bgp freifunk_peer {
    local as 64877;
    table freifunk;
    # Next hops are resolved against the master table.
    igp table master;
    # Only prefixes passing is_freifunk_net() are taken from a peer ...
    import filter {
        if is_freifunk_net(net) then accept;
        reject;
    };
    # ... but rejected routes stay visible for inspection (show route filtered).
    import keep filtered;
    # The whole freifunk table (own static plus routes from other peers)
    # is announced to every peer using this template.
    export all;
    # NOTE(review): nothing bounds how many prefixes a single peer may push
    # into the table; an import limit would keep one peer from flooding it.
}
### Germany, HETZNER, Falkenstein (RZ17)
# Neighbor is the far end of the tun-fffd-gw04 /30 (this side is
# 172.20.241.10/30 in /etc/network/interfaces).
protocol bgp freifunk_fffd_gw01 from freifunk_peer {
neighbor 172.20.241.9 as 65142;
}
### Italy, Milano, IperWeb, CDLAN (Via Caldera 21)
# Neighbor is the far end of the tun-dn42-olar /30 (this side is
# 10.207.0.41/30 in /etc/network/interfaces).
protocol bgp dn42_oleander_arturo from freifunk_peer {
neighbor 10.207.0.42 as 64623;
}
/etc/bird/bird6.conf
# All log classes go to syslog.
log syslog all;
# IPv6 counterpart of the freifunk table in bird.conf; piped into master below.
table freifunk;
# The router id is a 32-bit value written in IPv4 notation even for bird6;
# XXX.XXX is a placeholder for this gateway's 10.128.x.x address.
router id 10.128.XXX.XXX;
protocol kernel {
    # One-way: nothing from the kernel FIB is learned, routes only go out to it.
    import none;
    # Every exported route gets the gateway's global address as preferred source.
    export filter {
        krt_prefsrc = 2a06:4b00:1000::xxxx:xxxx;  # placeholder for this gateway's address
        accept;
    };
    scan time 20;
    # Leave the installed routes in the kernel table when bird stops.
    persist;
}
# Interface/link state scanning; rescanned every 10 seconds.
protocol device {
scan time 10;
}
# Originates this gateway's ULA aggregate (the NPTv6 target prefix is a /56
# inside it) into the freifunk table so the bgp template announces it.
protocol static freifunk_static {
table freifunk;
route fd42:100c:7121::/48 reject;
}
protocol pipe freifunk_to_master {
    # Copies everything from freifunk into master (the table the kernel
    # protocol exports from); nothing flows back from master into freifunk.
    peer table master;
    table freifunk;
    import none;
    export all;
}
function is_freifunk_net(prefix p)
prefix set include;
prefix set exclude;
{
    # The whole ULA range, any prefix length up to /64.
    # NOTE(review): {0,64} also admits fc00::/7 itself and any large chunk
    # of it from a single peer; a higher minimum length would bound what one
    # peer can claim.
    include = [
        fc00::/7{0,64}            # ULA
    ];
    # Hyperboria space is never accepted, even though it sits inside fc00::/7.
    exclude = [
        fc00::/8+                 # hyperboria
    ];
    # Exclusions win; otherwise the prefix is accepted iff it matches include.
    if p ~ exclude then return false;
    return p ~ include;
}
template bgp freifunk_peer {
    local as 64877;
    table freifunk;
    # Next hops are resolved against the master table.
    igp table master;
    # Only prefixes passing is_freifunk_net() are taken from a peer ...
    import filter {
        if is_freifunk_net(net) then accept;
        reject;
    };
    # ... but rejected routes stay visible for inspection (show route filtered).
    import keep filtered;
    # The whole freifunk table is announced to every peer using this template.
    export all;
    # NOTE(review): nothing bounds how many prefixes a single peer may push
    # into the table; an import limit would keep one peer from flooding it.
}
### Germany, HETZNER, Falkenstein (RZ17)
# Session over the tunnel's link-local addresses (this side is fe80::2/64
# on tun-fffd-gw04 in /etc/network/interfaces); the interface name after
# '%' scopes the link-local neighbor address.
protocol bgp freifunk_fffd from freifunk_peer {
neighbor fe80::1 % 'tun-fffd-gw04' as 65142;
}
NPTv6
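# Stateless prefix translation between the public 2a06:4b00:1000::/56 and the
# ULA fd42:100c:7121::/56 announced over the fffd-gw04 tunnel.
# Both directions bypass connection tracking: the translation is stateless,
# so no conntrack state is needed for it.
# NOTE(review): NOTRACK also means any FORWARD rules matching on conntrack
# state will not see these packets; the forwarding policy for both prefixes
# has to be stated explicitly.
sudo ip6tables -t raw -A PREROUTING -i ffmr-br -s 2a06:4b00:1000::/56 -j NOTRACK
sudo ip6tables -t raw -A PREROUTING -i tun-fffd-gw04 -d fd42:100c:7121::/56 -j NOTRACK
# Outbound: rewrite the public source prefix to the ULA prefix.
sudo ip6tables -t mangle -A POSTROUTING -o tun-fffd-gw04 -s 2a06:4b00:1000::/56 \
    -j SNPT --src-pfx 2a06:4b00:1000::/56 --dst-pfx fd42:100c:7121::/56
# Inbound: rewrite the ULA destination prefix back to the public prefix.
sudo ip6tables -t mangle -A PREROUTING -i tun-fffd-gw04 -d fd42:100c:7121::/56 \
    -j DNPT --src-pfx fd42:100c:7121::/56 --dst-pfx 2a06:4b00:1000::/56
# Persist the rules, then put back the space that ip6tables-save drops
# between the SNPT/DNPT target and --src-pfx in the saved file.
sudo ip6tables-save | sudo tee /etc/ip6tables.up.rules
sudo sed -i -e 's/SNPT--src-pfx/SNPT --src-pfx/' -e 's/DNPT--src-pfx/DNPT --src-pfx/' /etc/ip6tables.up.rules
# Confirm the repaired file restores cleanly (the same check as before a reboot).
sudo ip6tables-restore --test < /etc/ip6tables.up.rules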
The final `sed` adds the missing space after SNPT/DNPT in /etc/ip6tables.up.rules.