Thanks for posting your adventure. I didn't have enough PF knowledge to help debug, but it was an interesting read.
On Mon, Jun 1, 2015 at 3:11 PM, Justin Mayes <jma...@careered.com> wrote: > I have this working. After learning more about route vs policy ipsec tunnels > I added a policy for 'any' to 10.x and return traffic from the net is now > passed back. I will go back to my cave now.... > > > -----Original Message----- > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of > Justin Mayes > Sent: Friday, May 29, 2015 11:10 AM > To: misc@openbsd.org > Subject: Re: NATing out enc0 traffic > > I think I am understanding this better after some more reading. My ipsec > tunnel just connects the two subnets and when my nat traffic returns from the > internet it does not match the policy for the tunnel because the source > address is not 192.x. What I need is some tunneling protocol that I can route > like pptp or l2tp which is what npppd is for. I do not have access to > configure the amazon side of the vpn for pptp or l2tp so I do not think this > is not going to be possible. That seems odd. I assumed this would be a common > setup > > -----Original Message----- > From: Justin Mayes > Sent: Thursday, May 28, 2015 1:52 PM > To: misc@openbsd.org > Subject: RE: NATing out enc0 traffic > > I just wanted to send an update based on some feedback. My subject is > misleading so let me clarify. I'm not attempting to nat between the networks > on either side of the vpn. For examples sake assume 192.168.0.0/24 on one > side of tunnel and 10.10.10.0/24 on the other. I'm trying to allow servers > on one side 10.x of the tunnel to access the internet via the other side of > the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and > replies come back. The return traffic comes back and the gateway drops it. I > assume that pf translates it back to the 10.x address and has no route for > that. I need it to go back through enc0. > > J > > -----Original Message----- > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of > Justin Mayes > Sent: Wednesday, May 27, 2015 2:47 PM > To: misc@openbsd.org > Subject: NATing out enc0 traffic > > Greetings everyone > > I am playing with amazon virtual private clouds (VPC). I have set a few up. I > have no issues connecting ipsec from openbsd <-> amazon VPC. All of these > VPCs so far have their own internet connection going out from amazon that > works fine. > > > [OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet > > > Next I am setting up a VPC that has no internet gateway. Instead the default > gateway is the vpn and all traffic is sent back through the ipsec tunnel and > then out the local network gateway. > > [Internet] > ^ > | > | > | > [OpenBSD]<-------ipsec------>[VPC] > > > I added these relevant lines to pf.conf > > Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on > enc0 keep state (if-bound) > > With tcpdump and pfctl I can tell that traffic from the vpc (10.0.0.0/8) > comes across the tunnel and gets NATed out. I can see that traffic leave the > external interface and I can see the reply come back to the external > interface. The reply never hits enc0 though and never makes it back to the > client. Is there another piece to the setup I am missing? I assume what I am > trying to do is possible. I would appreciate any insight or advice anyone may > have in regards to this type of setup. > > J
