Greetings everyone, I am playing with Amazon Virtual Private Clouds (VPC). I have set a few up. I have no issues connecting IPsec from OpenBSD <-> Amazon VPC. All of these VPCs so far have their own internet connection going out from Amazon that works fine.
[OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet

Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the VPN, and all traffic is sent back through the IPsec tunnel and then out the local network gateway.

[Internet]
    ^
    |
    |
    |
[OpenBSD]<-------ipsec------>[VPC]

I added these relevant lines to pf.conf:

    match out on $ext_if from !($ext_if:network) nat-to ($ext_if)
    pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl I can tell that traffic from the VPC (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface, and I can see the reply come back to the external interface. The reply never hits enc0, though, and never makes it back to the client.

Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.

J
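For reference, here is a complete minimal configuration for this hub-and-spoke layout. It is an added illustration, not configuration from the post above; the interface name em0, the LAN prefix 192.168.1.0/24, the VPC prefix 10.0.0.0/16, the peer address 203.0.113.10 and the ciphers are all placeholders/assumptions. The point it makes is that the reply path needs two things to hold: pf must un-NAT the reply (the state created by the pass out rule does that), and the un-NATed packet, now destined to 10.x but carrying an arbitrary Internet source address, must still match an IPsec flow so that it is encapsulated and appears on enc0 instead of being handed to the default route. A flow whose local side is only the LAN prefix does not match such a packet; using "any" as the local side does.

```conf
# /etc/pf.conf  (added example; names and prefixes are assumptions)
ext_if = "em0"
lan    = "192.168.1.0/24"
vpc    = "10.0.0.0/16"
peer   = "203.0.113.10"

set skip on lo

# IKE (UDP 500/4500) and ESP between the external interface and the VPC endpoint
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto { udp, esp } from ($ext_if) to $peer

# Decapsulated tunnel traffic in both directions; state is bound to enc0
pass quick on enc0 keep state (if-bound)

# Hide VPC sources behind the external address. The NAT is recorded in the
# state created by the following pass out rule, and that state is what
# un-NATs the reply when it arrives on $ext_if.
match out on $ext_if from $vpc to any nat-to ($ext_if)
pass out on $ext_if keep state

# /etc/ipsec.conf  (added example; IKEv1 with a pre-shared key is assumed)
# The local side of the flow is "any", not $lan: after un-NAT the reply is
# "Internet host -> 10.x", and only a flow that covers that source will
# encapsulate it onto enc0. The VPC side must likewise route 0.0.0.0/0 to the VPN.
ike esp from any to 10.0.0.0/16 peer 203.0.113.10 \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "replace-with-the-preshared-key"
```

With this loaded (sysctl net.inet.ip.forwarding=1, pfctl -f /etc/pf.conf, ipsecctl -f /etc/ipsec.conf), `ipsecctl -sf` should list the flow as `from 0.0.0.0/0 to 10.0.0.0/16`, `pfctl -ss` should show the NAT state on em0 alongside the enc0-bound state, and `tcpdump -ni enc0` should then show the un-NATed reply going back into the tunnel. The narrower `from $vpc` on the NAT rule, rather than `!($ext_if:network)`, avoids accidentally NATing anything else that happens to transit the box.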