I have this working. After learning more about route vs policy ipsec tunnels I added a policy for 'any' to 10.x and return traffic from the net is now passed back. I will go back to my cave now....
-----Original Message----- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes Sent: Friday, May 29, 2015 11:10 AM To: misc@openbsd.org Subject: Re: NATing out enc0 traffic I think I am understanding this better after some more reading. My ipsec tunnel just connects the two subnets and when my nat traffic returns from the internet it does not match the policy for the tunnel because the source address is not 192.x. What I need is some tunneling protocol that I can route like pptp or l2tp which is what npppd is for. I do not have access to configure the amazon side of the vpn for pptp or l2tp so I do not think this is not going to be possible. That seems odd. I assumed this would be a common setup -----Original Message----- From: Justin Mayes Sent: Thursday, May 28, 2015 1:52 PM To: misc@openbsd.org Subject: RE: NATing out enc0 traffic I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other. I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0. J -----Original Message----- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes Sent: Wednesday, May 27, 2015 2:47 PM To: misc@openbsd.org Subject: NATing out enc0 traffic Greetings everyone I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine. [OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway. [Internet] ^ | | | [OpenBSD]<-------ipsec------>[VPC] I added these relevant lines to pf.conf Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on enc0 keep state (if-bound) With tcpdump and pfctl I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client. Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup. J
