No problem. I guess I should add that I'm not NATing enc0 as my subject 
suggests. I just have the usual 'match out on $ext_if...' nat rule in pf.conf 
and a 'set skip on enc0'. The real solution was understanding that ipsec tunnel 
in openbsd doesn’t use the route table so looking for a way to 'static route' 
ipsec /enc0 is nonsensical. This lack of automatic routable ipsec interface is 
probably not a big deal to the community because you can just make your own 
tunnel to get a routable interface assuming you can config both sides. It's 
only a problem in cases like mine where the other end of the vpn gives you a 
take it leave it config. 

-----Original Message-----
From: Adam Van Ymeren [mailto:adam.v...@gmail.com] 
Sent: Monday, June 1, 2015 2:16 PM
To: Justin Mayes
Cc: misc@openbsd.org
Subject: Re: NATing out enc0 traffic

Thanks for posting your adventure.  I didn't have enough PF knowledge to help 
debug, but it was an interesting read.

On Mon, Jun 1, 2015 at 3:11 PM, Justin Mayes <jma...@careered.com> wrote:
> I have this working. After learning more about route vs policy ipsec tunnels 
> I added a policy for 'any' to 10.x and return traffic from the net is now 
> passed back. I will go back to my cave now....
>
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf 
> Of Justin Mayes
> Sent: Friday, May 29, 2015 11:10 AM
> To: misc@openbsd.org
> Subject: Re: NATing out enc0 traffic
>
> I think I am understanding this better after some more reading. My 
> ipsec tunnel just connects the two subnets and when my nat traffic 
> returns from the internet it does not match the policy for the tunnel 
> because the source address is not 192.x. What I need is some tunneling 
> protocol that I can route like pptp or l2tp which is what npppd is 
> for. I do not have access to configure the amazon side of the vpn for 
> pptp or l2tp so I do not think this is not going to be possible. That 
> seems odd. I assumed this would be a common setup
>
> -----Original Message-----
> From: Justin Mayes
> Sent: Thursday, May 28, 2015 1:52 PM
> To: misc@openbsd.org
> Subject: RE: NATing out enc0 traffic
>
> I just wanted to send an update based on some feedback. My subject is 
> misleading so let me clarify. I'm not attempting to nat between the networks 
> on either side of the vpn. For examples sake assume 192.168.0.0/24 on one 
> side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers 
> on one side 10.x of the tunnel to access the internet via the other side of 
> the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and 
> replies come back. The return traffic comes back and the gateway drops it. I 
> assume that pf translates it back to the 10.x address and has no route for 
> that. I need it to go back through enc0.
>
> J
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf 
> Of Justin Mayes
> Sent: Wednesday, May 27, 2015 2:47 PM
> To: misc@openbsd.org
> Subject: NATing out enc0 traffic
>
> Greetings everyone
>
> I am playing with amazon virtual private clouds (VPC). I have set a few up. I 
> have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these 
> VPCs so far have their own internet connection going out from amazon that 
> works fine.
>
>
> [OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet
>
>
> Next I am setting up a VPC that has no internet gateway. Instead the default 
> gateway is the vpn and all traffic is sent back through the ipsec tunnel and 
> then out the local network gateway.
>
> [Internet]
> ^
> |
> |
> |
> [OpenBSD]<-------ipsec------>[VPC]
>
>
> I added these relevant lines to pf.conf
>
> Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass 
> quick on enc0 keep state (if-bound)
>
> With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) 
> comes across the tunnel and gets NATed out. I can see that traffic leave the 
> external interface and I can see the reply come back to the external 
> interface. The reply never hits enc0 though and never makes it back to the 
> client.  Is there another piece to the setup I am missing? I assume what I am 
> trying to do is possible. I would appreciate any insight or advice anyone may 
> have in regards to this type of setup.
>
> J

Reply via email to