NATing out enc0 traffic

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

NATing out enc0 traffic

Justin Mayes
Greetings everyone

I am playing with amazon virtual private clouds (VPC). I have set a few up. I
have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these
VPCs so far have their own internet connection going out from amazon that
works fine.


[OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet


Next I am setting up a VPC that has no internet gateway. Instead the default
gateway is the vpn and all traffic is sent back through the ipsec tunnel and
then out the local network gateway.

[Internet]
^
|
|
|
[OpenBSD]<-------ipsec------>[VPC]


I added these relevant lines to pf.conf

Match out on $ext_if from !($ext_if:network) nat-to ($ext_if)
pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8)
comes across the tunnel and gets NATed out. I can see that traffic leave the
external interface and I can see the reply come back to the external
interface. The reply never hits enc0 though and never makes it back to the
client.  Is there another piece to the setup I am missing? I assume what I am
trying to do is possible. I would appreciate any insight or advice anyone may
have in regards to this type of setup.

J

Reply | Threaded
Open this post in threaded view
|

Re: NATing out enc0 traffic

Justin Mayes
I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0.

J

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
Sent: Wednesday, May 27, 2015 2:47 PM
To: [hidden email]
Subject: NATing out enc0 traffic

Greetings everyone

I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.


[OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet


Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.

[Internet]
^
|
|
|
[OpenBSD]<-------ipsec------>[VPC]


I added these relevant lines to pf.conf

Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.  Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.

J

Reply | Threaded
Open this post in threaded view
|

Re: NATing out enc0 traffic

Justin Mayes
In reply to this post by Justin Mayes
I think I am understanding this better after some more reading. My ipsec tunnel just connects the two subnets and when my nat traffic returns from the internet it does not match the policy for the tunnel because the source address is not 192.x. What I need is some tunneling protocol that I can route like pptp or l2tp which is what npppd is for. I do not have access to configure the amazon side of the vpn for pptp or l2tp so I do not think this is not going to be possible. That seems odd. I assumed this would be a common setup

-----Original Message-----
From: Justin Mayes
Sent: Thursday, May 28, 2015 1:52 PM
To: [hidden email]
Subject: RE: NATing out enc0 traffic

I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0.

J

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
Sent: Wednesday, May 27, 2015 2:47 PM
To: [hidden email]
Subject: NATing out enc0 traffic

Greetings everyone

I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.


[OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet


Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.

[Internet]
^
|
|
|
[OpenBSD]<-------ipsec------>[VPC]


I added these relevant lines to pf.conf

Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.  Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.

J

Reply | Threaded
Open this post in threaded view
|

Re: NATing out enc0 traffic

Justin Mayes
I have this working. After learning more about route vs policy ipsec tunnels I added a policy for 'any' to 10.x and return traffic from the net is now passed back. I will go back to my cave now....


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
Sent: Friday, May 29, 2015 11:10 AM
To: [hidden email]
Subject: Re: NATing out enc0 traffic

I think I am understanding this better after some more reading. My ipsec tunnel just connects the two subnets and when my nat traffic returns from the internet it does not match the policy for the tunnel because the source address is not 192.x. What I need is some tunneling protocol that I can route like pptp or l2tp which is what npppd is for. I do not have access to configure the amazon side of the vpn for pptp or l2tp so I do not think this is not going to be possible. That seems odd. I assumed this would be a common setup

-----Original Message-----
From: Justin Mayes
Sent: Thursday, May 28, 2015 1:52 PM
To: [hidden email]
Subject: RE: NATing out enc0 traffic

I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0.

J

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
Sent: Wednesday, May 27, 2015 2:47 PM
To: [hidden email]
Subject: NATing out enc0 traffic

Greetings everyone

I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.


[OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet


Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.

[Internet]
^
|
|
|
[OpenBSD]<-------ipsec------>[VPC]


I added these relevant lines to pf.conf

Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.  Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.

J

Reply | Threaded
Open this post in threaded view
|

Re: NATing out enc0 traffic

Adam Van Ymeren
Thanks for posting your adventure.  I didn't have enough PF knowledge
to help debug, but it was an interesting read.

On Mon, Jun 1, 2015 at 3:11 PM, Justin Mayes <[hidden email]> wrote:

> I have this working. After learning more about route vs policy ipsec tunnels I added a policy for 'any' to 10.x and return traffic from the net is now passed back. I will go back to my cave now....
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
> Sent: Friday, May 29, 2015 11:10 AM
> To: [hidden email]
> Subject: Re: NATing out enc0 traffic
>
> I think I am understanding this better after some more reading. My ipsec tunnel just connects the two subnets and when my nat traffic returns from the internet it does not match the policy for the tunnel because the source address is not 192.x. What I need is some tunneling protocol that I can route like pptp or l2tp which is what npppd is for. I do not have access to configure the amazon side of the vpn for pptp or l2tp so I do not think this is not going to be possible. That seems odd. I assumed this would be a common setup
>
> -----Original Message-----
> From: Justin Mayes
> Sent: Thursday, May 28, 2015 1:52 PM
> To: [hidden email]
> Subject: RE: NATing out enc0 traffic
>
> I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0.
>
> J
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Justin Mayes
> Sent: Wednesday, May 27, 2015 2:47 PM
> To: [hidden email]
> Subject: NATing out enc0 traffic
>
> Greetings everyone
>
> I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.
>
>
> [OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet
>
>
> Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.
>
> [Internet]
> ^
> |
> |
> |
> [OpenBSD]<-------ipsec------>[VPC]
>
>
> I added these relevant lines to pf.conf
>
> Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass quick on enc0 keep state (if-bound)
>
> With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.  Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.
>
> J

Reply | Threaded
Open this post in threaded view
|

Re: NATing out enc0 traffic

Justin Mayes
No problem. I guess I should add that I'm not NATing enc0 as my subject suggests. I just have the usual 'match out on $ext_if...' nat rule in pf.conf and a 'set skip on enc0'. The real solution was understanding that ipsec tunnel in openbsd doesn’t use the route table so looking for a way to 'static route' ipsec /enc0 is nonsensical. This lack of automatic routable ipsec interface is probably not a big deal to the community because you can just make your own tunnel to get a routable interface assuming you can config both sides. It's only a problem in cases like mine where the other end of the vpn gives you a take it leave it config.

-----Original Message-----
From: Adam Van Ymeren [mailto:[hidden email]]
Sent: Monday, June 1, 2015 2:16 PM
To: Justin Mayes
Cc: [hidden email]
Subject: Re: NATing out enc0 traffic

Thanks for posting your adventure.  I didn't have enough PF knowledge to help debug, but it was an interesting read.

On Mon, Jun 1, 2015 at 3:11 PM, Justin Mayes <[hidden email]> wrote:

> I have this working. After learning more about route vs policy ipsec tunnels I added a policy for 'any' to 10.x and return traffic from the net is now passed back. I will go back to my cave now....
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf
> Of Justin Mayes
> Sent: Friday, May 29, 2015 11:10 AM
> To: [hidden email]
> Subject: Re: NATing out enc0 traffic
>
> I think I am understanding this better after some more reading. My
> ipsec tunnel just connects the two subnets and when my nat traffic
> returns from the internet it does not match the policy for the tunnel
> because the source address is not 192.x. What I need is some tunneling
> protocol that I can route like pptp or l2tp which is what npppd is
> for. I do not have access to configure the amazon side of the vpn for
> pptp or l2tp so I do not think this is not going to be possible. That
> seems odd. I assumed this would be a common setup
>
> -----Original Message-----
> From: Justin Mayes
> Sent: Thursday, May 28, 2015 1:52 PM
> To: [hidden email]
> Subject: RE: NATing out enc0 traffic
>
> I just wanted to send an update based on some feedback. My subject is misleading so let me clarify. I'm not attempting to nat between the networks on either side of the vpn. For examples sake assume 192.168.0.0/24 on one side of tunnel and 10.10.10.0/24 on the other.  I'm trying to allow servers on one side 10.x of the tunnel to access the internet via the other side of the tunnel 192.168.0.1. Egress works, 10.x client gets to the internet and replies come back. The return traffic comes back and the gateway drops it. I assume that pf translates it back to the 10.x address and has no route for that. I need it to go back through enc0.
>
> J
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf
> Of Justin Mayes
> Sent: Wednesday, May 27, 2015 2:47 PM
> To: [hidden email]
> Subject: NATing out enc0 traffic
>
> Greetings everyone
>
> I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd  <-> amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.
>
>
> [OpenBSD]<--------ipsec--------->[VPC]<----------------->Internet
>
>
> Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.
>
> [Internet]
> ^
> |
> |
> |
> [OpenBSD]<-------ipsec------>[VPC]
>
>
> I added these relevant lines to pf.conf
>
> Match out on $ext_if from !($ext_if:network) nat-to ($ext_if) pass
> quick on enc0 keep state (if-bound)
>
> With tcpdump and pfctl  I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.  Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.
>
> J