Thread: Route to enc0
Old 30th May 2015
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
There's a bit of an issue with utilizing the 169.254 tunnels.

Since OpenBSD is policy-based, you'll get a tunnel to the other 169.254 endpoints at AWS. That's it. You can't route traffic through the enc0 interface...so via the first two tunnels you can reach the other BGP endpoints and nothing more.

You *could* layer another tunnel on top (basically, use the same psk and public IPs, but give it the local LAN and remote LAN CIDRs instead of the 169.254 addresses). OpenBGPD can run on the 169.254 addrs, but you won't be able to actually *route* anything, and if your S2S tunnel dies, you have to move it manually, which defeats the purpose of BGP dynamic routing.

See more here:

http://www.linuxquestions.org/questi...bgp-vpn-36539/

Edit - also, if you are going to use gif interfaces for 169.254 addrs, you need to put them in a /30 per the config (255.255.255.252 or 0xfffffffc).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 30th May 2015 at 03:20 AM.
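Added example (not from the post above, and not AWS or OpenBSD project configuration): what the "layered" setup looks like in OpenBSD's ipsec.conf and a hostname.gif0, so it is clear why the 169.254 flows alone only reach the BGP peer. Every address, PSK and interface name here is a constructed placeholder (203.0.113.0/24 is documentation space; 169.254.10.0/30 and 169.254.10.4/30 stand in for the inside /30s AWS assigns; 10.0.0.0/24 and 172.16.0.0/16 stand in for the local and remote LANs).

```conf
# /etc/ipsec.conf (added example; all values are placeholders)
#
# Tunnel 1: the policy (flow) that carries only the 169.254 /30 used for
# the BGP session. With policy-based IPsec, a packet is only sent through
# enc0 if its src/dst matches a flow, so this flow by itself lets bgpd talk
# to 169.254.10.1 and nothing else.
ike esp from 169.254.10.2 to 169.254.10.1 \
    local 203.0.113.10 peer 203.0.113.1 \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "PLACEHOLDER-PSK-TUNNEL-1"

# Tunnel 1, second layer: same peer and same PSK, but the flow selectors are
# the LAN CIDRs. Without this, LAN traffic never matches a flow and is not
# encapsulated at all, even though bgpd may have learned 172.16.0.0/16.
ike esp from 10.0.0.0/24 to 172.16.0.0/16 \
    local 203.0.113.10 peer 203.0.113.1 \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "PLACEHOLDER-PSK-TUNNEL-1"

# Tunnel 2 (AWS always provides two): same shape, its own /30 and PSK.
ike esp from 169.254.10.6 to 169.254.10.5 \
    local 203.0.113.10 peer 203.0.113.2 \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "PLACEHOLDER-PSK-TUNNEL-2"

ike esp from 10.0.0.0/24 to 172.16.0.0/16 \
    local 203.0.113.10 peer 203.0.113.2 \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "PLACEHOLDER-PSK-TUNNEL-2"

# /etc/hostname.gif0 (added example): if the 169.254 side is put on a gif
# interface instead, it must be a /30 (netmask 255.255.255.252) to match
# the inside-CIDR the remote side expects.
# tunnel 203.0.113.10 203.0.113.1
# inet 169.254.10.2 255.255.255.252 169.254.10.1
```

The point the post makes shows up in the second flow of each tunnel: the BGP peering on 169.254 and the LAN-to-LAN traffic are separate policies, and when one tunnel fails the LAN flow still points at the dead peer until it is edited by hand, which is why BGP cannot move the traffic for you. Check the installed policies with `ipsecctl -sa` and confirm LAN packets are actually matching a flow before blaming routing.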