|
|||
Route to enc0
So its been 6 years of problem free BSDing but im back.....
I have a remote network (amazon virtual private cloud) attached to my BSD gateway via ipsec in tunnel mode. I can access the internet thru my gateway and I can also access any server in that remote 10.x network from my home 192.x network. My question is how do you route to enc0? I have set the 10.x netowrk at amazon to use the VPN as the default gateway so traffic goes from 10.x server, across vpn to my 192.x bsd gateway. this traffic is then natted out to the internet, hits the remote destination, and the replies come back. Problem is my ipsec tunnel is ike esp from 192.168.0.0/24 to 10.0.1.0/24 so when traffic is de-natted it is $externalIP - > 10.x instead of $internalIP - > 10.x so ipsec policy doesn't match and packet never gets back into enc0 or across the tunnel Seems to me like the solution is to tunnel this traffic (gif0) so i can route it but the problem is i do no have access to the remote vpn server to configure any kind of tunnel interface on the far side. Any suggestions on how one would route return traffic into the ipsec tunnel in this case? |
|
||||
Welcome back!
The enc(4) pseudo driver is for integrating IPSec protected traffic with PF for packet filtering, and for diagnostics with tcpdump(8). It's not a directly usable device for networking, because every packet runs through the pseudo device twice. I've never tried it -- so I cannot give any guidance -- but you might be able to redirect the appropriate enc(4) traffic via PF rules. PF's route-to or reply-to rule options come to mind as possible tools. But be careful. The enc(4) man page states: Quote:
Last edited by jggimi; 30th May 2015 at 01:28 AM. Reason: typo |
|
|||
thanks all for the input. just for an update - it is the tunnel part that i lack. This is how you reference in routing. Most devices such as juniper,cisco,palo alto ect seem to do the tunnel for you automatically like npppd does for openbsd. In my case since i cant config the amazon side i have to figure out what tunnel settings to use. Right now I'm trying with a gif0. Below is from the amazon config doc for my vpn. I had a working ipsec vpn between endpoints without referencing or doing anything with those 169.x tunnel IPs.
Quote:
|
|
|||
this is what i got now for gif0 using real external IPs of course. Then i can add a route for 10.x to the 'next hop' described in the doc 169.254.255.33. Not working but i think im on the right track ...
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet xx.xx.xx.xx -> 72.21.xx.xx inet 169.254.255.34 --> 169.254.255.33 netmask 0xffff0000 |
|
||||
There's a bit of an issue with utilizing the 169.254 tunnels.
Since OpenBSD is policy-based, you'll get a tunnel to the other 169.254 endpoints at AWS. That's it. You can't route traffic through the enc0 interface...so via the first two tunnels you can reach the other BGP endpoints and nothing more. You *could* layer another tunnel on top (basically, use the same psk and public IPs, but give it the local LAN and remote LAN CIDRs instead of the 169.254 addresses. OpenBGPD can run on the 169.254 addrs, but you won't be able to actually *route* anything, and if your S2S tunnel dies, you have to move it manually, which defeats the purpose of BGP dynamic routing. See more here: http://www.linuxquestions.org/questi...bgp-vpn-36539/ Edit - also, if you are going to use gif interfaces for 169.254 addrs, you need to put them in a /30 per the config (255.255.255.252 or 0xfffffffc).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 30th May 2015 at 03:20 AM. |
|
|||
honestly i'm not sure what the 169.x addresses are for. My vpn will work across 1 hop with just this in the ipsec.conf
ike esp from 192.168.99.0/24 to 10.0.1.0/24 \ local 98.xx.xx.xx peer 72.xx.xx.xx \ main auth hmac-sha1 enc aes group modp1024 lifetime 28800 \ quick auth hmac-sha1 enc aes group modp1024 lifetime 3600 \ srcid 98.xx.xx.xx \ psk "***" \ tag amazon-vpc is this right for gif0? using my outside addresses and pointing to those 169 endpoints? gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet 98.xx.xx.xx -> 72.xx.xx.xx inet 169.254.255.34 --> 169.254.255.33 netmask 0xfffffffc i cant ping 169.254.255.33 and the vpn works only for 1 hop regardless of this gif0 interface |
|
||||
The link local (169.254.X.Y) addresses are used (in AWS's config) for BGP. The way we have it setup, a route-based IPSEC engine can do something like this (this would require the gif interfaces):
Code:
ike esp from 169.254.249.62 to 169.254.249.61 \ local 98.xx.xx.xx peer 72.xx.xx.xx \ main auth hmac-sha1 enc aes group modp1024 lifetime 28800 \ quick auth hmac-sha1 enc aes group modp1024 lifetime 3600 \ srcid 98.xx.xx.xx \ psk "***" \ tag amazon-vpc ike esp from 169.254.249.54 to 169.254.249.53 \ local 98.xx.xx.xx peer 72.xx.xx.xx \ main auth hmac-sha1 enc aes group modp1024 lifetime 28800 \ quick auth hmac-sha1 enc aes group modp1024 lifetime 3600 \ srcid 98.xx.xx.xx \ psk "***" \ tag amazon-vpc Unfortunately, OpenBSD doesn't have a route-based IPSEC engine, nor does it have the option for configuring route-based IPSEC, so this doesn't work. A static configuration like you outlined is your best bet (you *could* setup the link-local tunnels, but they wouldn't be very useful since OpenBSD's policy would only route to the other link-local ip of the tunnel and no further, meaning you'd have to have another tunnel in addition to the link-local tunnels and OpenBGPD wouldn't be able to failover to a different tunnel if one went down).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 30th May 2015 at 09:26 PM. |
|
||||
Because SAs and Flows are defined by policy, gif(4), gre(4), and vxlan(4) can be used to provision IPSec solutions. Here is an example I deployed using gif(4). Implementation of VLANs (802.1Q) eliminated the need for this particular solution, so it is no longer provisioned.
|
|
|||
Thanks jggimi - ironically that was one of the best examples i had found already :-). A major hurdle in my case is that i cannot configure details on the amazon side. Their vpn device exports a config with ipsec settings for you to use - part of which i posted earlier. So any solution I come up with has to be configured 100% on my side. I was intrigued by this post
http://undeadly.org/cgi?action=artic...5303&mode=flat specifically one of the comments about it at the bottom... Quote:
Last edited by WeakSauceIII; 31st May 2015 at 04:54 PM. |
|
|||
Just an update for everyone. Amazon doc says they don't support any kind of tunneling. I will continue to research this. For now I have this working by changing my ipsec.conf
from ike esp from 192.168.0/24 to 10.0.1.0/24 to ike esp from any to 10.0.1.0/24 this allows return traffic from external interface get back to 10.x at amazon per policy. thanks to rocket357 for pointing that out. |
|
||||
I just now noticed your posts on misc. Sorry for not speaking up there, been busy with, well, life =)
I've been toying around with the gif + transport idea again, but I've been mostly unsuccessful thus far. Once I get back into the office tomorrow I may check what the AWS back ends are saying about that configuration so I can tweak my home config. I dunno. Not certain it'll be successful...but I'm hopeful heh.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 1st June 2015 at 07:46 PM. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Multi-Path or Route-To? | SlyM | OpenBSD General | 25 | 1st July 2016 04:21 PM |
No Route to Host | rtwingfield | FreeBSD Installation and Upgrading | 9 | 25th May 2015 03:05 AM |
route on openbsd | hpabsdbeginner1 | OpenBSD General | 2 | 15th April 2014 07:17 PM |
Openvpn pf/nat/route-to issue | lasstoff | OpenBSD Security | 3 | 16th January 2012 12:28 PM |
How to add static route using virtual NIC | bsdplus | Solaris | 1 | 22nd August 2010 02:10 AM |