Tags

yet another bugfix

3:24pm on Apr 10, 2014

Another bugfix for s3cmd.

bugfixin

10:37am on Mar 25, 2014

Bugfix for s3cmd - some issues with command-line arguments not working when I needed them to.

OpenBSD VPN to Linux in an Amazon VPC

4:31pm on Jan 07, 2014

This article is a great start on how to connect two VPCs using Linux and OpenSWAN. I followed it, but then I also needed to connect my OpenBSD office router. Set up the VPC side the same way (except for the changes below).

Addresses

  • Office router external address: 1.2.3.4
  • Office internal subnet: 192.168.1.0/24
  • VPC gateway instance address: 5.6.7.8
  • AWS VPC subnet: 10.1.0.0/24

OpenBSD /etc/ipsec.conf:

# Tunnel between the VPC subnet and the office LAN, endpoints 1.2.3.4 (office)
# and 5.6.7.8 (VPC gateway); phase 1 and phase 2 both AES/SHA1 with DH group
# modp1024, authenticated with a pre-shared key.
ike esp from 10.1.0.0/24 to 192.168.1.0/24 \
    local 1.2.3.4 peer 5.6.7.8 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk "monkeys" \
    tag amazon-vpc

OpenBSD /etc/pf.conf:

TcpState="flags S/SA modulate state"
UdpState="keep state"

table <amazon_vpn> const { 5.6.7.8 }
table <our_vpns> const { 10.1.0.0/24 }

# decapsulated tunnel traffic appears on enc0; do not filter it a second time there
set skip on enc0

# office LAN (vr2) traffic headed for the VPC leaves vr1 NATed to our external address
match out on vr1 from any to <our_vpns> received-on vr2 tag EGRESS nat-to (vr1:0)

pass out on vr1 inet proto tcp all $TcpState
pass out on vr1 inet proto udp all $UdpState
# IKE (UDP 500, NAT-T on 4500) and ESP only towards the VPC gateway
pass out on vr1 inet proto esp from any to <amazon_vpn>
pass out on vr1 inet proto udp from any to <amazon_vpn> port { 500 4500 } $UdpState

# accept IKE and ESP only from the VPC gateway; anything else inbound on vr1 is logged and dropped
pass in quick on vr1 inet proto esp from <amazon_vpn> to (vr1:0)
pass in quick on vr1 inet proto udp from <amazon_vpn> to (vr1:0) port { 500 4500 } $UdpState
block in log on vr1

Add to OpenBSD /etc/sysctl.conf:

# forward packets between the office LAN and the tunnel
net.inet.ip.forwarding=1

Add to OpenBSD /etc/rc.conf.local:

ipsec=YES
# -4: IPv4 only, -K: do not load keynote policy files
isakmpd_flags="-4 -K"

Linux /etc/ipsec.conf:

conn Office
    type=tunnel
    # left = this VPC gateway instance, right = the OpenBSD office router
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftnexthop=%defaultroute
    leftid=5.6.7.8
    right=1.2.3.4
    # office LAN, matching the OpenBSD side (192.168.1.0/24)
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    # must match the OpenBSD quick (phase 2) and main (phase 1) proposals
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    auto=start
    auth=esp
    authby=secret
    pfs=yes
    keyingtries=%forever
    rekeymargin=4m
    rekey=yes
    disablearrivalcheck=no
    aggrmode=no

Linux /etc/ipsec.secrets:

5.6.7.8 1.2.3.4: PSK "monkeys"
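The two sides above are written in different dialects, so subnets, endpoints, proposals and the PSK have to be kept in agreement by hand. As an added check (my own script, not part of the original post or of either project), the code below parses an OpenBSD ike rule and an openswan conn plus its ipsec.secrets line and reports any disagreement. The embedded configs are constructed copies of the ones above, with rightsubnet deliberately typed as /23 so a mismatch report is visible, and the ALG table is an assumed name mapping that covers only the algorithms used here.

```python
import re
import shlex
# Constructed copies of the post's configs; rightsubnet keeps a /23 typo on purpose.
OPENBSD_RULE = r"""ike esp from 10.1.0.0/24 to 192.168.1.0/24 \
    local 1.2.3.4 peer 5.6.7.8 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 psk "monkeys" tag amazon-vpc
"""
OPENSWAN_CONN = """
    leftsubnet=10.1.0.0/24
    leftid=5.6.7.8
    right=1.2.3.4
    rightsubnet=192.168.1.0/23
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
"""
OPENSWAN_SECRET = '5.6.7.8 1.2.3.4: PSK "monkeys"'
ALG = {"aes": "aes128", "hmac-sha1": "sha1"}  # assumed ipsec.conf(5) -> openswan names
def parse_openbsd_rule(text):
    """Tokenise one 'ike esp ...' rule (joining \\-continued lines) into a dict."""
    toks, rule, section, i = shlex.split(text.replace("\\\n", " ")), {}, "", 0
    while i < len(toks):
        t = toks[i]
        if t in ("main", "quick"):            # a phase 1 / phase 2 proposal follows
            section, i = t, i + 1
        elif t in ("auth", "enc", "group"):
            rule[section + "_" + t], i = toks[i + 1], i + 2
        elif t in ("from", "to", "local", "peer", "srcid", "psk", "tag"):
            rule[t], i = toks[i + 1], i + 2
        else:                                 # bare keywords such as 'ike', 'esp'
            i += 1
    return rule

def check(obsd_text, conn_text, secret_line):
    """Return human-readable mismatches between the two sides (empty = consistent)."""
    o, bad = parse_openbsd_rule(obsd_text), []
    c = dict(re.findall(r"^\s*(\w+)=(\S+)", conn_text, re.M))   # openswan key=value
    if {o["from"], o["to"]} != {c["leftsubnet"], c["rightsubnet"]}:
        bad.append(f"subnets: OpenBSD {o['from']} {o['to']} vs openswan {c['leftsubnet']} {c['rightsubnet']}")
    if {o["local"], o["peer"]} != {c["leftid"], c["right"]}:
        bad.append("tunnel endpoints differ")
    ike = f"{ALG[o['main_enc']]}-{ALG[o['main_auth']]}-{o['main_group']}"
    esp = f"{ALG[o['quick_enc']]}-{ALG[o['quick_auth']]}"   # pfs=yes reuses the IKE group
    if ike != c["ike"] or esp != c["esp"]:
        bad.append(f"proposals: OpenBSD {ike} / {esp} vs openswan {c['ike']} / {c['esp']}")
    m = re.match(r'\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secret_line)
    if not m or {m[1], m[2]} != {o["local"], o["peer"]} or m[3] != o["psk"]:
        bad.append("PSK or its peer IDs differ between ipsec.conf and ipsec.secrets")
    return bad
```

Run `check(OPENBSD_RULE, OPENSWAN_CONN, OPENSWAN_SECRET)` to see the /23 mismatch reported; with rightsubnet corrected to /24 the list comes back empty.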