OpenBSD VPN to Linux in an Amazon VPC

January 7, 2014 @ 16:31

This article is a great start on how to connect two VPCs using Linux and OpenSWAN. I followed it, but then I also needed to connect my OpenBSD office router. Set up the VPC side the same way (except for the changes below).

Addresses

  • Office router external address: 1.2.3.4
  • Office internal subnet: 192.168.1.0/24
  • VPC gateway instance address: 5.6.7.8
  • AWS VPC subnet: 10.1.0.0/24

OpenBSD /etc/ipsec.conf:

ike esp from 10.1.0.0/24 to 192.168.1.0/24 \
    local 1.2.3.4 peer 5.6.7.8 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk "monkeys" \
    tag amazon-vpc

OpenBSD /etc/pf.conf:

TcpState="flags S/SA modulate state"
UdpState="keep state"

table <amazon_vpn> const { 5.6.7.8 }
table <our_vpns> const { 10.1.0.0/24 }

set skip on enc0
match out on vr1 from any to <our_vpns> received-on vr2 tag EGRESS nat-to (vr1:0)

pass out on vr1 inet proto tcp all $TcpState
pass out on vr1 inet proto udp all $UdpState
pass out on vr1 inet proto esp from any to <amazon_vpn>
pass out on vr1 inet proto udp from any to <amazon_vpn> port { 500 4500 } $UdpState

pass in quick on vr1 inet proto esp from <amazon_vpn> to (vr1:0)
pass in quick on vr1 inet proto udp from <amazon_vpn> to (vr1:0) port { 500 4500 } $UdpState
block in log on vr1

Add to OpenBSD /etc/sysctl.conf:

net.inet.ip.forwarding=1

Add to OpenBSD /etc/rc.conf.local:

ipsec=YES
isakmpd_flags="-4 -K"

Linux /etc/ipsec.conf:

conn Office
    type=tunnel
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftnexthop=%defaultroute
    leftid=5.6.7.8
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    auto=start
    auth=esp
    authby=secret
    pfs=yes
    keyingtries=%forever
    rekeymargin=4m
    rekey=yes
    disablearrivalcheck=no
    aggrmode=no

Linux /etc/ipsec.secrets:

5.6.7.8 1.2.3.4: PSK "monkeys"
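Phase 2 only comes up if both peers agree on the peer addresses, the traffic selectors and the IKE/ESP proposals, and a mistyped mask or algorithm name on one side produces an isakmpd or Openswan log line that is hard to read back to the typo. The script below is an added example, not part of this post or of either project: it parses an isakmpd `ike` rule and an Openswan `conn` and lists every disagreement before the tunnel is started. The configs embedded in it are constructed copies of the two sides above plus one deliberately mis-masked variant; the `parse_openbsd_ike`, `parse_openswan_conn` and `check_pair` functions are this example's own, and it assumes that a bare `enc aes` in ipsec.conf(5) negotiates a 128-bit key and that Openswan with `pfs=yes` reuses the IKE group for phase 2 unless `pfsgroup=` is set.

```python
"""Cross-check an OpenBSD isakmpd 'ike' rule against an Openswan 'conn'."""
import ipaddress
import re

# ipsec.conf(5) algorithm names mapped to Openswan's notation.
# Assumption: a bare "aes" in ipsec.conf is treated here as a 128-bit key.
OPENBSD_ENC = {"aes": "aes128", "aes-128": "aes128", "aes-192": "aes192",
               "aes-256": "aes256", "3des": "3des"}
OPENBSD_AUTH = {"hmac-sha1": "sha1", "hmac-md5": "md5", "hmac-sha2-256": "sha2_256"}

# Constructed sample: the OpenBSD side of the tunnel.
OPENBSD_RULE = r"""ike esp from 10.1.0.0/24 to 192.168.1.0/24 \
    local 1.2.3.4 peer 5.6.7.8 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk "monkeys" \
    tag amazon-vpc
"""

# Constructed sample: an Openswan conn that matches the rule above.
OPENSWAN_OK = """conn Office
    type=tunnel
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftid=5.6.7.8
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    authby=secret
    pfs=yes
"""

# Constructed sample: the same conn with the office mask mistyped as /23.
OPENSWAN_BAD_MASK = OPENSWAN_OK.replace("192.168.1.0/24", "192.168.1.0/23")


def parse_openbsd_ike(text):
    """Parse one backslash-continued 'ike esp ...' rule into a dict."""
    tokens = re.sub(r"\\\s*\n\s*", " ", text).split()
    if tokens[:2] != ["ike", "esp"]:
        raise ValueError("expected an 'ike esp' rule")
    rule, phase, i = {}, None, 2
    while i < len(tokens):
        t = tokens[i]
        if t == "from" and tokens[i + 2] == "to":
            rule["from"], rule["to"] = tokens[i + 1], tokens[i + 3]
            i += 4
        elif t in ("local", "peer", "srcid", "tag", "psk"):
            rule[t] = tokens[i + 1].strip('"')
            i += 2
        elif t in ("main", "quick"):          # phase 1 / phase 2 proposal follows
            phase, i = t, i + 1
        elif t in ("auth", "enc", "group") and phase:
            rule[f"{phase}_{t}"] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {t!r}")
    return rule


def parse_openswan_conn(text):
    """Parse 'conn NAME' followed by indented key=value lines into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def check_pair(bsd_text, swan_text):
    """Return a list of mismatches between the two peers; [] means consistent."""
    bsd, swan = parse_openbsd_ike(bsd_text), parse_openswan_conn(swan_text)
    problems = []
    # Peer identities: OpenBSD local/peer must be Openswan right/leftid.
    if bsd["local"] != swan.get("right"):
        problems.append(f"peer address: local {bsd['local']} vs right {swan.get('right')}")
    if bsd["peer"] != swan.get("leftid"):
        problems.append(f"peer address: peer {bsd['peer']} vs leftid {swan.get('leftid')}")
    # Traffic selectors: compared as an unordered pair, since each side names
    # the networks from its own perspective. strict=False keeps a bad mask
    # parseable so it is reported rather than raising.
    net = lambda s: ipaddress.ip_network(s, strict=False)
    if {net(bsd["from"]), net(bsd["to"])} != {net(swan["leftsubnet"]), net(swan["rightsubnet"])}:
        problems.append(f"traffic selectors: OpenBSD {bsd['from']},{bsd['to']} "
                        f"vs Openswan {swan['leftsubnet']},{swan['rightsubnet']}")
    # Phase 1: enc-auth-group must equal Openswan's ike= string.
    bsd_ike = f"{OPENBSD_ENC[bsd['main_enc']]}-{OPENBSD_AUTH[bsd['main_auth']]}-{bsd['main_group']}"
    if bsd_ike != swan.get("ike"):
        problems.append(f"IKE proposal: {bsd_ike} vs ike={swan.get('ike')}")
    # Phase 2: enc-auth must equal esp=; the quick-mode group is the PFS group.
    bsd_esp = f"{OPENBSD_ENC[bsd['quick_enc']]}-{OPENBSD_AUTH[bsd['quick_auth']]}"
    if bsd_esp != swan.get("esp"):
        problems.append(f"ESP proposal: {bsd_esp} vs esp={swan.get('esp')}")
    if swan.get("pfs", "yes") == "yes":
        swan_pfs = swan.get("pfsgroup") or swan.get("ike", "").split("-")[-1]
        if bsd["quick_group"] != swan_pfs:
            problems.append(f"PFS group: {bsd['quick_group']} vs {swan_pfs}")
    return problems


if __name__ == "__main__":
    for label, conn in (("matching conn", OPENSWAN_OK), ("mis-masked conn", OPENSWAN_BAD_MASK)):
        print(label, "->", check_pair(OPENBSD_RULE, conn) or ["consistent"])
```

Run it against the real files before `ipsec start` / `ipsecctl -f`: the mis-masked variant is reported as a traffic-selector mismatch while both proposals pass, which is exactly the case that otherwise surfaces only as a phase 2 "no connection matches" or an SA that never installs.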