Hi, I'm trying to evaluate using OpenBSD with Amazon's Virtual Private Cloud as a "Customer Gateway" in their EC2-speak. What you need to do is create a tunnel to each of Amazon's two routers, use BGP to exchange routes across the tunnels and protect all the traffic with IPsec.
I've got it mostly working, but I've hit an issue with the IPsec and I'm hoping someone might know what's going on. I've made the various API calls as per the getting started guide [1] and have the configuration in the generic format which you can see an example of in the network admin guide [2]. Assume my uplink address is 1.2.3.4 and I have a BGP ASN of 65023, my network is 192.168.23.0/24 and the remote network where my EC2 instances will appear is 10.0.0.0/24.

Here's what I've done, first create two gif(4) tunnels:

    # ifconfig gif1 create
    # ifconfig gif1 tunnel 1.2.3.4 72.21.209.225
    # ifconfig gif1 169.254.255.2 169.254.255.1 prefixlen 32
    # ifconfig gif2 create
    # ifconfig gif2 tunnel 1.2.3.4 72.21.209.193
    # ifconfig gif2 169.254.255.6 169.254.255.5 prefixlen 32

Add the following to /etc/ipsec.conf:

    ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk XXX

    ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
        local 1.2.3.4 peer 72.21.209.193 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk YYY

Run isakmpd and load those two tunnels:

    # isakmpd -4 -K
    # ipsecctl -f /etc/ipsec.conf

"ipsecctl -s all" confirms those are loaded and I can ping the two tunnel endpoints successfully. I've added pf rules to allow ESP and UDP 500 on the external interface and for now I'm skipping gif1, gif2 and enc0 to hopefully exclude pf as a potential source of any trouble.
Now I've created /etc/bgpd.conf:

    AS 65023
    router-id 1.2.3.4
    listen on 127.0.0.1
    listen on 169.254.255.2
    listen on 169.254.255.6

    group "amazon" {
        remote-as 7224
        holdtime 30
        holdtime min 30
        announce default-route
        announce IPv6 none
        announce IPv4 unicast
        neighbor 169.254.255.1 {
            local-address 169.254.255.2
        }
        neighbor 169.254.255.5 {
            local-address 169.254.255.6
        }
    }

Fire up bgpd and confirm it's working:

    # bgpctl show nexthop
    Nexthop          State
    169.254.255.5    valid     gif2 UP
    169.254.255.1    valid     gif1 UP

    # route -n get 10.0.0.0
       route to: 10.0.0.0
    destination: 10.0.0.0
           mask: 255.255.255.0
        gateway: 169.254.255.6
      interface: gif2
     if address: 169.254.255.6
       priority: 48 (bgp)
          flags: <UP,GATEWAY,DONE>
         use       mtu    expire
          24         0         0

Now here's where I've got stuck. If I try and ping an EC2 instance from my network, I see the plain gif traffic leaving the external interface and it gets dropped by the remote router as it's not protected with IPsec. This makes sense as there's no flow defined that will match that traffic, so I add two further tunnels to /etc/ipsec.conf:

    ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk XXX

    ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.193 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk YYY

Now, only the latter tunnel gets configured. I'm guessing this is because the from+to tuple is identical, so I'm configuring the same tunnel twice just with a different peer and key. As long as the routing decides to use the tunnel that is configured between the second peer, everything works, I can ping and SSH to my EC2 instance, but if it switches to the tunnel configured between the first peer then it breaks. Is it possible to have both configured somehow?
Thanks

Matt

[1] http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
[2] http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
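An added example, not from the original post and not OpenBSD code: a small Python checker that parses an ipsec.conf(5) fragment (backslash continuations and comments included) and flags the situation described above, two ike rules with the same from/to selectors but different peers, so the clash is caught before ipsecctl silently keeps only the later rule. The embedded configuration is constructed from the post's four rules, with placeholder PSKs.

```python
import re
from collections import defaultdict

# Constructed ipsec.conf(5) fragment mirroring the four rules in the post; PSKs are placeholders.
SAMPLE_IPSEC_CONF = """\
# gif1 / gif2 tunnel endpoints, one per Amazon router
ike dynamic esp from 169.254.255.2 to 169.254.255.1 \\
    local 1.2.3.4 peer 72.21.209.225 srcid 1.2.3.4 psk XXX
ike dynamic esp from 169.254.255.6 to 169.254.255.5 \\
    local 1.2.3.4 peer 72.21.209.193 srcid 1.2.3.4 psk YYY
# inner networks: identical selectors, two different peers
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \\
    local 1.2.3.4 peer 72.21.209.225 srcid 1.2.3.4 psk XXX
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \\
    local 1.2.3.4 peer 72.21.209.193 srcid 1.2.3.4 psk YYY
"""

# Matches ike/flow rules; captures the from/to selectors and, when present, the peer.
RULE_RE = re.compile(
    r"^(?:ike|flow)\b.*?\bfrom\s+(\S+)\s+to\s+(\S+)(?:.*?\bpeer\s+(\S+))?"
)

def join_continuations(text):
    """Strip '#' comments and join backslash-continued lines into single logical rules."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            rules.append(" ".join(buf.split()))
        buf = ""
    return rules

def parse_rules(text):
    """Return one dict per ike/flow rule: from/to selectors and peer (None if no peer given)."""
    out = []
    for line in join_continuations(text):
        m = RULE_RE.match(line)
        if m:
            out.append({"from": m.group(1), "to": m.group(2), "peer": m.group(3)})
    return out

def find_overlapping_selectors(rules):
    """Map each (from, to) selector pair that more than one rule uses to its list of peers."""
    by_sel = defaultdict(list)
    for r in rules:
        by_sel[(r["from"], r["to"])].append(r["peer"])
    return {sel: peers for sel, peers in by_sel.items() if len(peers) > 1}

if __name__ == "__main__":
    for (src, dst), peers in find_overlapping_selectors(parse_rules(SAMPLE_IPSEC_CONF)).items():
        print(f"selector {src} -> {dst} appears {len(peers)} times with peers {peers}; later rule wins")
```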