Netgate Discussion Forum

    Using pfSense as AWS VPC Gateway over VPN - RESOLVED

    Category: IPsec
    3 Posts 1 Posters 1.1k Views
      mikepb

      Hi,

      I am sure I am missing something simple, but I just cannot see it.

      We have set up a VPC in AWS and an AWS VPN connection to a pfSense server. That's working great; we can ping and connect both sides of the VPN.

      The final part is to make the pfSense server the gateway for the VPC. When we do that, we can see in the state filter of the firewall what appears to be the traffic coming in over IPsec, getting NATted and then sent out over the WAN (see attached screenshot).

      However, in the case of that attachment, which is a ping, the replies never seem to arrive back at the machine in the VPC, e.g. it just times out, or web pages don't load.

      Although, if we are reading that right, the packet stats in the state filter show the replies coming back as well (e.g. 2/2).

      Network details:
      VPC: 10.0.0.0/24
      pfSense WAN: x.x.x.x (public IP), LAN: 192.168.1.0/24

      Firewall is allowing all traffic on the IPsec interface.

      Machines in the VPC and LAN on the pfSense side can ping and connect, and LAN traffic can go out via pfSense correctly. It's just the VPC traffic that fails somewhere.

      Any advice appreciated.

      Thanks

      state_filter.png

        mikepb

        If it helps, here is a packet capture on the WAN interface for a ping from the VPC…

        19:36:50.672594 IP 104.156.225.1xx > 8.8.8.8: ICMP echo request, id 15828, seq 425, length 40
        19:36:50.674389 IP 8.8.8.8 > 104.156.225.1xx: ICMP echo reply, id 15828, seq 425, length 40
        19:36:50.674426 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 425, length 40
        19:36:55.644569 IP 104.156.225.1xx > 8.8.8.8: ICMP echo request, id 15828, seq 426, length 40
        19:36:55.646511 IP 8.8.8.8 > 104.156.225.1xx: ICMP echo reply, id 15828, seq 426, length 40
        19:36:55.646545 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 426, length 40

        From that it seems to be showing the traffic getting sent back to the VPC, but if I capture packets on the IPsec interface:

        19:39:46.771367 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 429, length 40
        19:39:51.643803 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 430, length 40

        They never show as coming back in?

          mikepb

          Found it!

          You need to set the local network in the phase 2 to be 0.0.0.0/0 not the LAN network or interface.

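The captures above and the fix in the last post line up with how the IPsec outbound policy lookup works: after pfSense un-NATs the reply, it has to decide whether 8.8.8.8 -> 10.0.0.4 belongs in the tunnel, and only a phase 2 entry whose local network contains 8.8.8.8 says yes. The following is an added illustration, not code from the thread or from pfSense/strongSwan; it models a phase 2 traffic selector as a (local, remote) prefix pair and traces both legs of the ping through the lookup. The selector name "vpc", the WAN address 203.0.113.10 and the two selector sets are constructed for the example.

```python
"""Model of the IPsec outbound policy lookup that decides whether a packet is
encapsulated into a tunnel or handed to ordinary routing (constructed example)."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2Selector:
    """One phase 2 entry: traffic from `local` towards `remote` goes into the tunnel."""
    name: str
    local: Net
    remote: Net

    def covers(self, src: str, dst: str) -> bool:
        return IPv4(src) in self.local and IPv4(dst) in self.remote


def outbound_path(selectors, src: str, dst: str) -> str:
    """Return 'ipsec:<name>' for the first selector matching (src, dst);
    otherwise 'wan', i.e. the packet follows the default route unencrypted."""
    for sel in selectors:
        if sel.covers(src, dst):
            return f"ipsec:{sel.name}"
    return "wan"


def trace_ping(selectors, vpc_host="10.0.0.4", target="8.8.8.8", wan_ip="203.0.113.10"):
    """Follow the request and the un-NATted reply through the outbound lookup.

    Leg 1: the VPC host's request is decapsulated and NATted to the WAN address,
    so the lookup sees wan_ip -> target and should pick the WAN.
    Leg 2: the reply target -> wan_ip is un-NATted by the state table back to
    target -> vpc_host and looked up again. Only a selector whose local side
    contains `target` sends it into the tunnel; otherwise it is routed out the
    WAN with a private destination, which is what a WAN capture then shows.
    """
    return {
        "request": outbound_path(selectors, wan_ip, target),
        "reply": outbound_path(selectors, target, vpc_host),
    }


# Constructed selector sets for the two phase 2 configurations the thread contrasts.
LAN_ONLY = [Phase2Selector("vpc", Net("192.168.1.0/24"), Net("10.0.0.0/24"))]
ANY_LOCAL = [Phase2Selector("vpc", Net("0.0.0.0/0"), Net("10.0.0.0/24"))]

if __name__ == "__main__":
    for label, sels in (("local=192.168.1.0/24", LAN_ONLY), ("local=0.0.0.0/0", ANY_LOCAL)):
        print(label, trace_ping(sels))
```

Note that the remote side of the selector stays 10.0.0.0/24, so 0.0.0.0/0 on the local side only widens which sources may be tunnelled towards the VPC; it does not pull other pfSense traffic into the tunnel. It does mean the "allow all on the IPsec interface" rule from the first post now admits internet-bound traffic from every VPC host, so that rule is worth tightening once the gateway works.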
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.