Netgate Discussion Forum
    Amazon AWS VPN to gateway for VPC

    6 Posts 4 Posters 9.1k Views
    TimmZahn

      After performing a search, I found a couple of old topics around AWS and their VPN settings. None of them had a conclusion in the posts. So I am posting to see if anyone has successfully connected pfSense to the Amazon AWS VPC cloud.

      So… has anyone been able to get connected to AWS? If so, maybe you can help.

      The IPSec VPN tunnels appear to be connected properly. I show the tunnels up on my side, and AWS shows the gateway as "attached". However, I cannot connect to any device on the other end of the VPN gateway across the VPN. This is leading me to believe that I have an issue with the BGP of the tunnels, and most likely errors in the OpenBGPD config. I was changing the settings in the tabs within the OpenBGPD package, and the information that I believed should be in the config was not showing up, so I manually changed the config. After playing around I was never able to get information to pass across the VPN - that's when I started trying things and now the service won't start. Removing and re-installing the package has no effect, as it's not deleting the config and supporting files.

      Here is what my current bgpd.conf looks like:

      =================================
      AS 65000
      fib-update yes
      holdtime 30
      listen on 10.0.14.2
      router-id 97.65.19X.XX
      announce default-route
      network 0.0.0.0/0
      group "AmazonVPC" {
              remote-as XXXX
              neighbor 169.254.25X.X {
                      descr "AWS Neighbor 1"
              }
              neighbor 169.254.25X.X {
                      descr "AWS Neighbor 2"
              }
      }
      allow from any
      allow to any

      10.0.14.2 is the internal IP of the router
      97.65.19X.XX is the external IP of the router

      Any clue as to where to look without simply removing each line and continuing to experiment? Does someone have a good BGP config that they can pass along?

      Thanks to anyone that can help.

      In case it matters for this issue:
      pfSense 2-RC1 - Feb 28
      i386

      TimmZahn

        Another piece of info… It may be the VPN after all.

        Can someone look at the errors in the IPSec logs and tell me what they mean?

        ================================

        [Amazon AWS VPC Tunnel 1]: INFO: ISAKMP-SA deleted 97.65.19X.XX[500]-72.21.209.XXX[500] spi:6743c2c6307db685:a7523d4fbd9ebbf4
        [Amazon AWS VPC Tunnel 1]: INFO: initiate new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        [Amazon AWS VPC Tunnel 1]: INFO: IPsec-SA established: ESP 97.65.19X.XX[500]->72.21.209.XXX[500] spi=3087783866(0xb80bd7ba)
        [Amazon AWS VPC Tunnel 1]: INFO: respond new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        ERROR: failed to get sainfo.
        ERROR: failed to get sainfo.
        ERROR: failed to pre-process packet.
        [Amazon AWS VPC Tunnel 2]: INFO: IPsec-SA established: ESP 72.21.209.XXX[0]->97.65.19X.XX[0] spi=192685429(0xb7c2575)
        [Amazon AWS VPC Tunnel 2]: INFO: initiate new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        [Amazon AWS VPC Tunnel 2]: INFO: IPsec-SA established: ESP 97.65.19X.XX[500]->72.21.209.XXX[500] spi=2300373793(0x891ceb21)
        [Amazon AWS VPC Tunnel 2]: INFO: respond new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        ERROR: failed to get sainfo.
        ERROR: failed to get sainfo.
        ERROR: failed to pre-process packet.
        [Amazon AWS VPC Tunnel 1]: INFO: respond new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        ERROR: failed to get sainfo.
        ERROR: failed to get sainfo.
        ERROR: failed to pre-process packet.
        [Amazon AWS VPC Tunnel 2]: INFO: respond new phase 2 negotiation: 97.65.19X.XX[500]<=>72.21.209.XXX[500]
        ERROR: failed to get sainfo.
        ERROR: failed to get sainfo.
        ERROR: failed to pre-process packet.

        ================================

        Thanks boys and girls…

        TimmZahn
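        In racoon, "failed to get sainfo" is logged when racoon, acting as the responder, finds no phase 2 (sainfo) entry whose selectors match the identities the peer proposed in quick mode; it is a phase 2 mismatch, not a phase 1 or pre-shared-key problem. The script below is an added example, not code from this thread or from pfSense. It parses log lines of the shape shown above, counts per tunnel the phase 2 negotiations we initiated, the ones the peer initiated, the ESP SAs that came up, and the sainfo failures, and turns the counters into a verdict. It assumes that an untagged ERROR line belongs to the tunnel named on the preceding tagged line (racoon prints the sainfo error without the pfSense tunnel tag); the sample log lines are constructed with documentation addresses and arbitrary SPIs.

```python
import re
from collections import defaultdict

_TAGGED = re.compile(r'^\[(?P<tunnel>[^\]]+)\]:\s*(?P<level>\w+):\s*(?P<msg>.*)$')
_UNTAGGED = re.compile(r'^(?P<level>INFO|ERROR|WARNING|NOTIFY):\s*(?P<msg>.*)$')
_SA_UP = re.compile(r'IPsec-SA established: ESP (?P<src>[\d.]+)\[\d+\]->'
                    r'(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)')


def _new_stats():
    return {"initiated_p2": 0, "responded_p2": 0, "sa_established": 0,
            "sainfo_failures": 0, "preprocess_failures": 0, "spis": []}


def analyze_racoon_log(lines):
    """Group racoon phase 2 events per pfSense tunnel tag.

    Untagged ERROR lines are attributed to the tunnel of the preceding tagged
    line; that is a heuristic of this example, not something racoon guarantees."""
    stats = defaultdict(_new_stats)
    current = None
    for line in lines:
        line = line.strip()
        m = _TAGGED.match(line)
        if m:
            current = m.group("tunnel")
        else:
            m = _UNTAGGED.match(line)
            if m is None or current is None:
                continue        # blank, unrecognised, or no tunnel context yet
        msg = m.group("msg")
        s = stats[current]
        if msg.startswith("initiate new phase 2"):
            s["initiated_p2"] += 1
        elif msg.startswith("respond new phase 2"):
            s["responded_p2"] += 1
        elif "failed to get sainfo" in msg:
            s["sainfo_failures"] += 1
        elif "failed to pre-process packet" in msg:
            s["preprocess_failures"] += 1
        else:
            sa = _SA_UP.search(msg)
            if sa:
                s["sa_established"] += 1
                s["spis"].append(int(sa.group("spi")))
    return dict(stats)


def diagnose(stats):
    """One verdict per tunnel derived from the counters above."""
    verdicts = {}
    for tunnel, s in stats.items():
        if s["responded_p2"] and s["sainfo_failures"]:
            note = ("phase 2 selector mismatch: the peer's quick mode proposal "
                    "matched no local sainfo entry")
            if s["sa_established"]:
                note += ("; our own proposal was accepted, so the two sides' "
                         "phase 2 networks differ")
            verdicts[tunnel] = note
        elif s["sa_established"]:
            verdicts[tunnel] = "ok"
        else:
            verdicts[tunnel] = "no IPsec SA established"
    return verdicts


# Constructed log lines in the shape of the racoon output in the thread
# (documentation addresses; SPIs are arbitrary).
SAMPLE_LOG = """\
[Amazon AWS VPC Tunnel 1]: INFO: ISAKMP-SA deleted 203.0.113.10[500]-198.51.100.20[500] spi:6743c2c6307db685:a7523d4fbd9ebbf4
[Amazon AWS VPC Tunnel 1]: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
[Amazon AWS VPC Tunnel 1]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=3087783866(0xb80bd7ba)
[Amazon AWS VPC Tunnel 1]: INFO: respond new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
ERROR: failed to get sainfo.
ERROR: failed to get sainfo.
ERROR: failed to pre-process packet.
[Amazon AWS VPC Tunnel 2]: INFO: IPsec-SA established: ESP 198.51.100.20[0]->203.0.113.10[0] spi=192685429(0xb7c2575)
[Amazon AWS VPC Tunnel 2]: INFO: respond new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
ERROR: failed to get sainfo.
ERROR: failed to get sainfo.
ERROR: failed to pre-process packet.
"""

if __name__ == "__main__":
    for tunnel, verdict in diagnose(analyze_racoon_log(SAMPLE_LOG.splitlines())).items():
        print(f"{tunnel}: {verdict}")
```

The pattern that matters is the asymmetry: SAs established from our side mean AWS accepted the selectors we propose, while the sainfo failures on every peer-initiated negotiation mean the selectors AWS proposes do not match our phase 2 entry, so the phase 2 local/remote network definitions are the place to look.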

          After a boat-load of testing (and failing) I have figured out a config that doesn't blow up the OpenBGPD service:

          ===============================

          AS 65000
          router-id 10.0.XX.X
          listen on 10.0.XX.X
          listen on 169.254.255.2
          listen on 169.254.255.6
          neighbor 169.254.25X.X {
                  remote-as 7224
                  local-address 169.254.255.2
                  holdtime 30
                  holdtime min 30
                  announce default-route
                  announce IPv6 none
                  announce IPv4 unicast
          }
          neighbor 169.254.255.5 {
                  remote-as 7224
                  local-address 169.254.255.6
                  holdtime 30
                  holdtime min 30
                  announce default-route
                  announce IPv6 none
                  announce IPv4 unicast
          }

          ===============================

          For some reason I cannot get the "group" command to work at all… so I opted for two "neighbor" commands.

          Anywho... does anyone have any ideas on the IPSec errors on the 2nd post?

          seattle-it
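          As an added example, not code from this thread or from the OpenBGPD package, the script below parses the two bgpd.conf shapes posted above (a `group` with nested neighbors, and plain top-level `neighbor` blocks) and checks each resulting neighbor against what the working config shows: the virtual private gateway peers from ASN 7224, each neighbor has a `local-address` in the same 169.254.x.x/30 as its peer, that address also appears in a `listen on` statement, and the holdtime is 30 seconds. Those expected values are assumptions of the example taken from the working config and AWS's customer gateway settings. The two embedded configs are constructed stand-ins with documentation addresses in place of the masked ones; the group form deliberately has no `local-address`, which is what the checker flags.

```python
import ipaddress
import re
# Expected values from the working config and AWS's customer gateway settings (assumptions).
AWS_VGW_ASN = 7224
AWS_HOLDTIME = 30
_BLOCK_RE = re.compile(r'^(group|neighbor)\s+"?([^"\s{]+)"?\s*\{$')

def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None            # masked (XX) or missing address

def _store(settings, line):
    """Record one statement into a settings dict; 'listen on' may repeat."""
    words = line.split()
    key, vals = words[0], words[1:]
    if key == "holdtime" and vals[:1] == ["min"]:     # 'holdtime min 30'
        key, vals = "holdtime min", vals[1:]
    value = int(vals[0]) if len(vals) == 1 and vals[0].isdigit() else " ".join(vals)
    if key == "listen":
        settings.setdefault("listen", []).append(vals[-1])
    else:
        settings[key] = value

def parse_bgpd_conf(text):
    """Return (globals, neighbors); a neighbor inherits its group's earlier statements."""
    globals_, neighbors, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _BLOCK_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2), {}))
        elif line == "}":
            kind, name, settings = stack.pop()       # IndexError on a stray '}'
            if kind == "neighbor":
                merged = {"address": name}
                for _, _, parent in stack:
                    merged.update(parent)
                merged.update(settings)
                neighbors.append(merged)
        else:
            _store(stack[-1][2] if stack else globals_, line)
    return globals_, neighbors

def check_aws_neighbors(globals_, neighbors):
    """Return a list of findings; an empty list means every neighbor passed."""
    findings, listen = [], globals_.get("listen", [])
    for n in neighbors:
        addr, peer = n["address"], _ip(n["address"])
        if n.get("remote-as") != AWS_VGW_ASN:
            findings.append(f"{addr}: remote-as {n.get('remote-as')}, expected {AWS_VGW_ASN}")
        local = _ip(n.get("local-address", ""))
        if local is None:
            findings.append(f"{addr}: no local-address, session is not sourced from the inside-tunnel address")
        else:
            if peer is None or ipaddress.ip_network(f"{local}/30", strict=False) != ipaddress.ip_network(f"{peer}/30", strict=False):
                findings.append(f"{addr}: local-address {local} is not in the peer's /30")
            if str(local) not in listen:
                findings.append(f"{addr}: no 'listen on {local}' for the local-address")
        if n.get("holdtime", globals_.get("holdtime")) != AWS_HOLDTIME:
            findings.append(f"{addr}: holdtime is not {AWS_HOLDTIME}")
    return findings

# Constructed stand-ins for the two configs in the thread (documentation addresses).
GROUP_FORM = """\
AS 65000
holdtime 30
listen on 10.0.14.2
group "AmazonVPC" {
    remote-as 7224
    neighbor 169.254.255.1 {
    }
    neighbor 169.254.255.5 {
    }
}
"""

NEIGHBOR_FORM = """\
AS 65000
listen on 169.254.255.2
listen on 169.254.255.6
neighbor 169.254.255.1 {
    remote-as 7224
    local-address 169.254.255.2
    holdtime 30
    holdtime min 30
}
neighbor 169.254.255.5 {
    remote-as 7224
    local-address 169.254.255.6
    holdtime 30
}
"""

if __name__ == "__main__":
    for label, text in (("group form", GROUP_FORM), ("neighbor form", NEIGHBOR_FORM)):
        print(label, check_aws_neighbors(*parse_bgpd_conf(text)) or ["ok"])
```

Running it on a real bgpd.conf is a quicker first pass than removing lines one at a time: a neighbor that lacks a `local-address` on the inside-tunnel /30, or whose local address has no matching `listen on`, will never bring up a session with the gateway even if the IPsec tunnels are up.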

            I was finally able to get this going. Check the blog post I wrote up about it here:

            http://seattleit.net/blog/pfSense-IPSec-VPN-Gateway-with-Amazon-Virtual-Private-Cloud-BGP-Routing

            Leave a reply if you need help.

            My tech blog - seattleit.net/blog

            gilry

              I followed the blog by seattle-it but I can't get my IPsec tunnels to establish. http://forum.pfsense.org/index.php/topic,38709.0.html

              tomkerswill

                The guide you mentioned was really excellent, but I wasn't able to get BGP to connect.

                In the IPsec phase 2 settings, the Local Network and Remote Network are specified like this:

                169.254.255.2/30
                169.254.255.1/30

                I tried specifying these to be individual IPs instead.

                The other thing was that I don't understand why you specify a static route for 169.254.255.2 to go out of the WAN interface. Surely this traffic (for BGP) needs to go out of the IPsec interface? So I deleted the static route that was described in phase 2. I'm really not sure that route is needed. I deleted it, and then BGP seemed to connect…

                After all this, the AWS control panel still shows the connection as in state DOWN, but pfSense shows things are connected - so I feel like I've made progress!

                Has anybody else got experience of making this all work?

                Tom

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.