Netgate Discussion Forum
    IPsec return packets from internet not routing back to VPN tunnel

    Category: IPsec
    7 Posts 4 Posters 3.3k Views
    • spetnik

      I have my local pfSense (2.3.1_5) router configured with a working IPsec VPN tunnel to my AWS VPC. Everything works fine for LAN packets between the two networks in both directions. However, when I make connections out to the internet from the AWS VPC, the packets are sent out to the internet and return to the pfSense router, but pfSense does not send them back over the tunnel.

      I have an outbound NAT rule for all protocols on the WAN interface from the VPC subnet to the world. I also have firewall rules (for good measure both on the WAN and IPsec interfaces) allowing traffic in and out between the VPC subnet and the WAN.

      I am really not a networking guy so I'm not sure what other information I should provide. Please let me know and I'll update the question.

      • jimp (Rebel Alliance Developer, Netgate)

        What is it exactly you're trying to do? Route all of your Internet traffic out through AWS?

        Do you have a diagram showing what you're trying to achieve?

        At a glance it doesn't appear as if you're doing something that is possible with IPsec but perhaps I'm not quite understanding what it is you're attempting.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • spetnik

          The opposite: I would like to route the AWS traffic out to the internet through my pfSense. So [AWS VPC] <== IPsec tunnel ==> [pfSense] <=WAN interface=> [Internet]
          Packet inspections show the AWS outbound traffic being sent out to the internet through the WAN interface, but when they return, pfSense doesn't know what to do with them so it tries to route them back out to the internet. Likewise, if I try to ping or traceroute a host on the AWS subnet from pfSense, it hops out to my internet gateway (and drops there). I can, however, ping the AWS subnet from my LAN without issue.

          Does this make sense?

          • jgraham5481

            Do you have an outbound NAT set for the AWS subnet?

            • spetnik

              @jgraham5481:

              Do you have an outbound NAT set for the AWS subnet?

              Yes - see my original post.

              • jimp (Rebel Alliance Developer, Netgate)

                What exactly do your IPsec P2 entries look like?

                And is your IPsec configured as a tunnel or transport with something else like GRE on top?

                You can't "route" IPsec, but if your P2 has 0.0.0.0/0 on your side that should work, but it almost sounds like AWS is sending everything to pfSense but there is no matching P2 to send that traffic back to AWS.


                • ndutyme

                  We have a similar issue trying to NAT incoming traffic from an AWS IPSec VPN static tunnel, out a WAN connection (see attached image and more details below).
                  We even used the AWS VPC VPN Wizard that comes with the paid version of pfSense. We even worked with pfSense support (Netgate), but they couldn't resolve this issue for us.

                  I think there may be an issue with BSD NATing traffic from IPSec with the way that AWS VPC VPN.

                  AWS changed their IPSec VPC VPN connection settings last year, and we started to get drop-out due to more that Phase2 entries or SAs. We removed our Phase2 SAs and got the tunnels working using routing on the AWS -> VPC ->  VPN Connection ->  "Static Routes".
                  This fixed things for a bit.

                  Recently AWS changed their IPSec VPC VPN connection settings again, and this caused us some real problems with pfSense. We found strange traffic when capturing packets from pfSense, or capturing packets from a device outside the WAN interface of our pfSense box. We were seeing replies to AWS IPSec NATed traffic, coming back from the Internet, that were addressed to the WAN address AND the private non-NATed IP address of the AWS system. This meant that pfSense was somehow mangling the packet and sending the private IP address out the WAN. Netgate claimed it was the fault of the system on the Internet trying to communicate with the AWS private IP. There would be no other way for the Internet system to know the private IP of the AWS system.

                  It seems pfSense is unable to properly NAT traffic coming from an AWS VPC static IPsec tunnel.

                  ![2016-05-11 NATting AWS IPSec traffic out WAN.jpg](/public/imported_attachments/1/2016-05-11 NATting AWS IPSec traffic out WAN.jpg)

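The two failure modes discussed in this thread (jimp's point that pfSense has no "route" into a policy-based IPsec tunnel and only sends a packet in when a Phase 2 selector covers it, and ndutyme's observation of NATed replies not returning to the VPC) come down to one lookup order: the reply arriving on WAN is first un-NATed back to the VPC private address, and only then does the SPD decide whether any P2 covers internet-host -> VPC-host. The following Python model is an added example, not pfSense or pf code; the subnets and addresses (VPC 10.0.0.0/16, LAN 192.168.1.0/24, WAN 203.0.113.10, internet host 198.51.100.5) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry (traffic-selector pair) as configured on pfSense."""
    local: IPv4Network   # pfSense-side "Local Network" selector
    remote: IPv4Network  # AWS-side "Remote Network" selector


def select_tunnel(p2s: List[Phase2], src: IPv4Address, dst: IPv4Address) -> Optional[Phase2]:
    """SPD-style lookup for a packet pfSense is about to forward toward AWS.

    Policy-based IPsec has no routing table entry for the tunnel: the packet is
    encapsulated only if its source falls inside a P2 local selector and its
    destination inside the matching remote selector.  Otherwise it follows the
    ordinary routing table (in this thread: the WAN default gateway).
    """
    for p2 in p2s:
        if src in p2.local and dst in p2.remote:
            return p2
    return None


class OutboundNat:
    """Minimal model of a WAN outbound-NAT state table (source NAT to one WAN IP)."""

    def __init__(self, wan_ip: IPv4Address):
        self.wan_ip = wan_ip
        self._next_port = 40000
        # translated source port -> (orig_src, orig_sport, dst, dport)
        self._states: Dict[int, Tuple[IPv4Address, int, IPv4Address, int]] = {}

    def translate(self, src: IPv4Address, sport: int, dst: IPv4Address, dport: int) -> Tuple[IPv4Address, int]:
        """Outbound direction: rewrite src to the WAN address and record the state."""
        port = self._next_port
        self._next_port += 1
        self._states[port] = (src, sport, dst, dport)
        return self.wan_ip, port

    def untranslate(self, src: IPv4Address, sport: int, dst: IPv4Address, dport: int) -> Optional[Tuple[IPv4Address, int]]:
        """Reply direction: map a packet arriving on WAN back to the original inside source."""
        state = self._states.get(dport)
        if state and dst == self.wan_ip and state[2] == src and state[3] == sport:
            return state[0], state[1]
        return None


def reply_disposition(p2s: List[Phase2], nat: OutboundNat, reply_src: IPv4Address,
                      reply_sport: int, reply_dst: IPv4Address, reply_dport: int) -> str:
    """Decide what pfSense does with a reply that arrives on WAN for a NATed VPC connection."""
    original = nat.untranslate(reply_src, reply_sport, reply_dst, reply_dport)
    if original is None:
        return "dropped: no NAT state for this reply"
    inner_dst, _ = original
    # After un-NAT the packet is internet-host -> VPC private IP; the SPD lookup happens now.
    p2 = select_tunnel(p2s, reply_src, inner_dst)
    if p2 is None:
        return f"forwarded to default gateway (no P2 covers {reply_src} -> {inner_dst})"
    return f"sent into IPsec via P2 {p2.local} -> {p2.remote}"


def simulate(p2_local: str, p2_remote: str = "10.0.0.0/16") -> str:
    """Run one VPC host's outbound connection through NAT and back with a single P2 entry."""
    p2s = [Phase2(IPv4Network(p2_local), IPv4Network(p2_remote))]
    nat = OutboundNat(IPv4Address("203.0.113.10"))                # constructed WAN address
    vpc_host = IPv4Address("10.0.1.20")                            # constructed VPC instance
    internet_host = IPv4Address("198.51.100.5")                    # constructed internet peer
    # Outbound: VPC host -> internet, source-NATed to the WAN address on the way out.
    wan_src, wan_port = nat.translate(vpc_host, 51000, internet_host, 443)
    # Reply arrives on WAN addressed to the NAT address/port, not to the VPC private IP.
    return reply_disposition(p2s, nat, internet_host, 443, wan_src, wan_port)


if __name__ == "__main__":
    # A LAN-only P2 (the usual site-to-site setup) cannot carry the reply back to AWS.
    print("P2 local=192.168.1.0/24:", simulate("192.168.1.0/24"))
    # A 0.0.0.0/0 local selector, as jimp suggests, covers the internet host as source.
    print("P2 local=0.0.0.0/0:     ", simulate("0.0.0.0/0"))
```

With a LAN-only local selector the reply matches no P2 after un-NAT and is handed to the default gateway, which is exactly the symptom spetnik describes (pfSense "tries to route them back out to the internet"); with 0.0.0.0/0 as the pfSense-side selector the same reply is encapsulated. The model also shows why a reply that is seen on the WAN still carrying the VPC private address, as ndutyme reports, cannot be produced by this ordering alone: un-NAT happens before the SPD decision, and a packet that fails the SPD lookup is forwarded with the un-NATed inner address, so a capture outside the WAN interface would show the private IP only if that forwarded packet is allowed out without being re-translated.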
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.