AWS VPC BGP IPsec Problems



  • I've been unable to get AWS VPC BGP IPsec tunnels working on 2.3.2. Is anyone else having luck with this on the community edition?

    I've done all the following:

    • WAN is working

    • LAN is working

    • Created firewall rule allowing IPsec traffic

    • Created firewall rule allowing all ICMP traffic

    • Installed OpenBGPD

    • Created WAN Interface VIPs for the CG side of the VPC tunnels

    • Created a Gateway with the WAN interface address of the pfSense firewall

    • Created a static route for each of the /30 local-link subnets to the gateway created in the last step

    • Created 2x Phase 1 IPsec tunnels from WAN interface to respective AWS VP Gateways. Using IKE1/AES-128/SHA1/DH2/28800/DPD

    • Created 2x Phase 2 tunnels within each Phase 1 tunnel from respective internal CGs to internal VP GWs, and the other from the pfSense LAN to the VPC LAN /16. Using ESP/AES-128/SHA1/DH2/3600

    • Set up BGP with the ASN of 65001 which is what is used on AWS, set the LAN network and 0.0.0.0/0 for announced networks.

    • Created a group with correct AWS 7224 ASN

    • Set the AWS remote side internal link-local VP GWs as the neighbors and associated with the previously set Group.

    • Verified that the tunnels are up on both AWS and on the pfSense router. BGP looks good. IPsec looks good.

    • When I traceroute from a client computer on the pfSense LAN to the AWS LAN it hits the LAN GW first, then the WAN GW next, when I think the second hop should actually be going across the BGP tunnel instead.

    I'm stumped, can't figure this out, and would really appreciate any help. Thank you!
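The BGP part of the setup listed above, written out as an OpenBGPD bgpd.conf; this is an added example, not the poster's configuration or the pfSense package's generated file. All addresses are placeholders: the 169.254.x.x pairs stand for the inside-tunnel /30 link-local addresses from the AWS customer-gateway configuration, and `announce all` is the pre-6.4 OpenBGPD syntax that the 2.3-era package used.

```conf
# Added example, not from the original post. Placeholders throughout.
AS 65001                       # customer-gateway ASN configured on the AWS side
router-id 203.0.113.10         # pfSense WAN address (placeholder)
holdtime 30                    # AWS VGWs use a 30 second hold time
fib-update yes                 # install VPC prefixes learned over BGP in the kernel table

network 192.168.1.0/24         # pfSense LAN, announced to AWS (placeholder)
network 0.0.0.0/0              # default route, as in the setup above

group "aws-vgw" {
    remote-as 7224             # AWS virtual private gateway ASN
    announce all               # older OpenBGPD syntax; newer releases use filter rules instead

    # Tunnel 1: AWS holds .1 of the /30, the pfSense WAN VIP holds .2 (placeholders)
    neighbor 169.254.10.1 {
        descr "vgw-tunnel-1"
        local-address 169.254.10.2
    }

    # Tunnel 2: second /30 for the second VGW endpoint (placeholders)
    neighbor 169.254.11.1 {
        descr "vgw-tunnel-2"
        local-address 169.254.11.2
    }
}
```

`bgpctl show summary` and `bgpctl show rib` confirm that both sessions are Established and that the VPC /16 has been learned. On pfSense 2.3 the IPsec tunnels are policy-based, so a packet only enters the tunnel when it matches a Phase 2 selector; a learned BGP route by itself does not steer traffic into the tunnel, which is consistent with the second hop showing the WAN gateway.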



  • I figured this out by purchasing a 2220 and copying the config from the wizard. Unfortunately, 2.3 apparently doesn't work with IPsec and BGP so this is a no-go.

