Netgate Discussion Forum
    AWS VPC BGP IPsec Problems

    aarodynamics

      I've been unable to get AWS VPC BGP IPsec tunnels working on 2.3.2. Is anyone else having luck with this on the community edition?

      I've done all the following:

      • WAN is working

      • LAN is working

      • Created firewall rule allowing IPsec traffic

      • Created firewall rule allowing all ICMP traffic

      • Installed OpenBGPD

      • Created WAN Interface VIPs for the CG side of the VPC tunnels

      • Created a Gateway with the WAN interface address of the pfSense firewall

      • Created a static route for each of the /30 local-link subnets to the gateway created in the last step

      • Created 2x Phase 1 IPsec tunnels from WAN interface to respective AWS VP Gateways. Using IKE1/AES-128/SHA1/DH2/28800/DPD

      • Created 2x Phase 2 tunnels within each Phase 1 tunnel, one from the respective internal CGs to the internal VP GWs, and the other from the pfSense LAN to the VPC LAN /16. Using ESP/AES-128/SHA1/DH2/3600

      • Set up BGP with the ASN of 65001, which is what is used on AWS, and set the LAN network and 0.0.0.0/0 for announced networks.

      • Created a group with correct AWS 7224 ASN

      • Set the AWS remote side internal link-local VP GWs as the neighbors and associated with the previously set Group.

      • Verified that the tunnels are up on both AWS and on the pfSense router. BGP looks good. IPsec looks good.

      • When I traceroute from a client computer on the pfSense LAN to the AWS LAN it hits the LAN GW first, then the WAN GW next, when I think the second hop should actually be going across the BGP tunnel instead.

      I'm stumped, can't figure this out, and would really appreciate any help. Thank you!

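One way to check where such traffic is actually routed, as an added example that is not from the post and not pfSense or Netgate code: the script below parses a FreeBSD-style `netstat -rn` table of the kind pfSense prints, performs the same longest-prefix match the kernel uses for a VPC address, and reports whether the packet would leave via the WAN default gateway (the poster's traceroute observation) or via a next hop in the 169.254.0.0/16 range that the tunnel link-local /30s live in. The addresses, interface names and the two sample tables are constructed placeholders, and the route-table format is assumed to match FreeBSD's IPv4 section.

```python
"""Offline check: which route would a LAN client's packet to the AWS VPC take?

Added example, not from the forum post. It parses a constructed FreeBSD/pfSense
style `netstat -rn` table and reports whether the matched route points at the
WAN default gateway or at a tunnel link-local next hop learned over BGP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder values (not the poster's real addresses).
WAN_GATEWAY = "203.0.113.1"
VPC_LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")  # AWS tunnel inside /30s live here

# Constructed sample of the IPv4 section of `netstat -rn` on a pfSense box in the
# state the post describes: static /30 routes to the WAN gateway, but no route
# for the VPC /16, so that prefix falls through to the default route.
SAMPLE_BROKEN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        em0
10.10.0.0/24       link#2             U          em1
10.10.0.1          link#2             UHS        lo0
127.0.0.1          link#4             UH         lo0
169.254.10.0/30    203.0.113.1        UGS        em0
169.254.10.1       link#1             UHS        lo0
169.254.20.0/30    203.0.113.1        UGS        em0
169.254.20.1       link#1             UHS        lo0
203.0.113.0/24     link#1             U          em0
"""

# Same table with one constructed row a BGP daemon would install once the VPC
# prefix is learned from the peer at the far end of the first tunnel.
SAMPLE_LEARNED = SAMPLE_BROKEN + "172.31.0.0/16      169.254.10.2       UG1        em0\n"


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next hop as printed: an IP, or "link#N" for directly connected
    flags: str
    netif: str


def parse_netstat(text: str) -> List[Route]:
    """Parse IPv4 rows of FreeBSD `netstat -rn`; header, blank and IPv6 rows are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[0], parts[1], parts[2], parts[3]
        if dest == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            try:
                # A bare host address becomes a /32, matching the kernel's host route.
                net = ipaddress.IPv4Network(dest, strict=False)
            except ValueError:
                continue  # header row or an IPv6 entry
        routes.append(Route(net, gw, flags, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same decision the kernel makes when forwarding."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def classify_path(routes: List[Route], dst: str, wan_gateway: str) -> str:
    """Return 'wan-default', 'tunnel', 'other' or 'no-route' for the destination."""
    r = lookup(routes, dst)
    if r is None:
        return "no-route"
    if r.network.prefixlen == 0 or r.gateway == wan_gateway:
        return "wan-default"
    try:
        if ipaddress.IPv4Address(r.gateway) in VPC_LINK_LOCAL:
            return "tunnel"
    except ValueError:
        pass  # "link#N" style gateway: directly connected
    return "other"


def report(text: str, dst: str, wan_gateway: str = WAN_GATEWAY) -> str:
    routes = parse_netstat(text)
    r = lookup(routes, dst)
    verdict = classify_path(routes, dst, wan_gateway)
    via = f"{r.network} via {r.gateway} on {r.netif}" if r else "no matching route"
    return f"{dst}: {verdict} ({via})"


if __name__ == "__main__":
    print(report(SAMPLE_BROKEN, "172.31.5.4"))   # wan-default, as in the post's traceroute
    print(report(SAMPLE_LEARNED, "172.31.5.4"))  # tunnel, once the BGP route is in the table
```

A `wan-default` verdict for a VPC address means no more-specific route reached the kernel table, which matches the second traceroute hop the post describes; whether the packet is then encapsulated by the IPsec Phase 2 policy or sent in the clear depends on the Phase 2 selectors, so check those alongside the table.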
      aarodynamics

        I figured this out by purchasing a 2220 and copying the config from the wizard. Unfortunately, 2.3 apparently doesn't work with IPsec and BGP, so this is a no-go.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.