AWS VPC BGP IPsec Problems
I've been unable to get AWS VPC BGP IPsec tunnels working on 2.3.2. Is anyone else having luck with this on the community edition?
I've done all the following:
- WAN is working
- LAN is working
- Created firewall rule allowing IPsec traffic
- Created firewall rule allowing all ICMP traffic
- Installed OpenBGPD
- Created WAN interface VIPs for the CG side of the VPC tunnels
- Created a gateway with the WAN interface address of the pfSense firewall
- Created a static route for each of the /30 link-local subnets to the gateway created in the last step
- Created 2x Phase 1 IPsec tunnels from the WAN interface to the respective AWS VP gateways, using IKEv1/AES-128/SHA1/DH2/28800/DPD
- Created 2x Phase 2 tunnels within each Phase 1 tunnel: one from the respective internal CGs to the internal VP GWs, and the other from the pfSense LAN to the VPC LAN /16, using ESP/AES-128/SHA1/DH2/3600
- Set up BGP with the ASN of 65001, which is what is used on AWS; set the LAN network and 0.0.0.0/0 for announced networks
- Created a group with the correct AWS 7224 ASN
- Set the AWS remote-side internal link-local VP GWs as the neighbors and associated them with the previously set group
- Verified that the tunnels are up on both AWS and on the pfSense router. BGP looks good. IPsec looks good.
- When I traceroute from a client computer on the pfSense LAN to the AWS LAN it hits the LAN GW first, then the WAN GW next, when I think the second hop should actually be going across the BGP tunnel instead.
I'm stumped, can't figure this out, and would really appreciate any help. Thank you!
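The BGP part of the setup listed in the post, written out as an added example OpenBGPD bgpd.conf. This is not the original poster's configuration and not the pfSense wizard output; the ASNs (65001 local, 7224 for the AWS VGW), the two tunnel neighbors and the group come from the post, while the addresses (a 192.168.10.0/24 LAN, 203.0.113.10 as the WAN address used for the router-id, and 169.254.255.0/30 and 169.254.255.4/30 as the tunnel inside subnets) are assumptions. Only the LAN prefix is announced here.

```conf
# Added example OpenBGPD configuration for the two-tunnel AWS VPC setup.
# All addresses are assumed (documentation and link-local ranges), not
# values from the post.
AS 65001                        # customer-side ASN from the post
router-id 203.0.113.10          # assumed pfSense WAN address
fib-update yes                  # push learned VPC prefixes into the kernel table
network 192.168.10.0/24         # assumed pfSense LAN prefix announced to AWS

group "aws-vpc" {
    remote-as 7224              # AWS VGW ASN from the post
    announce self               # send only prefixes originated by "network" above
    holdtime 30                 # AWS VGW uses a 30 second hold-down timer

    neighbor 169.254.255.1 {    # assumed VGW inside address, tunnel 1
        descr "aws-tunnel-1"
        local-address 169.254.255.2   # assumed CG inside address, tunnel 1
    }
    neighbor 169.254.255.5 {    # assumed VGW inside address, tunnel 2
        descr "aws-tunnel-2"
        local-address 169.254.255.6   # assumed CG inside address, tunnel 2
    }
}

# Accept only what the AWS group sends and send only to the AWS group.
deny from any
deny to any
allow from group "aws-vpc"
allow to group "aws-vpc"
```

With `fib-update yes`, the VPC prefixes learned from the two neighbors are installed in the kernel routing table, which is what a traceroute from the LAN ultimately depends on; `bgpctl show rib` shows what BGP learned and `netstat -rn` shows whether it actually reached the kernel table with the VGW inside address as the gateway.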
-
I figured this out by purchasing a 2220 and copying the config from the wizard. Unfortunately, 2.3 apparently doesn't work with IPsec and BGP, so this is a no-go.