DNS and Domain Control over OpenVPN Site to Site
-
Working on a project for my advanced networking university class. I've set up a network with the following layout: http://imgur.com/FyGZEtm (IPSEC tunnel was changed to OpenVPN tunnel)
The goal I am trying to accomplish is that on the AWS side I have set up a Windows 2016 server to act as the Domain Controller for the network. So I am trying to have the VM Desktops join the domain controlled by the AD on AWS. They are connected with an OpenVPN site to site link. The OpenVPN status shows them connected. I can ping from the ESXi pfSense WAN to the AWS pfSense WAN.
AWS
Gateway 10.100.100.1
WAN 10.100.10.183
WIN2016 10.100.100.248

ESXi
Gateway 10.2.0.1
WAN 10.2.0.61
LAN 192.168.1.1
DMZ 192.168.220.1
UbuntuMate 192.168.1.105

OpenVPN Tunnel 10.0.8.0/24
The VPN connects out to a public IP address on AWS that is connected to the AWS pfSense server.
I guess my first question to people who are more knowledgeable about pfSense is: is this something that can even be done?
I can ping from:
AWS pfSense to ESXi pfSense WAN
AWS pfSense to ESXi LAN
AWS pfSense to ESXi UbuntuMate
UbuntuMate on ESXi LAN to AWS WAN

I can not ping from:
AWS WIN2016 to pfSense Gateway or behind it
UbuntuMate on ESXi LAN to AWS WIN2016

Tried doing packet captures but they seem strange to me. Did one on the ESXi WAN interface looking only for ICMP packets since I was pinging from the AWS WIN2016 and was getting only this:
20:46:38.563621 IP 10.2.0.1>10.2.0.61 ICMP echo reply, id 34073, seq 19565, length 8
which just repeats with increasing time stamp and seq numbers.

From the packet capture on the AWS pfSense I was getting
20:46:33.867577 IP 10.100.100.183 > 10.100.100.1: ICMP echo request, id 3097, seq 4255, length 8
20:46:33.867921 IP 10.100.100.1 > 10.100.100.183: ICMP echo reply, id 3097, seq 4255, length 8
which was just repeating multiple times.
I have my firewall rules pretty much as open as they can be. I am at a loss as to what else to check to see if I can fix this.
Any help or suggestions would be greatly appreciated.
-
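A small diagnostic for captures like the two quoted above (an added example, not code from the post): it pairs ICMP echo requests and replies from tcpdump lines by (id, seq) and reports whether any packet is addressed to the far site's subnet at all. The sample lines are constructed to mirror the question's captures, and the remote subnets are assumed from the layout listed above.

```python
"""Pair ICMP echo requests/replies from tcpdump output and flag flows that
never address the remote site.  Diagnostic helper, not from the original post."""
import ipaddress
import re
from collections import defaultdict

# Accepts both "10.2.0.1>10.2.0.61 ICMP" (as pasted) and "10.2.0.1 > 10.2.0.61: ICMP".
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) ?> ?(?P<dst>[\d.]+):? ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Return one dict per ICMP echo line; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            out.append(d)
    return out


def analyse(lines, remote_net):
    """Group echoes by (id, seq).  Replies with no request mean the request left
    by another path; no packet to/from remote_net means the ping never entered
    the tunnel and is being answered locally (routing/NAT on the near side)."""
    remote = ipaddress.ip_network(remote_net)
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    touches_remote = False
    for p in parse_icmp(lines):
        flows[(p["id"], p["seq"])][p["kind"]] += 1
        ends = (ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"]))
        touches_remote = touches_remote or any(a in remote for a in ends)
    return {
        "flows": len(flows),
        "unmatched_replies": sum(1 for f in flows.values() if f["reply"] and not f["request"]),
        "unanswered_requests": sum(1 for f in flows.values() if f["request"] and not f["reply"]),
        "touches_remote_net": touches_remote,
    }


# Constructed sample captures mirroring the post (second ESXi line extrapolated).
ESXI_WAN_CAPTURE = [
    "20:46:38.563621 IP 10.2.0.1>10.2.0.61 ICMP echo reply, id 34073, seq 19565, length 8",
    "20:46:39.563800 IP 10.2.0.1>10.2.0.61 ICMP echo reply, id 34073, seq 19566, length 8",
]
AWS_CAPTURE = [
    "20:46:33.867577 IP 10.100.100.183 > 10.100.100.1: ICMP echo request, id 3097, seq 4255, length 8",
    "20:46:33.867921 IP 10.100.100.1 > 10.100.100.183: ICMP echo reply, id 3097, seq 4255, length 8",
]
```

Run `analyse(ESXI_WAN_CAPTURE, "10.100.100.0/24")` and `analyse(AWS_CAPTURE, "10.2.0.0/24")`: both report `touches_remote_net` False, which points at the near-side routing rather than the tunnel or firewall rules.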
Why do you have a second pfSense in your VPC?
This is not necessary and as far as I know, AWS just supports IPsec with IKEv1.
I basically covered what you want to do in a post a few days ago: https://www.ceos3c.com/2017/04/24/site-to-site-vpn-between-pfsense-and-aws-vpc/
Maybe this can help you?
You overcomplicate things with the second virtual pfSense inside of AWS in my opinion. AWS has more than enough security measures in place that this is not needed.
Ceo