IPsec with AWS VPC
  • I'm trying to set up a pfSense based on Netgate's AWS VPC. We want to use this pfSense as an IPsec tunnel endpoint for access to our VPCs on Amazon. Currently, we have the following set up:

    AWS Site(A-Site):

    • VPC1 - subnet 192.168.1.0/28
    • VPC2 - subnet 10.0.2.0/24

    Inside of VPC1 we have two systems:

    • pfSense
      • WAN on DHCP, 192.168.1.6 - Peered to dedicated WAN IP (x.x.x.x for reference here)
      • Gateway set to 192.168.1.1
      • LAN on DHCP, 192.168.1.7
    • Ubuntu
      • LAN on DHCP, 192.168.1.13
      • Default gateway set to 192.168.1.1

    Inside of VPC2 we have a set of other systems, but are working primarily with one test machine:

    • Ubuntu
      • LAN on DHCP, 10.0.2.12

    In the VPC routing tables, we have set up communication between 192.168.1.0/28 and 10.0.2.0/24 via peering.

    Right now 192.168.1.0/28 can ping 10.0.2.0/24 and vice-versa without issue.

    On the remote site(R-Site):

    • pfSense
      • WAN - Dedicated WAN address (y.y.y.y for reference here)
      • LAN - 192.168.4.1
    • Ubuntu
      • LAN - 192.168.4.253

    These two sites are connected via an IPsec tunnel:

    • P1 (V1 key exchange)
      • Auth Method: Mutual PSK
      • Negotiation Mode: Main
      • My identifier:
        • R-Site: My IP address
        • A-Site: IP Address - x.x.x.x
      • Peer identifier: Peer IP address
      • Encryption: AES-256
      • Hash: SHA512
      • DH Group: 2
      • Lifetime: 28800
      • NAT Traversal: Auto
      • DPD: Enabled
    • P2 (10.0.2.0/24)
      • Mode: Tunnel IPv4
      • Local Network: LAN Subnet
      • Remote Network: 10.0.2.0/24
      • Protocol: ESP
      • Encryption: AES-256
      • Hash: SHA512
      • PFS keygroup: 2
      • Lifetime: 28800
    • P2 (192.168.1.0/28)
      • Mode: Tunnel IPv4
      • Local Network: LAN Subnet
      • Remote Network: 192.168.1.0/28
      • Protocol: ESP
      • Encryption: AES-256
      • Hash: SHA512
      • PFS keygroup: 2
      • Lifetime: 28800

    This results in a successful connection between R-Site and A-Site.

    | Description | Local ID | Local IP | Remote ID | Remote IP | Role | Reauth | Algo | Status |
    |---|---|---|---|---|---|---|---|---|
    | R-Site IPsec | x.x.x.x | 192.168.1.6 NAT-T | y.y.y.y | y.y.y.y | IKEv1 initiator | 28073 seconds (07:47:53) | AES_CBC, HMAC_SHA2_512_256, PRF_HMAC_SHA2_512, MODP_1024 | ESTABLISHED 37 seconds (00:00:37) ago |

    When the link is up, I can do the following:

    • Ping
    • R-Site 192.168.4.253 -> A-Site 192.168.1.7

    However, I can NOT ping 192.168.1.13 from 192.168.4.253

    When I do, I can see the packets cross the IPsec interface, and then see the packets on the LAN interface on A-Site pfSense. From there, the packets get lost.

    I don't see the packets hitting 192.168.1.13's interface.

    Similarly, when I try to ping 192.168.4.253 from 192.168.1.13, I don't see the packets enter 192.168.1.7's interface.

    On A-Site pfSense I created an entirely open LAN rule in the firewall rules.
    I created an Outbound NAT rule:

    | Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port |
    |---|---|---|---|---|---|---|---|
    | | 10.0.2.0/24 | * | * | 500 | WAN Address | * | Yes |
    | | 10.0.2.0/24 | * | * | * | WAN Address | * | Any |
    | | 192.168.1.0/24 | * | * | 500 | WAN Address | * | Yes |
    | | 192.168.1.0/24 | * | * | * | WAN Address | * | Any |
    | | 192.168.4.0/24 | * | * | 500 | WAN Address | * | Yes |
    | | 192.168.4.0/24 | * | * | * | WAN Address | * | Any |

    On the AWS side, my colleague sent this in to their support, but it didn't seem to be fruitful:
    The configuration for pfsense is as follows:
    the subnet is 192.168.1.0/28
    where pfsense server is
    route table is already created on this VPC
    192.168.1.0/28 -> local
    0.0.0.0/0 igw-34eb7652
    default is pointing to internet gateway
    VPC peering route is 10.0.0.0/16  pcx-9ba4cff2
    The pfsense instance will have two network interfaces: WAN and LAN. Traffic from external/remote (to local AWS instances) reaches the public-facing ENI (eni-48846983) over IPsec tunneling; the pfsense instance will extract the traffic that arrived over the tunnel, pass it through the rules, and forward it to the local network over the LAN interface (eni-96f5c03a). Traffic from the local network (to external/remote) reaches the LAN interface (eni-96f5c03a, so we have configured the route to this interface), and the instance will identify that the traffic is for the remote side and, based on the rules, forward it to the external/remote side over IPsec tunneling through the WAN interface (public-facing ENI eni-48846983). This is the configuration we were using in the existing setup, which we wanted to move to AWS.

    What are we missing in this set up that is causing the traffic to not transfer from pfSense to the rest of the LAN, and vice-versa? The tunnel is clearly connected, so I know that we can get to the pfSense at A-Site, so we're missing a piece in the environment that allows the pfSense to get to the rest of the network for traffic from the tunnel.
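An added diagnostic example, not code from the post, Netgate or AWS: it models VPC1's route table exactly as the post lists it, plus the pfSense LAN ENI and the R-Site LAN (192.168.4.0/24, as implied by the P2 entries and the outbound NAT rules), and reports whether a reply from a VPC1 host to that remote LAN would be handed to pfSense by the VPC. The helper names (`lookup`, `audit`, `fixed_routes`) are hypothetical, and the ENI's source/destination-check state is not stated in the post, so it is an assumption here (the AWS default is enabled).

```python
# Added example: audit a VPC route table for a tunnel remote network.
# Inputs below are constructed from values quoted in the forum post.
from ipaddress import ip_address, ip_network

# VPC1 main route table as listed in the post (constructed input)
VPC1_ROUTES = {
    "192.168.1.0/28": "local",
    "0.0.0.0/0": "igw-34eb7652",
    "10.0.0.0/16": "pcx-9ba4cff2",
}
PFSENSE_LAN_ENI = "eni-96f5c03a"          # pfSense LAN ENI quoted in the post
REMOTE_TUNNEL_NETS = ["192.168.4.0/24"]   # R-Site LAN reached through the tunnel


def lookup(routes, dst):
    """Longest-prefix match over the route table, as the VPC router does."""
    best = None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def audit(routes, remote_nets, lan_eni, source_dest_check=True):
    """Return findings that would stop tunnel traffic transiting pfSense.

    source_dest_check: assumed state of the LAN ENI (not stated in the post).
    """
    findings = []
    for cidr in remote_nets:
        probe = str(ip_network(cidr)[1])      # any host inside the remote net
        target = lookup(routes, probe)
        if target != lan_eni:
            findings.append(f"{cidr} resolves to {target}, not {lan_eni}: "
                            "replies from VPC1 hosts never reach pfSense")
    if source_dest_check:
        findings.append(f"{lan_eni} source/dest check enabled: packets not "
                        "addressed to the ENI itself are dropped by AWS")
    return findings


def fixed_routes(routes, remote_nets, lan_eni):
    """Route table with one route per remote tunnel network to the LAN ENI."""
    return {**routes, **{cidr: lan_eni for cidr in remote_nets}}


if __name__ == "__main__":
    for finding in audit(VPC1_ROUTES, REMOTE_TUNNEL_NETS, PFSENSE_LAN_ENI):
        print("FINDING:", finding)
    corrected = fixed_routes(VPC1_ROUTES, REMOTE_TUNNEL_NETS, PFSENSE_LAN_ENI)
    print(audit(corrected, REMOTE_TUNNEL_NETS, PFSENSE_LAN_ENI, source_dest_check=False))
```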