    Netgate Discussion Forum
    IPSEC to AWS not routing traffic

    IPsec
    mkipp:

      Hello Everyone!

      Today I set up a pfSense appliance in AWS. I created a VPN tunnel in AWS and utilized the IPsec AWS wizard to bring the tunnel up on pfSense. Both AWS tunnels came up; however, I can't ping from behind the pfSense to the other side of the tunnel. I can, however, ping from the pfSense to resources on the other side, so I know the tunnel itself is passing traffic.

      I have checked all the usual suspects. The routing tables in AWS all look correct. I have routes in all the relevant subnets pointing to the pfSense box for all traffic destined for the VPC on the other end. I have disabled the source/dest check on the AWS instance. It's also worth noting that the VPN tunnel is receiving the BGP routes from the pfSense as well.

      I could be wrong, but it appears as if the traffic is getting sent out the WAN interface instead of the IPsec interface. When I start a ping to the remote side and start a packet trace, I can only see the packets captured on the WAN interface. I have verified that the network I'm coming from is configured properly in the Phase 2 setup. See packet capture below:

      23:13:44.203908 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 15184, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 105, length 64
      23:13:45.211170 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 37329, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 106, length 64
      23:13:46.216240 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 48068, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 107, length 64
      23:13:47.218699 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 51897, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 108, length 64
      23:13:48.218753 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 17271, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 109, length 64
      23:13:49.218660 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 30351, offset 0, flags [none], proto ICMP (1), length 84)
          10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 110, length 64
      23:13:50.218767 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 19853, offset 0, flags [none], proto ICMP (1), length 84)

      I've also attached a picture of the phase 2 information as well as the rules.

      Any ideas or suggestions welcome.

      Thank you!



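Added example (not code from this thread, from pfSense, or from AWS): the symptom above, cleartext ICMP with the inner 10.128.0.13 > 10.136.8.10 addresses showing up on the WAN capture instead of ESP, is what you see when no Phase 2 local/remote pair covers the packet, because pfSense (strongSwan) only steers a packet into the tunnel when it matches a security-policy entry; anything else just follows the default route. The script below parses tcpdump lines in the format quoted in the post and reports, per packet, whether a given set of Phase 2 selectors would have claimed it. The Phase 2 networks (`GOOD_SELECTORS`, `BAD_SELECTORS`) are assumed values, since the attached screenshot is not reproduced on the page, and the sample capture is a constructed excerpt of the post's output.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network
Selector = Tuple[Network, Network]  # (local network, remote network) of one Phase 2 entry


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str   # "ICMP", "ESP", ...
    ttl: int


# tcpdump -v prints one header line (link layer, ttl, proto) followed by one L3 line.
HEADER_RE = re.compile(r"ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+) \(\d+\)")
L3_RE = re.compile(r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):")


def parse_capture(text: str) -> List[Packet]:
    """Turn tcpdump -v text into Packet records (header line + the L3 line after it)."""
    packets: List[Packet] = []
    header: Optional[re.Match] = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header = h
            continue
        l3 = L3_RE.match(line)
        if l3 and header:
            packets.append(Packet(ipaddress.IPv4Address(l3["src"]),
                                  ipaddress.IPv4Address(l3["dst"]),
                                  header["proto"], int(header["ttl"])))
            header = None
    return packets


def matching_selector(pkt: Packet, selectors: List[Selector]) -> Optional[Selector]:
    """Return the Phase 2 entry whose local/remote pair covers src/dst, if any."""
    for local, remote in selectors:
        if pkt.src in local and pkt.dst in remote:
            return (local, remote)
    return None


def classify(pkt: Packet, selectors: List[Selector]) -> str:
    if pkt.proto == "ESP":
        return "encrypted"      # already encapsulated; this is what the WAN should carry
    if matching_selector(pkt, selectors) is not None:
        return "policy-match"   # the SPD would claim it; cleartext on WAN then points elsewhere
    return "no-policy"          # no selector covers it, so it follows the default route (WAN)


def audit(text: str, selectors: List[Selector]) -> Dict[str, int]:
    """Count packets per verdict for one capture and one selector set."""
    counts = {"encrypted": 0, "policy-match": 0, "no-policy": 0}
    for pkt in parse_capture(text):
        counts[classify(pkt, selectors)] += 1
    return counts


# Constructed excerpt in the exact two-line format quoted in the post.
SAMPLE_CAPTURE = """\
23:13:44.203908 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 15184, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 105, length 64
23:13:45.211170 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 37329, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 106, length 64
23:13:46.216240 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 48068, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 107, length 64
"""

# Hypothetical Phase 2 entries (assumed, not taken from the thread's screenshot).
# A local network that contains the pinging host 10.128.0.13:
GOOD_SELECTORS: List[Selector] = [(Network("10.128.0.0/16"), Network("10.136.0.0/16"))]
# The same entry with a local network that does NOT contain 10.128.0.13:
BAD_SELECTORS: List[Selector] = [(Network("10.128.1.0/24"), Network("10.136.0.0/16"))]


if __name__ == "__main__":
    for name, sel in (("assumed-correct P2", GOOD_SELECTORS), ("assumed-narrow P2", BAD_SELECTORS)):
        print(name, audit(SAMPLE_CAPTURE, sel))
    # "no-policy" > 0 means the source/destination pair is outside every Phase 2 selector,
    # which is the first thing to compare against the capture before looking at rules or routes.
```

If every captured packet comes back as `policy-match` and still appears unencrypted on WAN, the selector set is not the problem, and the next places to look are the firewall rules on the inside interface and any outbound NAT that rewrites the source before the IPsec policy is consulted.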
      jkfp:

        Having a similar situation and wondering if you ever resolved this; can't find much of any response or help for the issue on this forum. Established tunnel without issue to the AWS-hosted pfSense from a SonicWall. Can watch the inbound pings hit the system but no progress from there or response.
