IPSEC to AWS not routing traffic



  • Hello Everyone!

    Today I set up a pfSense appliance in AWS. I created a VPN tunnel in AWS and utilized the IPsec AWS wizard to bring the tunnel up on pfSense. Both AWS tunnels came up, however I can't ping from behind the pfSense to the other side of the tunnel. I can however ping from the pfSense to resources on the other side, so I know the tunnel itself is passing traffic.

    I have checked all the usual suspects. The routing tables in AWS all look correct. I have routes in all the relevant subnets pointing to the pfSense box for all traffic destined for the VPC on the other end. I have disabled the source/dest check on the AWS instance. It's also worth noting that the VPN tunnel is receiving the BGP routes from the pfSense as well.

    I could be wrong, but it appears as if the traffic is being sent out the WAN interface instead of the IPsec interface. When I start a ping to the remote side and start a packet trace, I can only see the packets captured on the WAN interface. I have verified that the network I'm coming from is configured properly in the Phase 2 setup. See packet capture below:

    23:13:44.203908 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 15184, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 105, length 64
    23:13:45.211170 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 37329, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 106, length 64
    23:13:46.216240 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 48068, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 107, length 64
    23:13:47.218699 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 51897, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 108, length 64
    23:13:48.218753 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 17271, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 109, length 64
    23:13:49.218660 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 30351, offset 0, flags [none], proto ICMP (1), length 84)
        10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 110, length 64
    23:13:50.218767 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 19853, offset 0, flags [none], proto ICMP (1), length 84)

    I've also attached a picture of the phase 2 information as well as the rules.

    Any ideas or suggestions welcome.

    Thank you!
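A quick way to make the "is it going out the WAN in the clear, or inside the tunnel?" question concrete is to classify a `tcpdump -nn -e -v` capture from the WAN against the Phase 2 selectors. The check below is an added example, not code from the poster or from pfSense. It rests on one assumption, stated here and in the code: traffic that the IPsec policy catches leaves the WAN as ESP (IP protocol 50) or, with NAT-T, as UDP/4500, so a packet whose inner source and destination match a Phase 2 pair but that shows up on the WAN capture as plain ICMP/TCP/UDP is bypassing the policy and leaving unencrypted. The Phase 2 prefixes (10.128.0.0/16 to 10.136.0.0/16) and the ESP and DNS sample lines are constructed for illustration; the ICMP lines are the ones from the post.

```python
import ipaddress
import re

# ASSUMPTION: the post does not show its Phase 2 prefixes, so these are
# illustrative (local network, remote network) selector pairs.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("10.128.0.0/16"), ipaddress.ip_network("10.136.0.0/16")),
]

# 'tcpdump -nn -e -v' prints a header line with "proto NAME (NUM)" and then an
# indented line with "src[.port] > dst[.port]:". We pair the two.
HEADER_RE = re.compile(r"proto (\w+) \((\d+)\)")
IP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:"
)

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500


def parse_tcpdump(lines):
    """Return one dict per packet: proto name/number, src/dst address, ports."""
    records = []
    pending = None
    for line in lines:
        m = HEADER_RE.search(line)
        if m:
            pending = {"proto": m.group(1), "proto_num": int(m.group(2))}
            continue
        m = IP_RE.match(line)
        if m and pending is not None:
            pending.update(
                src=ipaddress.ip_address(m.group(1)),
                sport=int(m.group(2)) if m.group(2) else None,
                dst=ipaddress.ip_address(m.group(3)),
                dport=int(m.group(4)) if m.group(4) else None,
            )
            records.append(pending)
            pending = None
    return records


def classify(rec):
    """Label a WAN-side packet relative to the IPsec policy.

    ASSUMPTION: policy-matched traffic appears on the WAN only as ESP or as
    UDP/4500 (NAT-T). Anything else whose addresses fall inside a Phase 2
    selector pair is leaving the box unencrypted, i.e. the SPD did not catch it.
    """
    if rec["proto_num"] == ESP_PROTO:
        return "encapsulated"
    if rec["proto_num"] == UDP_PROTO and NAT_T_PORT in (rec["sport"], rec["dport"]):
        return "encapsulated"
    for local, remote in PHASE2_SELECTORS:
        if rec["src"] in local and rec["dst"] in remote:
            return "plaintext-leak"
    return "other"


def summarize(lines):
    """Count packets per class; a non-zero 'plaintext-leak' is the red flag."""
    counts = {"encapsulated": 0, "plaintext-leak": 0, "other": 0}
    for rec in parse_tcpdump(lines):
        counts[classify(rec)] += 1
    return counts


# Sample capture: three ICMP packets from the post, plus one constructed ESP
# packet and one constructed DNS query so each class is exercised.
SAMPLE_CAPTURE = """\
23:13:44.203908 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 15184, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 105, length 64
23:13:45.211170 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 37329, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 106, length 64
23:13:46.216240 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 48068, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.0.13 > 10.136.8.10: ICMP echo request, id 36982, seq 107, length 64
23:13:46.300001 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 64, id 1234, offset 0, flags [DF], proto ESP (50), length 152)
    203.0.113.5 > 198.51.100.7: ESP(spi=0xc1234567,seq=0x1a), length 132
23:13:46.400002 0e:9b:46:e3:2a:bf > 0e:ab:b2:9e:7e:60, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 4321, offset 0, flags [none], proto UDP (17), length 60)
    10.128.0.13.53412 > 203.0.113.53.53: 12345+ A? example.com. (32)
""".splitlines()


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

On a pfSense box the same capture is taken with Diagnostics > Packet Capture (or `tcpdump -nn -e -v -i <wan>` from a shell), and the complementary check is a capture on the IPsec interface (`enc0`): policy-matched traffic shows up there in plaintext before encapsulation, so selector-matching packets that appear only on the WAN and never on `enc0` are the ones to chase in the Phase 2 definition or the routing table.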





  • Having a similar situation and wondering if you ever resolved this; can't find much of any response or help for the issue on this forum. Established tunnel without issue to the AWS-hosted pfSense from a SonicWall. Can watch the inbound pings hit the system but no progress from there or response.