Using pfSense as AWS VPC Gateway over VPN - RESOLVED
I am sure I am missing something simple, but I just cannot see it.
We have setup a VPC in AWS and a AWS VPN connection to a pfSense server. That's working great, we can ping and connect both sides of the VPN.
The final part is to make the pfSense server the gateway for the VPC. When we do that we can see in the state filter of the firewall what appears to be the traffic coming in over IPSec, getting natt'ed and then set out over the wan (See attached screenshot)
However in the case of that attachment which is a ping, the replies never seem to arrive back at the machine in the VPC.. eg it just times out, or web pages don't load.
Although if we are reading that right, the packet stats in the state filter shows the replies coming back as well (eg 2/2)
PfSense Wan: x.x.x.x (public ip), lan: 192.168.1.0/24
Firewall is allowing all traffic on the IPSec interface.
Machines in the VPC and LAN on the pfSense side can ping and connect, and LAN traffic can go out via pfSense correctly. It's just the VPC traffic that fails somewhere.
Any advice appreciated.
If it helps, here is a packet capture on the WAN interface for a ping from the VPC…
19:36:50.672594 IP 22.214.171.124xx > 126.96.36.199: ICMP echo request, id 15828, seq 425, length 40
19:36:50.674389 IP 188.8.131.52 > 184.108.40.206xx: ICMP echo reply, id 15828, seq 425, length 40
19:36:50.674426 IP 220.127.116.11 > 10.0.0.4: ICMP echo reply, id 1, seq 425, length 40
19:36:55.644569 IP 18.104.22.168xx > 22.214.171.124: ICMP echo request, id 15828, seq 426, length 40
19:36:55.646511 IP 126.96.36.199 > 188.8.131.52xx: ICMP echo reply, id 15828, seq 426, length 40
19:36:55.646545 IP 184.108.40.206 > 10.0.0.4: ICMP echo reply, id 1, seq 426, length 40
From that is seems to be showing the traffic getting sent back to the VPC.. but if I capture packets on the IPSEC interface:
19:39:46.771367 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 220.127.116.11: ICMP echo request, id 1, seq 429, length 40
19:39:51.643803 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 18.104.22.168: ICMP echo request, id 1, seq 430, length 40
They never show as coming back in ?
You need to set the local network in the phase 2 to be 0.0.0.0/0 not the LAN network or interface.