Netgate Discussion Forum
Using pfSense as AWS VPC Gateway over VPN - RESOLVED

mikepb, Jan 5, 2018, 9:28 PM (last edited Jan 7, 2018, 2:30 PM)

    Hi,

    I am sure I am missing something simple, but I just cannot see it.

    We have set up a VPC in AWS and an AWS VPN connection to a pfSense server. That's working great; we can ping and connect both sides of the VPN.

    The final part is to make the pfSense server the gateway for the VPC. When we do that, we can see in the state filter of the firewall what appears to be the traffic coming in over IPsec, getting NATed and then sent out over the WAN (see attached screenshot).

    However, in the case of that attachment, which is a ping, the replies never seem to arrive back at the machine in the VPC, e.g. it just times out, or web pages don't load.

    Although, if we are reading that right, the packet stats in the state filter show the replies coming back as well (e.g. 2/2).

    Network details:
    VPC: 10.0.0.0/24
    pfSense WAN: x.x.x.x (public IP), LAN: 192.168.1.0/24

    Firewall is allowing all traffic on the IPSec interface.

    Machines in the VPC and LAN on the pfSense side can ping and connect, and LAN traffic can go out via pfSense correctly. It's just the VPC traffic that fails somewhere.

    Any advice appreciated.

    Thanks

    [Attachment: state_filter.png]

    mikepb, Jan 6, 2018, 12:40 AM

      If it helps, here is a packet capture on the WAN interface for a ping from the VPC…

      19:36:50.672594 IP 104.156.225.1xx > 8.8.8.8: ICMP echo request, id 15828, seq 425, length 40
      19:36:50.674389 IP 8.8.8.8 > 104.156.225.1xx: ICMP echo reply, id 15828, seq 425, length 40
      19:36:50.674426 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 425, length 40
      19:36:55.644569 IP 104.156.225.1xx > 8.8.8.8: ICMP echo request, id 15828, seq 426, length 40
      19:36:55.646511 IP 8.8.8.8 > 104.156.225.1xx: ICMP echo reply, id 15828, seq 426, length 40
      19:36:55.646545 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 426, length 40

      From that it seems to be showing the traffic getting sent back to the VPC, but if I capture packets on the IPsec interface:

      19:39:46.771367 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 429, length 40
      19:39:51.643803 (authentic,confidential): SPI 0xcd5d6b92: IP 10.0.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 430, length 40

      They never show as coming back in?

      mikepb, Jan 7, 2018, 2:29 PM

        Found it!

        You need to set the local network in the phase 2 to be 0.0.0.0/0 not the LAN network or interface.

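Putting the two posts above together (the WAN capture showing replies addressed to 10.0.0.4, and the fix of setting the phase 2 local network to 0.0.0.0/0), here is an added Python example that is not from the thread and not pfSense code. It models the selector check that policy-based IPsec applies to outbound packets (source inside the phase 2 local network, destination inside the phase 2 remote network) and runs it over tcpdump lines of the kind posted above. The capture lines are constructed from the thread's output, with 203.0.113.10 standing in for the masked public WAN address; the selector model is an assumption about how pfSense's phase 2 entries are evaluated, used here to explain why the LAN subnet as local network cannot carry the VPC's return traffic.

```python
import ipaddress
import re

# Constructed sample in tcpdump -n style: one NATed request leaving the WAN
# and the two replies to the VPC host quoted in the thread. 203.0.113.10 is a
# documentation-range placeholder for the masked public address.
SAMPLE_CAPTURE = """\
19:36:50.672594 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 15828, seq 425, length 40
19:36:50.674426 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 425, length 40
19:36:55.646545 IP 8.8.8.8 > 10.0.0.4: ICMP echo reply, id 1, seq 426, length 40
"""

# Matches "IP <src>[.port] > <dst>[.port]: <rest>"; search() rather than match()
# so the "(authentic,confidential): SPI 0x...:" prefix on enc0 lines is skipped.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)


def parse_tcpdump(text):
    """Yield (src, dst, description) for every IPv4 line in a tcpdump capture."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def phase2_selects(local_net, remote_net, src, dst):
    """Assumed selector rule for the outbound direction: a packet enters the
    tunnel only if src is inside the phase 2 local network and dst inside the
    phase 2 remote network."""
    local = ipaddress.ip_network(local_net, strict=False)
    remote = ipaddress.ip_network(remote_net, strict=False)
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def classify_capture(text, local_net, remote_net="10.0.0.0/24"):
    """Report, per packet, whether a phase 2 with the given local/remote
    networks would encapsulate it ('tunnel') or leave it to normal routing
    ('no-match')."""
    result = []
    for src, dst, _desc in parse_tcpdump(text):
        verdict = "tunnel" if phase2_selects(local_net, remote_net, src, dst) else "no-match"
        result.append((src, dst, verdict))
    return result


def replies_lost(text, local_net, vpc_net="10.0.0.0/24"):
    """Count packets addressed to the VPC that no phase 2 entry would carry,
    i.e. the replies that time out for the VPC host."""
    vpc = ipaddress.ip_network(vpc_net)
    return sum(
        1
        for _src, dst, verdict in classify_capture(text, local_net, vpc_net)
        if ipaddress.ip_address(dst) in vpc and verdict == "no-match"
    )


if __name__ == "__main__":
    for local in ("192.168.1.0/24", "0.0.0.0/0"):
        print(f"phase 2 local = {local}: replies lost = {replies_lost(SAMPLE_CAPTURE, local)}")
        for row in classify_capture(SAMPLE_CAPTURE, local):
            print("   ", *row)
```

With the LAN subnet as the local network, the replies from 8.8.8.8 to 10.0.0.4 match no phase 2 entry, so they are handled by the normal routing table instead of being encapsulated, which is consistent with the WAN capture above; with 0.0.0.0/0 every packet bound for the VPC matches. Running a check like this over captures from both the WAN and the IPsec interface is a quick way to confirm a selector mismatch before touching the tunnel configuration.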