Netgate Discussion Forum
    XG-7100 Site-to-Site IPSec AWS VPC VPN: Cannot Ping Private Subnet EC2 Host

    nu2pfsense (last edited by nu2pfsense):

      I used the pfSense AWS VPC Wizard to set up a site-to-site IPsec VPN connection between my Netgate XG-7100 and an AWS VPC. The XG-7100 (Status -> IPsec -> Overview page) shows the two IPsec tunnels as ESTABLISHED (green), and I can successfully ping from the inside tunnel address to the VPC side of the tunnel per Testing Connectivity.

      However, I cannot ping an EC2 host (private IP: 192.168.26.86) in a private subnet of the VPC from the XG-7100. What am I missing to make this work? Thank you in advance!


      Network Setup:

      • ASUS AC1300 wi-fi router (10.0.0.1/24)
        • PC A (IP: 10.0.0.107)
        • Netgate XG-7100 (WAN IP: 10.0.0.20, LAN: 172.16.0.1/24)
          • PC B (IP: 172.16.0.12)
      • Site-to-site VPN: BGP-enabled
      • AWS VPC (192.168.0.0/16):
        • Private subnet (192.168.0.0/19)
          • EC2 host (private IP: 192.168.26.86) - security group inbound rule allows all IPv4 ICMP traffic
        • Public subnet (192.168.32.0/19)

      XG-7100 Firewall Rules: LAN

      • Allows IPv4 ICMP traffic (screenshot: XG-7100_Firewall_Rules_LAN.png)

      XG-7100 Virtual IPs (screenshot: XG-7100_Firewall_Virtual_IPs.png)

      I can ping from the inside tunnel address to the VPC side of the tunnel (used XG-7100 Diagnostics -> Ping):

      PING 169.254.110.85 (169.254.110.85) from 169.254.110.86: 56 data bytes
      64 bytes from 169.254.110.85: icmp_seq=0 ttl=254 time=12.093 ms
      64 bytes from 169.254.110.85: icmp_seq=1 ttl=254 time=11.960 ms
      64 bytes from 169.254.110.85: icmp_seq=2 ttl=254 time=11.903 ms
      
      --- 169.254.110.85 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 11.903/11.985/12.093/0.080 ms
      
      PING 169.254.218.181 (169.254.218.181) from 169.254.218.182: 56 data bytes
      64 bytes from 169.254.218.181: icmp_seq=0 ttl=254 time=12.180 ms
      64 bytes from 169.254.218.181: icmp_seq=1 ttl=254 time=12.012 ms
      64 bytes from 169.254.218.181: icmp_seq=2 ttl=254 time=12.024 ms
      
      --- 169.254.218.181 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 12.012/12.072/12.180/0.077 ms
      
      nu2pfsense:

        Courtesy of AWS support this issue was due to the following:

        • I selected BGP routing in the pfSense AWS VPC Wizard
        • IPsec tunnels were ESTABLISHED (UP), but BGP was stuck in 'Connect' state and hence "DOWN"
        • The peer-proposal SA was created as: 172.16.0.0/24 --> 192.168.0.0/16, which implies that both tunnels were configured as 'Policy based' VPN. This also implies that BGP was not configured on the XG-7100 device for the VPN (because BGP is always 'Route'-based VPN).

        They suggested the following resolutions:

        • Recreate the VPN in the AWS Console using "Static" routing instead of "Dynamic"
        • Configure BGP as per 'Download configuration' on the customer gateway device [Note: I expected the AWS VPC Wizard to do this for me]

        I deleted the resources and started the pfSense AWS VPC Wizard from scratch, selecting Static routing instead, and this time it succeeded and enabled me to ping the EC2 host in the private subnet from the XG-7100.

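An added triage check, written for this thread and not code from the original post or from pfSense/AWS tooling, that models the mismatch AWS support identified: Phase 1 up, policy-based selectors 172.16.0.0/24 <-> 192.168.0.0/16, but the VPN created with dynamic (BGP) routing while BGP sits in 'Connect'. The tunnel states, selectors and BGP state below are constructed values mirroring the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass
class Tunnel:
    name: str
    ike_state: str          # Status -> IPsec -> Overview, e.g. "ESTABLISHED"
    local_ts: list          # Phase 2 local traffic selectors (CIDR strings)
    remote_ts: list         # Phase 2 remote traffic selectors
    routing: str            # "static" or "dynamic" (BGP), as chosen in the AWS VPN / wizard
    bgp_state: str = "n/a"  # BGP FSM state; only meaningful when routing == "dynamic"

def covered(selectors, addr):
    return any(ip_address(addr) in ip_network(s) for s in selectors)

def is_route_based(tunnel):
    # A VTI/route-based tunnel carries 0.0.0.0/0 <-> 0.0.0.0/0 selectors;
    # narrow subnet selectors mean a policy-based tunnel.
    return all(ip_network(s) == ANY for s in tunnel.local_ts + tunnel.remote_ts)

def triage(tunnel, src, dst):
    """Return findings explaining why src -> dst might not cross the tunnel."""
    findings = []
    if tunnel.ike_state != "ESTABLISHED":
        return [f"{tunnel.name}: IKE SA is {tunnel.ike_state}; fix Phase 1 first"]
    if not covered(tunnel.local_ts, src):
        findings.append(f"{tunnel.name}: {src} is outside local selectors {tunnel.local_ts}")
    if not covered(tunnel.remote_ts, dst):
        findings.append(f"{tunnel.name}: {dst} is outside remote selectors {tunnel.remote_ts}")
    if tunnel.routing == "dynamic":
        if not is_route_based(tunnel):
            findings.append(f"{tunnel.name}: BGP selected but selectors are policy-based; "
                            "BGP needs a route-based (VTI) tunnel")
        if tunnel.bgp_state != "Established":
            findings.append(f"{tunnel.name}: BGP is '{tunnel.bgp_state}', so no routes are exchanged; "
                            "switch the AWS VPN to static routing or configure BGP on the gateway")
    return findings or [f"{tunnel.name}: tunnel, selectors and routing are consistent for {src} -> {dst}"]

# Constructed values mirroring the thread: the broken wizard run and the static-routing redo.
BROKEN = Tunnel("aws-tun1", "ESTABLISHED", ["172.16.0.0/24"], ["192.168.0.0/16"], "dynamic", "Connect")
FIXED = Tunnel("aws-tun1", "ESTABLISHED", ["172.16.0.0/24"], ["192.168.0.0/16"], "static")

if __name__ == "__main__":
    for t in (BROKEN, FIXED):
        for line in triage(t, "172.16.0.12", "192.168.26.86"):
            print(line)
```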
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.