Routing through IPSEC works partially.

  • I hope one of the IPSEC and routing guru's can assist me with this problem.

    Here is what I have:

    pfSense FW is running as a VM, on a Mac with:

    WAN = em0 = x.y.z.240 (DHCP)
    LAN = em1 =

    I have an IPSEC tunnel working to Amazon AWS/EC2 VPC.

    Within the AWS VPC there is a subnet:

    Hosts from my VPC can route to and ping/access hosts that are on my private LAN 192.168.2.x

    The goal I am trying to achieve is to have the VPC hosts on subnet use my vpn gateway to route through my IPSEC tunnel, and then out my internet gateway on my home network.

    It seems I have a simple route issue on my end within pfSense, but try as I might, I cannot figure out what to enable or what rule to create to fix this.

    Hosts on my private lan can get out to the internet using my pfSense as the perimeter router.  They can also access the hosts in my VPC on  hosts use as the default gateway to get out to the internet.

    I need to have the VPC host come through my IPSEC tunnel and then go out my pfSense WAN to get to the internet the same way my private LAN hosts are doing.

    Any assistance would be greatly appreciated and sorry if I have posted this in the wrong forum area.  This is I think a routing issue, but through IPSEC.

  • @SeventhSon:

    Is this what you're trying to do:

    LOL… Yes.  I actually followed that tutorial to get to where I am.

    That tutorial is fantastic as it really does walk you through the process of setting up pfSense to work with Amazon VPC.  It does not however provide the information needed to allow hosts in the VPC subnet to route through the IPSEC tunnel, and then back out my pfSense to get to the internet.

    That said...  I have figured it out.

    The solution....

    After getting the IPSEC tunnel working as described in the tutorial... You need to modify the VPC route table in AWS.  You need to add a default route for and point the traffic to the AWS vpn gateway that is your IPSEC connection to AWS.  So  route to the vgw that was created.

    Next you need to make a slight change to the IPSEC configuration on the pfSense side.
    I had to change the second tunnel config to the following....
    tunnel ESP AES (128 bits) SHA1 is my VPC subnet.

    Once this change was made and the IPSEC tunnels were restarted...  I can now have traffic from hosts on the VPC subnet traverse my IPSEC tunnel and go out my internet gateway.

    This forum thread steered me in the right direction:

Log in to reply