Interesting article - VPN between pfSense and Amazon VPC



  • I'm not sure I understand all of this, but it looks interesting… ???

    http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/

    How to create a Site-to-site VPN between pfSense and Amazon VPC using Virtual Private Gateway feature.


  • Rebel Alliance Developer Netgate

    They must have added/changed something on the VPC side, since I've never seen one be that easy.

    The BGP method discussed here is a bit complex but works, and the "static route" method is slightly simpler but still fairly complicated.

    It may be that the similar BGP and static methods are capable of redundancy, while this one is only a single tunnel. Hard to say though.

    If it works, great. :-)



  • Hi stan-qaz and Jimp!

    It works perfectly and it is quite stable :) I used both BGP one and now using static route.

    One of the customers here asked for it to be as simple as possible, as they don't know that much about routing, etc. So, that feature is not so new in Amazon VPC, and I also have another one working with Cisco ASA and Amazon VPC.

    Hope you guys enjoy that.

    Stan,

    Can I help you with anything you could not understand properly? Leave a comment there and I will be grateful to help :)

    Cheers!



  • Nice work Heitor, thanks for sharing.

    What types of redundancy does the "BGP version" offer over the "static route version" ?



  • Thanks once again :)

    In this case, redundancy is offered equally for both BGP and non-BGP VPNs as they offer a second tunnel that can be used for failover.

    The main difference is only about routing, but concerning redundancy you will end up having the same scenario.

    Out of curiosity, this feature was added last year, and some information regarding the list of devices (firewalls/routers) they have tested follows below:

    http://aws.typepad.com/aws/2012/09/amazon-vpc-additional-vpn-features.html



  • Hi guys,

    Heitor's tutorial was very good and I got the VPN IPSec Tunnel working well…

    Now I want to set up redundancy on this connection with the same pfSense using the second VPN Tunnel that is created for each VPN Connection.

    In my pfSense config I have two WAN ports with two ISPs, so I would like to keep both tunnels connected for load balancing, and also failover...

    Has someone already done this configuration?

    Thanks in advance!


  • Rebel Alliance Developer Netgate

    @bpancica:


    There is no automatic way to do that in a stock pfSense image. Because the Phase 2 entries for both tunnels overlap, they cannot both be used/active at the same time. You would have to manually disable one and enable the other.
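
As an added example (not part of this thread, the linked tutorial, or pfSense itself), the script below reads the configuration file AWS hands out for a VPN connection, prints the values a pfSense admin would enter in Phase 1 and Phase 2 for each of the two tunnels, and checks the point made above: with static routing both tunnels carry the same local/remote networks, so their Phase 2 entries overlap and only one of them can be enabled at a time. The XML is a constructed sample in the shape of the customer gateway configuration as I recall it; the LAN, VPC CIDR, addresses and pre-shared keys are assumed, and the weak-algorithm check is an editor's addition rather than anything AWS or pfSense does.

```python
"""Lay out the two AWS VPN tunnels of one connection as pfSense Phase 1 / Phase 2
entries and show why both cannot be enabled at once on a stock pfSense.
Added example; addresses, IDs, PSKs, LAN and VPC CIDR below are all assumed."""
import ipaddress
import xml.etree.ElementTree as ET

LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN behind pfSense
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")       # assumed VPC CIDR


def _tunnel_xml(peer_ip, psk):
    """Constructed sample of one <ipsec_tunnel> block, in the shape of the AWS
    customer gateway configuration as I recall it (addresses and PSKs made up)."""
    return f"""<ipsec_tunnel>
  <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address></customer_gateway>
  <vpn_gateway><tunnel_outside_address><ip_address>{peer_ip}</ip_address></tunnel_outside_address></vpn_gateway>
  <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
    <lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy><mode>main</mode>
    <pre_shared_key>{psk}</pre_shared_key></ike>
  <ipsec><protocol>esp</protocol><authentication_protocol>hmac-sha1-96</authentication_protocol>
    <encryption_protocol>aes-128-cbc</encryption_protocol><lifetime>3600</lifetime>
    <perfect_forward_secrecy>group2</perfect_forward_secrecy><mode>tunnel</mode>
    <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
</ipsec_tunnel>"""


# Constructed sample connection: one VPN connection always comes with two tunnels.
SAMPLE_CONFIG = ('<vpn_connection id="vpn-0example"><vpn_connection_type>ipsec.1</vpn_connection_type>'
                 + _tunnel_xml("198.51.100.1", "psk-for-tunnel-1")
                 + _tunnel_xml("198.51.100.2", "psk-for-tunnel-2")
                 + "</vpn_connection>")


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel> holding what pfSense asks for."""
    out = []
    for i, t in enumerate(ET.fromstring(xml_text).findall("ipsec_tunnel"), start=1):
        out.append({
            "name": f"AWS tunnel {i}",
            "remote_gateway": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "psk": t.findtext("ike/pre_shared_key"),
            "p1": {  # Phase 1 (IKE) settings
                "mode": t.findtext("ike/mode"),
                "encryption": t.findtext("ike/encryption_protocol"),
                "hash": t.findtext("ike/authentication_protocol"),
                "dh_group": t.findtext("ike/perfect_forward_secrecy"),
                "lifetime": int(t.findtext("ike/lifetime")),
                "dpd_interval": int(t.findtext("ipsec/dead_peer_detection/interval")),
            },
            "p2": {  # Phase 2 (ESP) settings; static-route style, same selectors on both tunnels
                "local": LOCAL_LAN,
                "remote": VPC_CIDR,
                "protocol": t.findtext("ipsec/protocol"),
                "encryption": t.findtext("ipsec/encryption_protocol"),
                "hash": t.findtext("ipsec/authentication_protocol"),
                "pfs_group": t.findtext("ipsec/perfect_forward_secrecy"),
                "lifetime": int(t.findtext("ipsec/lifetime")),
            },
        })
    return out


def phase2_conflicts(tunnels):
    """Pairs of tunnels whose Phase 2 selectors overlap. A stock pfSense will not
    run both, so the second tunnel stays disabled until it is needed for failover."""
    conflicts = []
    for a in range(len(tunnels)):
        for b in range(a + 1, len(tunnels)):
            pa, pb = tunnels[a]["p2"], tunnels[b]["p2"]
            if pa["local"].overlaps(pb["local"]) and pa["remote"].overlaps(pb["remote"]):
                conflicts.append((tunnels[a]["name"], tunnels[b]["name"]))
    return conflicts


# Editor's check, not an AWS or pfSense feature: legacy algorithms worth replacing
# when the gateway offers a choice.
WEAK = {"group1": "768-bit MODP", "group2": "1024-bit MODP",
        "sha1": "SHA-1", "hmac-sha1-96": "SHA-1", "3des-cbc": "3DES"}


def weak_settings(tunnel):
    """List proposal values from WEAK found in either phase of one tunnel."""
    found = []
    for phase in ("p1", "p2"):
        for key in ("hash", "dh_group", "pfs_group", "encryption"):
            value = tunnel[phase].get(key)
            if value in WEAK:
                found.append(f"{phase}.{key}={value} ({WEAK[value]})")
    return found


def render(tunnels):
    """Human-readable summary; the PSK is never printed."""
    lines = []
    for t in tunnels:
        p1, p2 = t["p1"], t["p2"]
        lines.append(f"{t['name']}: remote gateway {t['remote_gateway']}, PSK ****")
        lines.append(f"  Phase 1: IKEv1 {p1['mode']} mode, {p1['encryption']}/{p1['hash']}/{p1['dh_group']}, "
                     f"lifetime {p1['lifetime']}s, DPD every {p1['dpd_interval']}s")
        lines.append(f"  Phase 2: {p2['local']} <-> {p2['remote']}, {p2['protocol']} {p2['encryption']}/{p2['hash']}, "
                     f"PFS {p2['pfs_group']}, lifetime {p2['lifetime']}s")
    for a, b in phase2_conflicts(tunnels):
        lines.append(f"  NOTE: {a} and {b} have overlapping Phase 2 selectors; enable only one at a time")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_tunnels(SAMPLE_CONFIG)))
```

The real file carries both pre-shared keys in clear text, so treat it like any other credential: the script deliberately keeps the PSK out of its output. Pointing the parser at a downloaded configuration instead of SAMPLE_CONFIG is just a matter of reading the file into `parse_tunnels`.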



  • @Heitor:

    Hi, I have problems communicating with my host on the VPC side. Do I need to add a manual route on my host?





  • @jimp:

    They must have added/changed something on the VPC side, since I've never seen one be that easy.

    they didn't, but we did (in 2.1.5) 8)

