2.2.4 IPSec connection to Amazon VPC up but can't ping



  • I've got the IPSec tunnel between my Amazon VPC and our PFSense router showing as up on both ends, but if I try to ping an instance in the VPC, it goes nowhere.

    I have two tunnels on the box - one to our remote DC on one IP and now this Amazon VPC one on a different WAN IP.  I set the VPN connection on Amazon to use static routing.

    Any suggestions on what to check?  Thanks.



  • Hi, I actually have the same problem when setting up the firewall in test mode/VPN connection.

    I found these "outdated" tutorials (because of no racoon implementation anymore) which look fine:

    and both IPSec tunnels themselves are up… so
    https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    didn't help much... ^^

    When I checked tcpdump I think there must be a problem with the right IPSec interface to bind the tunnel / set up firewall rules.
    Here are the main 3 repeating lines copied:

    [2.2.4-RELEASE][root@pfSense.test]/root: tcpdump -i enc0 -n icmp or port bgp
    20:42:22.791477 (authentic,confidential): SPI 0xcd87af1b: IP 169.254.237.33.53684 > 169.254.237.34.179: Flags [S], seq 1440180110, win 16384, options [mss 1387,sackOK,eol], length 0
    20:47:15.591127 (authentic,confidential): SPI 0xcd87af1b: IP 169.254.237.37.52878 > 169.254.237.38.179: Flags [S], seq 2316540796, win 16384, options [mss 1387,sackOK,eol], length 0
    20:51:09.621735 (authentic,confidential): SPI 0x155d9ef5: IP 192.168.1.1 > 172.31.0.1: ICMP echo request, id 56356, seq 0, length 64
    
    I also checked https://192.168.1.1/diag_logs_filter.php on interface "IpSec" and got both BGP requests blocked, like this line:
    
    Aug 13 18:52:02	IPsec		169.254.237.37:62637	169.254.237.38:179	TCP:S
    
    But even when I use the "Easy Rule: Pass this traffic" line the requests are still blocked... so there must be some other cause.
    
    Sadly there seems to be no common updated howto to set up IPSec for 2.2, or it's not known by aunt Google / this forum search.
    Perhaps someone knows a good one / a link to helpful information? ;)
    
    Bests
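    The script below is an added example for the diagnosis in this post; it is not code from the thread, from pfSense or from AWS. It parses the three tcpdump lines and the filter-log line quoted above and reports flows that were only ever seen in one direction on enc0 (the BGP SYNs with no reply) and filter-log hits against TCP/179 on the IPsec interface. The sample data is the post's own, plus two lines marked as constructed; the reply SPI and the WAN log line are placeholders.

```python
import re
from collections import OrderedDict

# Added example, not code from the thread. Parses "tcpdump -i enc0 -n" lines and
# pfSense filter-log lines and reports (a) flows seen in only one direction on
# enc0 and (b) filter-log hits on the IPsec interface against TCP/179 (BGP).
# Sample data is copied from the post; lines marked "constructed" are invented.

ENC0_SAMPLE = [
    "20:42:22.791477 (authentic,confidential): SPI 0xcd87af1b: IP 169.254.237.33.53684 > 169.254.237.34.179: Flags [S], seq 1440180110, win 16384, options [mss 1387,sackOK,eol], length 0",
    "20:47:15.591127 (authentic,confidential): SPI 0xcd87af1b: IP 169.254.237.37.52878 > 169.254.237.38.179: Flags [S], seq 2316540796, win 16384, options [mss 1387,sackOK,eol], length 0",
    "20:51:09.621735 (authentic,confidential): SPI 0x155d9ef5: IP 192.168.1.1 > 172.31.0.1: ICMP echo request, id 56356, seq 0, length 64",
    # constructed: what an answered ping looks like (inbound SPI is a placeholder)
    "20:51:09.700000 (authentic,confidential): SPI 0x00000000: IP 172.31.0.1 > 192.168.1.1: ICMP echo reply, id 56356, seq 0, length 64",
]

# Filter log as shown on diag_logs_filter.php: tab-separated time, interface,
# (empty rule column), src:port, dst:port, proto:flags. The post's view listed
# blocked entries only, so every line here is treated as a blocked packet.
FILTER_SAMPLE = [
    "Aug 13 18:52:02\tIPsec\t\t169.254.237.37:62637\t169.254.237.38:179\tTCP:S",
    # constructed: unrelated blocked packet on WAN, must not be reported
    "Aug 13 18:52:05\tWAN\t\t203.0.113.5:44321\t10.30.4.2:22\tTCP:S",
]

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \(authentic,confidential\): SPI (?P<spi>0x[0-9a-f]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_enc0(lines):
    """Return one dict per tcpdump line that matches the enc0 output format."""
    out = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if "179" in (rec["sport"], rec["dport"]):
            rec["kind"] = "bgp"
        elif rec["rest"].startswith("ICMP"):
            rec["kind"] = "icmp"
        else:
            rec["kind"] = "other"
        out.append(rec)
    return out


def one_way_flows(records):
    """Flows (src, dst) for which no packet was ever seen in the reverse direction."""
    seen = OrderedDict()
    for r in records:
        seen.setdefault((r["src"], r["dst"]), r)
    return [r for (src, dst), r in seen.items() if (dst, src) not in seen]


def blocked_bgp(filter_lines, iface="IPsec"):
    """Filter-log entries on `iface` whose destination port is 179 (the BGP session)."""
    hits = []
    for line in filter_lines:
        fields = [f for f in line.split("\t") if f]   # drop the empty rule column
        if len(fields) != 5:
            continue
        time, log_iface, src, dst, proto = fields
        if log_iface == iface and dst.endswith(":179") and proto.startswith("TCP"):
            hits.append({"time": time, "src": src, "dst": dst, "proto": proto})
    return hits


def report(enc0_lines=ENC0_SAMPLE, filter_lines=FILTER_SAMPLE):
    """Findings as a list of strings so callers can assert on them."""
    lines = []
    for r in one_way_flows(parse_enc0(enc0_lines)):
        lines.append(f"one-way {r['kind']} flow {r['src']} -> {r['dst']} (SPI {r['spi']}): "
                     "nothing ever came back through enc0")
    for h in blocked_bgp(filter_lines):
        lines.append(f"filter blocked BGP {h['src']} -> {h['dst']} on IPsec at {h['time']}: "
                     "no pass rule for TCP/179 between the tunnel addresses")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

    With the post's data it reports both BGP SYN flows as unanswered and the single blocked TCP/179 entry on the IPsec interface; the constructed ping reply shows what a healthy, two-way flow looks like and is not reported.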
    


  • Hi,

    I think I found a bug which causes the problem…

    When I tried to ping my tunnel IPs, even my firewall didn't answer...

    a) it may be a needed task to deactivate the private networks and perhaps also the bogon networks on the WAN interface?
      ( I hope not so)...

    b) => the routing is buggy...

    [2.2.4-RELEASE][root@pfSense.test]/root: route show 169.254.237.38
       route to: 169.254.237.38
    destination: default
           mask: default
        gateway: 10.30.4.1
            fib: 0
      interface: em0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0
    [2.2.4-RELEASE][root@pfSense.test]/root: route show 169.254.237.37
       route to: 169.254.237.37
    destination: default
           mask: default
        gateway: 10.30.4.1
            fib: 0
      interface: em0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0
    

    => I removed the static routes and the gateway and tried to setup them again

    ==> When I set up the IPSec Gateway with my WAN interface IP, it supersedes the WAN_DHCP interface every time … not so nice. And I guess this is the problem here...

    I tried to switch from IP Alias to CARP IP but same problem.

    ==> next small bug: when I switched the 2nd IP to CARP the VHID Group was not autoselected as "2" like in older pfSense versions.

    Is there an easy workaround (like downgrade to version ... ?) ;)
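    The script below is an added example for the route check in this post; it is not code from the thread or from pfSense/FreeBSD. It parses `route show <ip>` output like the two blocks above and flags tunnel peers whose lookup falls through to the default route on a WAN interface instead of a route that actually covers the peer. The first two blocks are the post's own (with the flags line split from the recvpipe header as FreeBSD prints it); the third block is constructed to show a healthy result, and its enc0 route and `link#5` gateway are assumptions.

```python
import ipaddress

# Added example, not code from the thread. Parses "route show <ip>" blocks and
# flags peers whose lookup falls through to the default route on a WAN
# interface. The first two blocks are copied from the post; the third is
# constructed (hypothetical covering /30 on enc0) to show a healthy lookup.

ROUTE_BLOCKS = [
    """
   route to: 169.254.237.38
destination: default
       mask: default
    gateway: 10.30.4.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
""",
    """
   route to: 169.254.237.37
destination: default
       mask: default
    gateway: 10.30.4.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
""",
    # constructed: the other tunnel's peer covered by a /30 on the IPsec interface
    """
   route to: 169.254.237.34
destination: 169.254.237.32
       mask: 255.255.255.252
    gateway: link#5
        fib: 0
  interface: enc0
      flags: <UP,DONE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
""",
]


def parse_route_show(text):
    """Turn one 'route show' block into a dict of field -> value."""
    info = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue   # skips the recvpipe/sendpipe header and its numbers row
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def route_covers(info):
    """True when destination/mask actually contains the queried address,
    False when the lookup fell through to the default route."""
    target = ipaddress.ip_address(info["route to"])
    if info["destination"] == "default":
        return False
    mask = info.get("mask", "255.255.255.255")
    if mask == "default":
        mask = "0.0.0.0"
    net = ipaddress.ip_network(f"{info['destination']}/{mask}", strict=False)
    return target in net


def check_tunnel_routes(blocks, wan_ifaces=("em0",)):
    """One finding per block whose peer is routed via the default route out a
    WAN interface; an empty list means every peer has a covering route."""
    findings = []
    for block in blocks:
        info = parse_route_show(block)
        iface = info.get("interface", "?")
        if not route_covers(info) and iface in wan_ifaces:
            findings.append(
                f"{info['route to']}: no covering route, falls through to default "
                f"via {info.get('gateway', '?')} on {iface}; the firewall's own "
                "packets to this peer are sent toward the WAN gateway"
            )
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_routes(ROUTE_BLOCKS):
        print(finding)
```

    Run against the post's two blocks it reports both peers; the constructed enc0 block passes. Pass your own WAN interface names in `wan_ifaces` if the box does not use em0.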



  • Hello,

    now it's up  ;)

    @breakaway:

    I have found the fix.

    Had to enable "Clear invalid DF bits instead of dropping the packets" in System > Advanced > Firewall/NAT.

    https://techlib.barracuda.com/display/bngv54/how+to+configure+an+ipsec+vpn+to+an+aws+vpn+gateway+with+bgp
    also has the "Clear DF bit" set and also mentions (as also written in the AWS generic VPN config file) that the MSS clamp should be 1387 bits …
    This can be set in "Advanced Settings" Tab of IPSec configuration.

    1. The tunnels were accidentally switched (phase1/phase2) ...
          Therefore I saw in tcpdump both sides pinging/trying to connect but getting no response, because the logical tunnel could not be differentiated there when diagnosing it.

    2. https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel#Configure_outbound_NAT
      I also needed to use Outbound NAT (setting it in 2.2.4 to mode "Hybrid Outbound NAT rule generation
      (Automatic Outbound NAT + rules below)" )

    To also use routing from the pfSense host to AWS (and not only from LANs), an additional Outbound NAT rule is needed from Any to the VPC network with mask onto the IPSec interface - otherwise the firewall tries to route over the WAN interface directly.

    Perhaps this can help you too?



  • @Reiner030:

    To also use routing from the pfSense host to AWS (and not only from LANs), an additional Outbound NAT rule is needed from Any to the VPC network with mask onto the IPSec interface - otherwise the firewall tries to route over the WAN interface directly.

    Perhaps this can help you too?

    (I hope it's okay to dig this post back up)

    Are you saying to create an outbound NAT rule on the IPsec interface with the source as "any" and the destination as the VPC network? Because I did this and when I try to traceroute from pfSense to a VPC IP it tries sending it out to my WAN (PPPOE) gateway. My setup follows these instructions: https://www.seattleit.net/blog/pfsense-ipsec-vpn-gateway-amazon-vpc-bgp-routing/ - I also tried https://fattylewis.com/amazon-aws-vpc-vpn-with-bgp-an-pfsense/ (my AWS support rep suggested that) and I had the same issue. I also had tried it with static routing but still, no juice.