PfSense virtual appliance in AWS connecting to client's Juniper IPSec



  • My infrastructure is hosted entirely in an AWS VPC.  I have both public (10.10.10.0/24) and private (10.10.23.0/24) subnets.  In the public subnet I have my webservers, the AWS gateway and my pfSense virtual appliance.  On my side, in pfSense, I'm using 172.16.23.0/24 as a BINAT.  I have 3 AWS Security Groups (My-web, My-internal and My-vpn).  I have my AWS subnet set to use a route table that routes traffic destined for my client to the pfSense instance, and the network ACL has been set to allow all traffic inbound and outbound.

    My client has private subnets of 10.158.159.0/24, 192.168.193.0/24 & 192.168.219.0/24.  We successfully configured the IPsec tunnel, and the phase 1 and 3x phase 2 tunnels are online.  The trouble we're having is that my client cannot get to any servers on my side, and I can't get to any on his.

    My understanding is that since I'm using a BINAT, if he wanted to access 10.10.23.37, he should actually use 172.16.23.37.  He's tried, and using nmap he can't see any ports open.  Going the other way, I'm trying to access his 192.168.219.20, and I can't see any ports open when using nmap.

    If I look at the filter logs, I can see my nmap request come in destined for the IP on his side, but I don't see anything else.
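The BINAT reasoning in the post (that the client must target 172.16.23.37, not 10.10.23.37) can be checked with a small model of what pfSense does with each packet: 1:1 translate the real subnet 10.10.23.0/24 to the BINAT network 172.16.23.0/24 keeping the host bits, then look for a phase 2 whose local/remote selectors cover the translated addresses. The following is an added example, not code from the original post or from pfSense; the addresses are taken from the post, and the phase 2 layout (local selector 172.16.23.0/24 paired with each of the three client subnets) is an assumption.

```python
import ipaddress

# Constructed from the addresses in the post (assumed layout, not an exported config):
# the real private subnet behind pfSense, the BINAT network it is presented as over
# the tunnel, and the three client subnets, one per phase 2 entry.
REAL_LOCAL = ipaddress.ip_network("10.10.23.0/24")
BINAT_LOCAL = ipaddress.ip_network("172.16.23.0/24")
REMOTE_NETS = [
    ipaddress.ip_network("10.158.159.0/24"),
    ipaddress.ip_network("192.168.193.0/24"),
    ipaddress.ip_network("192.168.219.0/24"),
]
# Each phase 2 is (local selector, remote selector). With BINAT the local
# selector the peer sees is the translated network, never the real one.
PHASE2 = [(BINAT_LOCAL, r) for r in REMOTE_NETS]


def binat(addr, from_net, to_net):
    """1:1 translate addr out of from_net into to_net, preserving the host bits."""
    a = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("BINAT networks must be the same size")
    if a not in from_net:
        raise ValueError(f"{a} is not in {from_net}")
    host_bits = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def match_phase2(local, remote):
    """Index of the phase 2 whose selectors cover (local, remote), or None."""
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for i, (lnet, rnet) in enumerate(PHASE2):
        if local in lnet and remote in rnet:
            return i
    return None


def outbound(src, dst):
    """Packet from a real local host towards the client: BINAT first, then SA lookup."""
    src = ipaddress.ip_address(src)
    translated = binat(src, REAL_LOCAL, BINAT_LOCAL) if src in REAL_LOCAL else src
    p2 = match_phase2(translated, dst)
    return {"src_on_wire": str(translated), "phase2": p2, "in_tunnel": p2 is not None}


def inbound(src, dst):
    """Packet from the client arriving over the tunnel: SA lookup, then BINAT back."""
    dst = ipaddress.ip_address(dst)
    p2 = match_phase2(dst, src)
    if p2 is None:
        # No selector covers it, so it never enters (or leaves) the tunnel.
        return {"phase2": None, "delivered_to": None, "in_tunnel": False}
    real = binat(dst, BINAT_LOCAL, REAL_LOCAL)
    return {"phase2": p2, "delivered_to": str(real), "in_tunnel": True}


if __name__ == "__main__":
    print(outbound("10.10.23.37", "192.168.219.20"))   # leaves as 172.16.23.37 via phase 2 #2
    print(inbound("192.168.219.20", "172.16.23.37"))   # lands on 10.10.23.37
    print(inbound("192.168.219.20", "10.10.23.37"))    # wrong target: no selector matches
```

The model only covers address selection on the pfSense side, which is what decides whether a packet is even a candidate for the tunnel. It does not cover the other things that also have to allow the traffic: the firewall rules on the pfSense IPsec interface, the security groups attached to the pfSense instance (they must admit the client's subnets, not just the VPC ranges), and the EC2 source/destination check, which must be disabled on any instance that forwards traffic for addresses other than its own, as a pfSense instance used as a VPC route-table target does.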