AWS VPC pfSense IPSec setup



  • Hi,

    I'm trying to set up an IPSec tunnel with a remote customer using a pfSense instance in AWS VPC. Phase 1 and Phase 2 tunnels are up, but I'm unable to send traffic over the VPN. Does anyone have experience with this setup?

    Thanks


  • Netgate

    We have the VPC wizard in the 'factory' image.  This ships on all systems from the pfSense project.

    I have no plans to put the VPC wizard in the community image.



  • I've set up working IPSec VPNs from pfSense instances running in AWS.

    How are you determining that traffic isn't being sent over the VPN? Have you run a packet capture on the enc0 interface? Or are you trying to ping (or connect in some other fashion) to a host on the other end of the tunnel and not seeing a response?



  • Hi,

    I'm doing a tcpdump. Below is the output.

    tcpdump -i enc0 -n host 172.17.105.30
    tcpdump: WARNING: enc0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
    capability mode sandbox enabled
    14:19:37.283197 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 45, length 64
    14:19:38.322525 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 46, length 64
    14:19:39.326262 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 47, length 64
    14:19:40.336486 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 48, length 64
    14:19:41.346257 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 49, length 64
    14:19:42.356650 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 50, length 64
    14:19:43.366639 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 51, length 64
    14:19:44.376240 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 52, length 64



  • ipsec status gives the following output:

    Security Associations (1 up, 0 connecting):
        con2000[10]: ESTABLISHED 29 minutes ago, 10.0.0.24[x.x.x.x]…x.x.x.x[x.x.x.x]
        con2000{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c215ff0f_i e0ce2c2e_o
        con2000{10}:  10.0.0.0/24|/0 === 172.17.105.30/32|/0

    Any ideas?



  • Your packet capture looks like you are sending packets over the VPN and you're just not seeing anything come back. You might want to check the other end of the tunnel and see if it looks like the traffic is arriving there.
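    The reasoning in the two replies above (capture on enc0, then cross-check the SPI and direction against `ipsec status`) can be automated. The script below is an added example and not code from the thread or from pfSense: it parses a strongSwan `ipsec status` child SA line for its inbound/outbound SPIs and traffic selectors, then classifies each enc0 packet line as outbound, inbound or outside the selectors. The embedded capture and status text are constructed from the lines quoted in the thread; the function names `parse_ipsec_status`, `classify_capture` and `diagnose` are this example's own.

```python
"""Classify an enc0 capture as one-way or two-way using the child SA's
SPIs and traffic selectors taken from `ipsec status` (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, copied from the thread so the script runs offline.
ENC0_CAPTURE = """\
14:19:37.283197 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 45, length 64
14:19:38.322525 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 46, length 64
14:19:39.326262 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 47, length 64
14:19:40.336486 (authentic,confidential): SPI 0xe0ce2c2e: IP 10.0.0.24 > 172.17.105.30: ICMP echo request, id 16705, seq 48, length 64
"""

IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
    con2000[10]: ESTABLISHED 29 minutes ago, 10.0.0.24[x.x.x.x]...x.x.x.x[x.x.x.x]
    con2000{10}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c215ff0f_i e0ce2c2e_o
    con2000{10}:  10.0.0.0/24|/0 === 172.17.105.30/32|/0
"""

# One enc0 line: timestamp, (flags), SPI, inner src > dst (optional .port), protocol.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r"(?P<proto>\S+)"
)
SPI_RE = re.compile(r"SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
TS_RE = re.compile(
    r"(?P<local>\d+\.\d+\.\d+\.\d+/\d+)\|/0 === (?P<remote>\d+\.\d+\.\d+\.\d+/\d+)\|/0"
)


def parse_ipsec_status(text):
    """Return the installed child SA's SPIs (as ints) and traffic selectors."""
    spi = SPI_RE.search(text)
    ts = TS_RE.search(text)
    if not spi or not ts:
        raise ValueError("no INSTALLED child SA with SPIs and selectors found")
    return {
        "spi_in": int(spi["spi_in"], 16),
        "spi_out": int(spi["spi_out"], 16),
        "local": ip_network(ts["local"]),
        "remote": ip_network(ts["remote"]),
    }


def classify_capture(capture, sa):
    """Count enc0 packets by direction relative to the SA's selectors."""
    summary = {"outbound": 0, "inbound": 0, "unmatched": 0, "unparsed": 0, "spis": set()}
    for line in capture.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PKT_RE.match(line)
        if not m:
            summary["unparsed"] += 1  # tcpdump banner lines land here
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        summary["spis"].add(int(m["spi"], 16))
        if src in sa["local"] and dst in sa["remote"]:
            summary["outbound"] += 1
        elif src in sa["remote"] and dst in sa["local"]:
            summary["inbound"] += 1
        else:
            summary["unmatched"] += 1  # outside the selectors: policy will not carry it
    return summary


def diagnose(capture, status_text):
    """Combine both parsers into a short list of findings for the operator."""
    sa = parse_ipsec_status(status_text)
    s = classify_capture(capture, sa)
    findings = []
    if s["outbound"] and sa["spi_out"] in s["spis"]:
        findings.append("outbound packets use the installed outbound SPI: encryption side is fine")
    if s["outbound"] and not s["inbound"]:
        findings.append("one-way traffic: nothing decrypted on the inbound SPI; "
                        "check the remote peer and the cloud-side routes/ACLs")
    if s["unmatched"]:
        findings.append(f"{s['unmatched']} packet(s) fall outside the negotiated selectors")
    return s, findings


if __name__ == "__main__":
    summary, notes = diagnose(ENC0_CAPTURE, IPSEC_STATUS)
    print(summary)
    for n in notes:
        print("-", n)
```

    Run it against a real capture by piping `tcpdump -i enc0 -n -l` output and `ipsec status` text into the two parsers; an `inbound` count of zero with a non-zero `outbound` count is the same one-way picture the capture in this thread shows, and a non-zero `unmatched` count points at a Phase 2 selector mismatch rather than a routing problem.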



  • Ensure that you have put in static routes in AWS VPC for the network on pfSense. Ensure that they have propagated into your routing table on AWS. Check that your Network ACLs and Security Groups allow traffic from the pfSense network to your AWS subnets. Check that the AWS instances don't have a firewall configured that blocks your traffic too.

