Site to site VPN between pfSense (physical machine) and AWS VPC using AWS VPN

lopezi · Nov 18, 2015, 2:28 AM

To any one that can help,

My pfSense machine is as follows:

pfSense v2.2.5-RELEASE(i386)
AMD Athlon XP 2700+ 2GB RAM
WAN NIC Intel based 10/100
LAN NIC 3COM 3C905 10/100

In any event, I am trying to establish an IP Sec site to site VPN with an AWS VPC utilizing Amazon's AWS VPN functionality. They just recently upgraded their offering to include AES-256 encryption and SHA-256 hash for Phase 1 and Phase 2.

More information can be found here on the AWS VPN: https://aws.amazon.com/blogs/aws/ec2-vpc-vpn-update-nat-traversal-additional-encryption-options-and-more/

I can get the tunnel to come up and I can successfully have traffic (ping, traceroute, RDP to AWS instance etc.) go across the tunnel (from both sides) but only if I set my Phase 2 settings with AES-256 encryption and SHA-1 hash. If I try setting Phase 2 with AES-256 encryption and SHA-256 hash, the tunnel comes up but I cannot get any traffic across it. I am baffled by this. I have contacted AWS support but they haven't been able to offer any insights. They did try re-creating my set up somewhat (they used some instance running StrongsWan albeit not a pFsense instance however) and they indicated that they were able to bring up the tunnel and have traffic go across when they set their Phase 2 to AES-256/SHA-256.

Knowing that I can get the tunnel up and traffic going across with AES-256/SHA-1 Phase 2, I'm puzzled as to why AES-256/SHA-256 Phase 2 brings the tunnel up but no traffic can go across. Mind you all other settings on my pfSense box stay the same, the only change is the hash for Phase 2 (SHA-1 vs. SHA-256).

Can anyone help me in troubleshooting?

My IPSec settings are as follows:

Phase 1:

IKEv1 as the Key Exchange
IPv4
XX.X.XXX.XX (substitute with the tunnel IP) as the remote gateway (as seen from my end)
"Mutual PSK" as the authentication method
"Main" as the negotiation mode
the Pre-Shared Key as viewed from the AWS "Download Configuration" file for Tunnel 1
AES-256 Encryption
SHA-256 Hash
DH group 2
Lifetime of 28800
DPD of 10 seconds, 3 retries

Phase 2:

Mode, Tunnel IPv4
Local network, 192.168.1.0/24
Remote network, 10.0.0.0/16
"ESP" protocol
AES-256 encryption
SHA-1 hash option can be chosen (what seems to works to get a tunnel and traffic)
SHA-256 hash option can be chosen (does not work to get traffic across the tunnel that comes up, additionally SHA-1 is not chosen when SHA-256 is chosen)
PFS key group 2
Lifetime 3600
auto ping host 10.0.0.245

Other options:

MSS 1387 bytes

Additionally, I verified the AWS routing/security group information:

the static routes on the VPN connection itself (vpn-XXXXXXXX) (192.168.1.0/24)
route propogation is enabled on the route table (for vgw-XXXXXXXX) and I see the route listed under the routes tab (rtb-XXXXXXXX)
the security group for the VPC has been updated to allow the IP address range access (192.168.1.0/24)

Thanks,
Ivan

lopezi · Nov 23, 2015, 1:25 PM

Just wondering if anyone had any hints/ideas? Anything you could point me to review/look at? I've looked at the ipsec logs and the ipsec conf and the settings appear to be correct and the logs do not contain any errors. I don't mind rolling up my sleeves a bit but just need a nudge in the right direction.

granth · Dec 16, 2015, 9:44 PM

It won't work. I beat my head against the wall for months trying to get it to work. I even had a support engineer from AWS helping and we concluded that it's just not possible.

Bottom line:
AWS uses a route-based IPsec VPN, while pfSense uses a policy-based IPsec VPN. Unfortunately, they're not compatible.

lopezi · Dec 18, 2015, 1:27 AM

I actually have it working but only if I use AES256/SHA-1 for my Phase 2 entries, the tunnel comes up and traffic goes across. However, when I try AES256/SHA-256 for Phase 2, the tunnel comes up but no traffic goes across.

I'd like to troubleshoot further but I'm at a disadvantage of where to dive in further. The logs do not indicate any errors so I don't know what else the issue may be.

The AWS support person I was in contact with said they have had Strongswan IPSec based devices connect fine.

I don't know if it's something in the pfSense Strongswan implementation or not, nor do I know where I'd dive in to determine that either.

Just hoping someone might have some insights.

Thanks again.

granth · Dec 18, 2015, 9:16 PM

I'm guessing you only have a single phase 2. I had a single p2 working, but multiple simultaneous phase 2's would not.

lopezi · Jan 2, 2016, 5:45 PM

@granth:

I'm guessing you only have a single phase 2. I had a single p2 working, but multiple simultaneous phase 2's would not.

Yes, just a single phase 2

lopezi · Jan 2, 2016, 5:48 PM

I've tried again with the latest update to pfSense 2.2.6 which brought in some updates to strongSwan.

I still experience the same issue, cannot use SHA-256 hash but SHA-1 is fine for phase 2.

I still do not know where further to dig into to try and unravel this issue.

lopezi · Jun 12, 2016, 2:47 PM

Just wanted to circle back on this issue, I've since upgraded to pfSense 2.3.1 on the same hardware config. I've tried switching to SHA-256 hash option for my Phase 2 and can now say that it works. I'm not sure what in particular has changed in strongswan between 2.2.6 and 2.3.1 that is allowing for it to now work but it does.