This manual covers the case of creating an IPsec VPN between a pfSense located inside a local network (in an office, for example) and a VPC inside Amazon AWS, allowing transparent access to the resources on both sides.
The following addresses are used only in this manual; substitute the values for your particular case:
Office LAN: 192.168.0.0/16
Office public IP: 203.0.113.1
Amazon VPC Net: 172.16.0.0/16 | my_vpc
Create Customer Gateway
Start in AWS by creating a Customer Gateway. The routing could be dynamic, but since BGP is not going to be used, Static routing must be selected. For that reason it is necessary to add a custom route to the Route Tables by hand (covered later):
Name Tag: test5
IP Address: 203.0.113.1
Create Virtual Private Gateways
Simply create a Virtual Private Gateway (VGW) and attach it to the target VPC.
Name Tag: test5
Attached to: 172.16.0.0/16 | my_vpc
Create VPN Connection
Now create the VPN Connection, joining everything created before. Afterwards, under the Tunnel Details tab there are two tunnels; we only use the first one, which shows the Amazon AWS public IP that the IPsec VPN connects to. Under the Static Routes tab there is a route for our office network.
Name Tag: test5
Virtual Private Gateway: vgw-xxxx | test5
Customer Gateway: Existing
cgw-xxxx (203.0.113.1) | test5
Routing Options: Static
Static IP Prefixes: 192.168.0.0/16
Download the configuration, mainly to obtain the Pre-Shared Key; the other parameters for pfSense are usually the same for everyone.
Software: Vendor Agnostic
Open the file and copy the Pre-Shared Key for later use:
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : AoLmjz_XLnktHkZxfSdm_69wJN11OqIuf9
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
Add custom route to Route Tables
This step depends on your particular VPC subnets and route table configuration, but essentially it is necessary to add a route entry that sends the traffic from your AWS subnet to your Office LAN through the Virtual Private Gateway.
Target: vgw-xxxxx | test5
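The AWS-side steps above, from the Customer Gateway to the route table entry, done with the AWS CLI instead of the console, as an added example that is not part of the original manual. It also parses the downloaded Vendor Agnostic file (the “- Key : value” lines quoted above) into the pfSense Phase 1 fields, so that the two ends cannot end up with a mismatched proposal because of a typo. The VPC id, the route table id and the dummy BGP ASN 65000 (the API requires one even for static routing) are assumptions; replace the placeholders with your own ids.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the AWS-side steps
# (Customer Gateway, Virtual Private Gateway, static VPN Connection, route
# table entry) as AWS CLI calls, plus a parser for the downloaded
# "Vendor Agnostic" configuration that reads off the pfSense Phase 1 values.
# Assumptions: AWS CLI with working credentials; VPC_ID and ROUTE_TABLE_ID
# are placeholders to replace; BGP ASN 65000 is a dummy value that the API
# demands even though static routing never uses it.
set -eu

OFFICE_PUBLIC_IP="203.0.113.1"
OFFICE_LAN="192.168.0.0/16"
VPC_ID="vpc-PLACEHOLDER"          # the VPC 172.16.0.0/16 | my_vpc
ROUTE_TABLE_ID="rtb-PLACEHOLDER"  # route table of the AWS subnet(s)
NAME_TAG="test5"

tag() { printf 'ResourceType=%s,Tags=[{Key=Name,Value=%s}]' "$1" "$NAME_TAG"; }

# Customer Gateway: the office pfSense, identified by its public IP.
create_customer_gateway() {
  aws ec2 create-customer-gateway --type ipsec.1 \
    --public-ip "$OFFICE_PUBLIC_IP" --bgp-asn 65000 \
    --tag-specifications "$(tag customer-gateway)" \
    --query CustomerGateway.CustomerGatewayId --output text
}

# Virtual Private Gateway, created and then attached to the target VPC.
create_and_attach_vgw() {
  vgw=$(aws ec2 create-vpn-gateway --type ipsec.1 \
    --tag-specifications "$(tag vpn-gateway)" \
    --query VpnGateway.VpnGatewayId --output text)
  aws ec2 attach-vpn-gateway --vpn-gateway-id "$vgw" --vpc-id "$VPC_ID" >/dev/null
  echo "$vgw"
}

# VPN Connection with "Routing Options: Static" and the office LAN as prefix.
create_vpn_connection() {
  vpn=$(aws ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id "$1" --vpn-gateway-id "$2" \
    --options StaticRoutesOnly=true \
    --tag-specifications "$(tag vpn-connection)" \
    --query VpnConnection.VpnConnectionId --output text)
  aws ec2 create-vpn-connection-route --vpn-connection-id "$vpn" \
    --destination-cidr-block "$OFFICE_LAN"
  echo "$vpn"
}

# The "Add custom route" step: office LAN -> VGW in the subnet's route table.
add_route_to_office() {
  aws ec2 create-route --route-table-id "$ROUTE_TABLE_ID" \
    --destination-cidr-block "$OFFICE_LAN" --gateway-id "$1" >/dev/null
}

# Read one "- Key : value" line from the Vendor Agnostic download, which
# lists the IKE SA parameters in the format quoted above.
ike_value() {
  sed -n "s/^[[:space:]]*- $2[[:space:]]*: *//p" "$1" | head -n 1
}

# Translate the AWS IKE values into the pfSense Phase 1 fields. A value this
# mapping does not know makes the function fail instead of guessing, because
# a proposal mismatch between the two ends is the usual reason Phase 1 never
# comes up.
pfsense_phase1() {
  f=$1
  case "$(ike_value "$f" 'Encryption Algorithm')" in
    aes-128-cbc) enc='AES 128 bits' ;;
    aes-256-cbc) enc='AES 256 bits' ;;
    *) echo "unknown encryption algorithm in $f" >&2; return 1 ;;
  esac
  case "$(ike_value "$f" 'Authentication Algorithm')" in
    sha1)   hash='SHA1' ;;
    sha256) hash='SHA256' ;;
    *) echo "unknown authentication algorithm in $f" >&2; return 1 ;;
  esac
  case "$(ike_value "$f" 'Perfect Forward Secrecy')" in
    *'Group 2')  dh='2 (1024 bit)' ;;
    *'Group 14') dh='14 (2048 bit)' ;;
    *) echo "unknown DH group in $f" >&2; return 1 ;;
  esac
  case "$(ike_value "$f" 'Phase 1 Negotiation Mode')" in
    main) mode='Main' ;;
    *) echo "unknown negotiation mode in $f" >&2; return 1 ;;
  esac
  life=$(ike_value "$f" 'Lifetime')
  printf 'Negotiation Mode: %s\nPre-Shared Key: %s\nEncryption algorithm: %s\nHash algorithm: %s\nDH key group: %s\nLifetime: %s\n' \
    "$mode" "$(ike_value "$f" 'Pre-Shared Key')" "$enc" "$hash" "$dh" "${life% seconds} seconds"
}

case "${1:-}" in
  apply)
    cgw=$(create_customer_gateway)
    vgw=$(create_and_attach_vgw)
    vpn=$(create_vpn_connection "$cgw" "$vgw")
    add_route_to_office "$vgw"
    echo "created $cgw $vgw $vpn; download the Vendor Agnostic config, then: $0 phase1 FILE" ;;
  phase1) pfsense_phase1 "${2:?path to the downloaded configuration}" ;;
esac
```

Run `sh aws-vpn.sh apply` once, then `sh aws-vpn.sh phase1 vpn-config.txt` on the file downloaded from the console; the output lines are exactly the pfSense Phase 1 fields used further down. The mapping only reproduces what the downloaded file specifies (here SHA1 and DH group 2), it does not choose the algorithms.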
Our office pfSense has two networks: a WAN interface, in this case behind a NAT but it could also be directly connected to the internet with a publicly routable IP, and another interface connected to the LAN.
Start by creating an IPsec VPN
Bring up Phase 1 with the particular values from the screen capture; usually only the Remote Gateway and the Pre-Shared Key change.
Key Exchange Version: V1
Internet Protocol: IPv4
Remote Gateway: 18.104.22.168
Description: VPC VPN
Authentication Method: Mutual PSK
Negotiation Mode: Main
My identifier: My IP address
Peer identifier: Peer IP address
Pre-Shared Key: AoLmjz_XLnktHkZxfSdm_69wJN11OqIuf9
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800 seconds
NAT Traversal: Auto
Dead Peer Detection: Enable DPD
Continue by bringing up Phase 2 with the particular values from the screen capture; usually only the Remote Network changes. To keep the tunnel up when there is no traffic, add the IP of an AWS host in the “Automatically ping host” field.
Change Local Network to something other than “LAN subnet” if your local network is different from, or larger than, the LAN connected to the interface.
Mode: Tunnel IPv4
Local Network: LAN subnet
Remote Network: 172.16.0.0/16
Encryption algorithms: AES 128 bits
Hash algorithms: SHA1
PFS key group: 2 (1024 bit)
Automatically ping host: ?
Under VPN: IPsec: Settings, define “Maximum MSS” to avoid otherwise inexplicable failures: tick “Enable MSS clamping on VPN traffic” and enter 1387 in the box.
Finally, if all went well, it should look something like this:
A firewall rule is necessary to allow IPsec traffic.
If your local network is different from, or larger than, the LAN connected to the interface, add another rule under the LAN tab to allow all traffic.
On the Amazon AWS side, the Status of the VPN Connection must change from DOWN to UP:
Try to ping a host from one side to the other; with the VPN established and no other particular network configuration, there should not be any issue.
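Checks for the verification steps above (tunnel state on pfSense, connection status on AWS, the ping test), as an added example that is not part of the original manual. The pfSense check parses the output of strongSwan's `ipsec statusall`, the IPsec stack pfSense runs; the exact wording of that output is an assumption to confirm against your own version (newer releases also offer `swanctl --list-sas`). The AWS check needs the vpn-xxxx id of the connection, which the manual does not show, and LAN_IP is a placeholder for the pfSense LAN address.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the "is it up?" checks
# described above, on the pfSense shell and against AWS.
# Assumptions: pfsense_sa_state reads the output of strongSwan's
# `ipsec statusall` (the IPsec stack on pfSense; the line format below is
# the one this example expects); aws_tunnel_status needs the AWS CLI and
# the vpn-xxxx id, which the write-up does not show; LAN_IP is a placeholder.
set -eu

REMOTE_NET="172.16.0.0/16"
LAN_IP="192.168.0.1"   # placeholder: the pfSense address on the office LAN

# Classify the tunnel from `ipsec statusall` text on stdin:
#   up           an IKE SA is ESTABLISHED and a CHILD SA is INSTALLED whose
#                traffic selector covers REMOTE_NET (Phase 1 and Phase 2 ok)
#   phase2-down  Phase 1 is up but there is no Phase 2 SA for REMOTE_NET
#                (often a Local/Remote Network or PFS group mismatch)
#   down         no IKE SA at all (PSK, proposal or firewall problem)
pfsense_sa_state() {
  status=$(cat)
  ike=$(printf '%s\n' "$status" | grep -c 'ESTABLISHED' || true)
  child=$(printf '%s\n' "$status" | grep -c 'INSTALLED, TUNNEL' || true)
  selector=$(printf '%s\n' "$status" | grep -Fc "=== $REMOTE_NET" || true)
  if [ "$ike" -gt 0 ] && [ "$child" -gt 0 ] && [ "$selector" -gt 0 ]; then
    echo up
  elif [ "$ike" -gt 0 ]; then
    echo phase2-down
  else
    echo down
  fi
}

# Ping an AWS host from the pfSense shell. -S forces the LAN address as the
# source: a ping sourced from the WAN address does not match the Phase 2
# selectors (Local Network = LAN subnet) and never enters the tunnel, which
# looks exactly like a broken VPN.
ping_over_tunnel() {
  ping -c 3 -S "$LAN_IP" "$1"
}

# AWS side: VgwTelemetry holds one row per tunnel with the VGW outside IP,
# UP/DOWN and the number of accepted static routes. With only Tunnel 1
# configured, one row UP with 1 route and one row DOWN is the expected result.
aws_tunnel_status() {
  aws ec2 describe-vpn-connections --vpn-connection-ids "$1" \
    --query 'VpnConnections[0].VgwTelemetry[*].[OutsideIpAddress,Status,AcceptedRouteCount]' \
    --output text
}

case "${1:-}" in
  pfsense) ipsec statusall | pfsense_sa_state ;;
  ping)    ping_over_tunnel "${2:?AWS host to ping}" ;;
  aws)     aws_tunnel_status "${2:?vpn-xxxx id}" ;;
esac
```

`sh vpn-check.sh pfsense` on the firewall answers up, phase2-down or down; `sh vpn-check.sh aws vpn-xxxx` prints the per-tunnel status the console shows under the VPN Connection.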
I hope it has been helpful…
- You can configure Tunnel 2 on the same pfSense, but don’t use the same public IP. For each IPsec tunnel, use a different public IP.