888.300.3118

This is a howto guide for establishing an IPSec VPN tunnel to an Amazon Virtual Private Cloud (VPC) using the pfSense 2.0 (RC1) open source router / firewall distribution. We will use Border Gateway Protocol (BGPv4) inside the tunnel, between the inside IP addresses, to exchange routes from the VPC to the example network using the OpenBGPD software package (available in the pfsense distribution as an add-on package).

pfSense AWS VPC IPsec Tunnel BGP Diagram

In this tutorial, we will be using the following example network topology for demonstration purposes (be sure to change the the RFC1918 WAN address space we show as 172.16.0.80/28 to your actual WAN, as well as the other LAN and AWS subnets to match your requirements):

Please be sure to make a backup of your entire pfSense configuration before proceeding, in the case you need restore a sane configuration.

Step #1: Deploy an Amazon VPC

Comprehensive instructions on setting up a Virtual Private Cloud on Amazon AWS can be found on the Getting Started Guide.

Although we will not cover all of the steps required for launching an Amazon VPC, you must choose an available external IP address on your pfSense gateway during the setup process. In this example, we are using 172.16.0.81 from our /28 WAN subnet.

In the setup process, you must define your internal address space for your VPC subnet, which will be associated with your VPC instances. After configuring the tunnel (presuming you have set this up using the AWS management Console), navigate to VPN Connection, highlight the connection you created, and select Download Configuration, choosing the generic vendor-agnostic configuration options.

You should also at this point create an instance in your new VPC and assign it an IP address within the VPC subnet you have defined, so at a later time you will be able to perform networking tests from hosts inside your pfSense VPN.

Another important step in this process is to ensure that there aren’t any blocking features set in the Security Group that has been associated with your VPC instance. The Networking ACLs, out of the box, are setup to Allow ALL.

We will over the other relevant settings required on the AWS side for networking later in this tutorial.

 

Step #2: Install Required Software

The next phase in our setup is to install the BGP daemon software from within the pfSense web UI. Navigate to System > Packages and install the OpenBGPD software. We will come back later to actually configure this software.

 

Step #3: Configure the Virtual IP Address Space on pfSense

We will need to create an IP alias of 169.254.255.2/30 for our Inside Address, so that we can communicate with our Amazon BGP peer (neighbor) at 169.254.255.1.

In the pfSense web UI, navigate to Firewall > Virtual IP’s, and select the plus button to add a new item. match the following configuration as shown in the image below and save:

pfSense Virtual IP

 

Step #4: Create a New Gateway and Static Route

The next step in the process is to configure a gateway on the pfSense WAN. This will be used for our static route to in communicating with our AWS BGP peer.

In the pfSense web UI, navigate to System > Routing, which will bring you to the Gateways tab. Set the following parameters as shown in the image below, adjusting the values for your particular deployment:

pfSense Amazon VPC BGP Gateway
After creating the new gateway and applying the changes, select the Routes tab, and replicate the following settings as shown below:

pfSense Amazon VPC BGP Route

pfSense will now be able to properly route the BGP traffic through our predefined Customer Gateway in our IPSec tunnel.

 

Step #5: Configure the pfSense IPSec VPN

We will now setup our IPSec VPN. From the pfSense web UI, navigate to VPN > IPSec, and select the plus button to create a new phase 1 entry. Copy the following settings shown below:

pfSense IPSec Tunnel

Save and apply these settings, and make sure to leave the tunnel disabled for now.

Create a new phase 2 entry by selecting the button as shown below:

pfSense Phase 2 Button Tunnel

This will reveal the list of associated phase 2 tunnels (currently empty). Select the plus button to create a new phase 2 entry as shown in the image below:

pfSense New IPSec Phase 2

Setup this tunnel with the local and remote subnets like so, ensuring that it is enabled before saving:

pfSense IPSec Phase 2 Tunnel 1

We will now create a second tunnel (repeating the process above), but this time declaring the local LAN subnet behind our pfSense router in the Local Subnet field, and the VPC subnet we wish to connect to:

pfSense IPSec Phase 2 Tunnel 2

 

Step #6: Configure OpenBGPD

Our configuration process is now ready for setting up our BGP daemon. Navigate to Services > OpenBGPD and configure the Settings tab as follows:

pfSense Services OpenBGPD

Next, setup a BGP group under the Group tab as shown below (make sure you reference the parameters provided in the VPC configuration you downloaded earlier):

pfSense Services OpenBGPD Group 2

Now we need to navigate to the Neighbors tab, and setup the parameters for our VPC peer:

pfSense Services OpenBGPD Neighbors 3

We are almost there…

Step #7: Setup IPSec Interface Firewall Rules

One important step in our initial setup phase is to create a rule on the IPSec interface in the Firewall > Rules dialog on the pfSense router. Ensure that you initial are allowing bidirectional traffic for all protocols on the IPSec interface.

pfSense IPSec Firewall Rules

 

Step #8: Finalize Settings and Enable IPSec VPN

One of our last steps before we enable our VPN is to browse back to the AWS Management Console and edit our VPC Route Tables.

To finalize our routes, we must setup:

  • Destination: <pfSense LAN Subnet> | Target: vgw-acbd1234
  • Destination: <VPC Subnet> | Target: local
  • Destination: <0.0.0.0/0> | Target: igw-abcd1234

Please verify that all of the above have the Status of active before proceeding.

The remainder of this guide will focus on bringing up our connections, and will aim to give you the tools and dialogs needed to troubleshoot any potential issues.

IPSec

Navigate back to VPN > IPSec from the pfSense web UI, and edit the IPSec phase 1 VPN you created. Uncheck Disable this phase 1 entry, then Save and Apply Changes.

At this point pfSense will enable the IPSec VPN.

You should now navigate to Status > IPSec in a new browser tab to monitor the status, Security Associations and logs. It may take some time for the connection to establish, depending on your pfSense system resources and network latencies, so have a bit of patience for the VPN to fully initialize.

When the two green icons appear under the Status menu (Status > IPSec > Overview), this will confirm that the VPN is up. Be sure to check the pfSense system logs if these both do not appear within a few minutes time.

OpenBGPD

Open another browser tab and navigate in the pfSense web UI to Services > OpenBGPD > Status. Here we are looking for a couple of things.

First we should look and see if we have established communications by viewing the OpenBGPD Summary section, and taking note of the Up/Down column. We can also view the system logs, under Status > System Logs where we should see the bgpd process log valid next hops.

Second, we you will want to check the OpenBGPD IP section to confirm that OpenBGPD is seeing the routes announced from the VPC (in this case, you should see 0.0.0.0/0 on one line AND your VPC subnet listed).

The OpenBGPD Neighbors section at this point should also be populated with statistics.

Test Networking to a VPC Running Instance

Presuming your pfSense deployment has been set to allow all traffic on the IPSec interface (and your LAN interface is set to allow egress ICMP traffic and SSH/TCP 22), from a host within your pfSense LAN, traceroute to the instance in the VPC. You should see something close to the following output:

If this stops at the 169.254.255.13 hop, you should verify that you have the correct settings in your VPC Route Table, as covered in the beginning section of this step. If the above traceroute succeeds, proceed with logging into the instance via SSH. Once logged in, you should perform the reverse networking tests from the instance to hosts in your pfSense LAN.

Once confirmation of bidirectional networking has been established, you should proceed with tightening down your security settings for allowing the minimums access controls needed.

Feel free to contact me with any questions or recommendations for revisions to this article.

Tagged with →  
Share →
Buffer

3 Responses to pfSense IPSec VPN Gateway + Amazon VPC + BGP Routing

  1. Loreto Puyod says:

    Dear SEATTLE IT,
    Thank for posting this wonderful guide easy to follow.
    I encounter some problem on this procedure of your. I think something is missing. I can only see 1 green icon on my IPsec. and i thing you need to create another Tunnel 2 and BGP for tunnel 2.. Here is my Ipsec log :racoon: [VPC]: INFO: IPsec-SA established: ESP 202.123.56.207[500]->72.21.209.193[500] spi=2464359132(0x92e322dc).

    On my Amazon VPC is say Phase 1 is connected but the VPN is down.

    • Gino says:

      Hi Loreto,

      A couple of things.. first, have you set the routes on the VPC Route Tables (on the AWS side, as described in Step #8)?

      Secondly, are you trying to use two IPSec tunnels (utilizing both redundant VPC VPN’s) and having problems. pertaining to running them at the same time?

  2. Loreto Puyod says:

    Hi Gino,
    Thanks to this wonderful site. I was able to establish two tunnels as required by AWS VPC type 3 . I was correct you just need to double your steps above. Now Im passing new problem. Our RODC located on Private subnet inside VPC cannot authenticate it self if Wanlink is down. I need a redundant VPN connection to our ISA Server. Do you have a link step procedure MS ISA + IPsec +Amazon VPC ?
    Thanks and more power to your Site.