Setup: IPSec VPN between Virtual PfSense Router and AWS managed VPN endpoint with static routing

This guide will assist you in launching a virtual PfSense router in AWS from the AWS Marketplace using PfSense and then configuring a site-to-site VPN with AWS VPN endpoints. Additional information on launching a virtual PfSense router in AWS can be found here.

Now, we will have a PfSense router and an instance behind it in one VPC, and then we will set up a second VPC with an instance where AWS VPN is configured.

1. VPC (with PfSence) CIDR 172.31.0.0/16 , you will have 3 subnets and 3 route tables.  They are described in detail below.

• Subnets: Management (172.31.0.0/24), Public (172.31.32.0/24), and Private (172.31.75.0/24)

• Route Tables: Management (0.0.0.0.0/0 to IGW), Public (0.0.0.0/0 to IGW), and Private (10.0.0.0/16 to Private ENI of PfSense) 

• eth0: 172.31.13.76 (ether1 in PfSense) - This is the Management interface (Security group allows access to SSH and HTTPS ports 22 and 443)

• eth1: 172.31.32.25 (ether2 in PfSense) - This is the Public interface (Security group allows all access from 172.31.0.0/16, 10.0.0.0/16 and 2 AWS VPN Endpoint IPs)

• eth2: 172.31.75.13 (ether3 in PfSense) - This is a Private interface (Security group allows all access from 172.31.0.0/16 and 10.0.0.0/16)

• Once the PfSense router is launched in AWS, please ensure that all interfaces are properly attached to the AWS instance. You may need to reboot the firewall and confirm that source/destination check is disabled on all three interfaces.  

2. Login into PfSense GUI using browser.

- In order to log in to the PfSense GUI, you need a username (default: admin) and a password. You can retrieve a temporary login password from an instance's userdata as shown below:

- Once you have the username and password, you can log in to the PfSense router using the management public IP at this URL https://35.167.207.82. After the initial login, it will prompt you to create a new password.

- To configure interfaces, go to Network > Interfaces > Ethernet. WAN and LAN interface IPs are automatically assigned. The following screenshot shows the interfaces. If the ENIs are properly attached to the EC2 instance, the Link State should turn green

3. VPC (with AWS VPN) CIDR 10.0.0.0/16, you will have 1 subnet and 1 route table.  They are described in detail below.

• Subnet: Dynamic (10.01.0/24)

• Route Table: Dynamic (172.31.0.0/16 to VGW) and (0.0.0.0/0 to IGW to allow access to backend instance in this VPC)

• Create a customer gateway by using Ether2 public IP of PfSence (EIP: 35.167.207.82)

• Create a Virtual Private Gateway and associate it with VPC

• Configure AWS Static VPN and download configuration for PFSense (GUI) and follow it to configure your VPN connection on the PfSense Router.

4.  Configure  IPSec VPN on PfSense firewall using Downloaded configuration file from AWS VPN console.

A. Phase-1 Proposal Configuration:  A Phase-1 proposal defines the IKE parameters for encryption, authentication, Diffie-Hellman, and lifetime.

B. IPSec Proposal Configuration:  An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, traffic selectors and rekey lifetime.

5. After configuring both phase-1 (IKE) and Phase-2 ( IPSec) parameters, you need to check connectivity between CGW and VGW public IPs:

6. Once, ICMP ping test between CGW and AWS public addresses are successful, you can go ahead and enable tunnel interface then trigger tunnel initiation as follows:

7. Bi-directional Connectivity test

Once VPN tunnel between PfSense and AWS came UP. Ran following connectivity tests:
- Ping test from AWS Instance to private instance behind PfSense in other VPC*:*

*-*Ping test from private instance behind PfSense to AWS: