How do I set up an IPsec VPN between a virtual pfSense router and an AWS managed VPN endpoint with static routing?


I want to use static routing to configure an AWS Site-to-Site VPN connection with a pfSense router.

Resolution

Prerequisites:

  • Configure an Amazon Virtual Private Cloud (Amazon VPC) CIDR that's associated with a virtual private gateway. Or, attach the Amazon VPC to a transit gateway.
  • Make sure that the Amazon VPC CIDR doesn't overlap with the on-premises network CIDR.

Create an AWS Site-to-Site VPN

To use static routing to create an AWS Site-to-Site VPN with a pfSense router, complete the following steps:

  1. To configure the AWS side of the VPN connection, complete steps 1 through 5 in Getting started with AWS Site-to-Site VPN.
    Note: Select the routing option as static in step 5.
  2. Open the Amazon VPC console, and then navigate to Site-to-Site VPN connections.
  3. Select your VPN connection, and then download the example configuration file for the router.
    Note: Use this example file to configure the AWS Site-to-Site VPN on the router.
  4. Log in to the pfSense router from your browser:
    In your browser's URL, enter the management IP address of the pfSense router.
    When the login page appears, enter the username and password.

Configure the phase 1 proposal parameters

Configure the phase 1 proposal or the Internet Key Exchange (IKE) proposal parameters. A phase 1 proposal defines the IKE parameters for encryption, authentication, Diffie-Hellman group, and lifetime.

To configure the phase 1 parameters, complete the following steps:

  1. Go to VPN, and then choose IPsec.
  2. Choose Tunnels, select Add P1, and then enter the following details:
    Under General Information, for Description, enter a description. For example, enter "AWS Tunnel 1."
  3. Under IKE Endpoint Configuration, enter the following information:
    For Key Exchange Version, select IKEv1 or IKEv2.
    For Internet Protocol, select IPv4.
    For Interface, select the outside (WAN) interface of the pfSense router.
    For Remote Gateway, enter the public IP address of the AWS tunnel.
  4. Under Phase 1 Proposal (Authentication), enter the following information:
    For Authentication Method, enter PSK.
    For Negotiation Mode, choose Main.
    For My Identifier, enter the public IP address of the pfSense router.
    For Pre-shared Key, enter the pre-shared key from the example configuration file.
  5. Under Phase 1 Proposal (Encryption Algorithm), select the Encryption algorithm, Key length, Hashing algorithm, and Diffie-Hellman group.
  6. Under Expiration and Replacement, for Lifetime, enter 28800 secs (8 hours).
  7. Under Advanced Options, turn on DPD, and then enter the following information:
    For Delay, enter 10 sec.
    For Max Failures, enter 3.
  8. Choose Save.

Configure the phase 2 proposal parameters

Configure the phase 2 proposal or the IPsec proposal for the tunnel. A phase 2 proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman group, and lifetime.

To configure the phase 2 proposal, complete the following steps:

  1. Go to VPN, and then choose IPsec.
  2. Choose Tunnels, select Add P2, and then enter the following details:
    Under General Information, for Description, enter a description. For example, enter "AWS Tunnel 1_Phase2."
  3. Under Networks, enter the following information:
    For Local Network, enter the private CIDR on the on-premises network.
    For Remote Network, enter the Amazon VPC CIDR.
  4. Under Phase 2 Proposal (SA/Key Exchange), select the Encryption algorithm, Key length, Hashing algorithm, and Diffie-Hellman group.
  5. Under Expiration and Replacement, for Lifetime, enter 3600 secs (1 hour).
    (Optional) For KeepAlive, enter a private IP address on the far side of the tunnel; pfSense pings that address to keep phase 2 active.

Activate the tunnel interface

To turn on the tunnel interface, complete the following steps:

  1. Go to VPN, and then choose IPsec.
  2. Choose Tunnels.
  3. Use the Disable toggle on the tunnel that you created so that the tunnel is enabled.

Start the tunnel initiation process

To start the tunnel initiation process, complete the following steps:

  1. Go to the Status dropdown list, and then choose IPsec.
  2. Choose Overview.
  3. Find AWS Tunnel 1. Note that it shows a Disconnected status.
  4. For Disconnected State, select the Connect P1 and P2 option to initiate the tunnel negotiations.
    Note: When the tunnel negotiations complete, the AWS Tunnel status changes to Established.

Related information

Tunnel options for your Site-to-Site VPN connection

AWS OFFICIAL, updated 4 months ago
1 Comment

If your pfSense also uses an internal IP, and this is seen during phase 1 negotiations during the change from port 500 to 4500, and you are receiving a 'received AUTHENTICATION_FAILED notify error' on the AWS side, make the following change in the pfSense:

In the Phase 1 Proposal (Authentication) section, change My identifier from 'My IP address' to 'IP address' and input the public IP of the pfSense.

replied 8 months ago