Vpn tunnel to Amazon VPC with pfsense

Tags: amazon-vpc, ipsec, pfsense, tunneling, vpn

I'm trying to create an IPsec tunnel between my office and our Amazon VPC. However, I have never used IPsec before, so I'm at a loss.

The gateway/firewall is running pfsense 2.1.3-RELEASE (i386) on FreeBSD 8.3-RELEASE-p16.

The office network uses 192.168.1.0/24 and 192.168.2.0/24 (OpenVPN clients). The VPC uses 10.0.0.0/24. The VPC gateway uses static routes.

I've tried to read up on how to create the tunnels in different guides, but I mostly get confused about how IPsec works, or the guide is for a different version of pfSense/AWS and, since I'm lacking understanding, I have a hard time translating it. Some guides talk about virtual IPs and some don't, and so on.

So I humbly ask if anyone here could create a step-by-step guide for me to create the tunnels in pfSense and perhaps try to explain a bit how things work.

This is the configuration guide I've got from Amazon (with credentials and office IP obfuscated):

                 IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : 
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.


The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contains an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel interface. 

Outside IP Addresses:
  - Customer Gateway                : x.x.x.x
  - Virtual Private Gateway                 : y.y.y.y
Inside IP Addresses
  - Customer Gateway                : 169.254.254.62/30
  - Virtual Private Gateway                 : 169.254.254.61/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes


#4: Static Routing Configuration:

To route traffic between your internal network and your VPC, you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.254.61

You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.


                 IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : xxxx
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.

The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contains an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel interface. 

Outside IP Addresses:
  - Customer Gateway                : x.x.x.x 
  - Virtual Private Gateway                 : z.z.z.z
Inside IP Addresses
  - Customer Gateway                : 169.254.254.58/30
  - Virtual Private Gateway                 : 169.254.254.57/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes


#4: Static Routing Configuration:

To route traffic between your internal network and your VPC, you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.254.57

You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.

Best Answer

I got IPsec to AWS configured on pfSense.

I am not going to provide you a click-by-click guide, but I can show you what our working config looks like. Replace the variables embedded with %%.

PH1

<phase1>
    <ikeid>6</ikeid>
    <interface>lan</interface>
    <remote-gateway>%%AWS_GW_IP%%</remote-gateway>
    <mode>main</mode>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data/>
    <peerid_type>peeraddress</peerid_type>
    <peerid_data/>
    <encryption-algorithm>
        <name>aes</name>
        <keylen>128</keylen>
    </encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>%%AWS_PSK%%</pre-shared-key>
    <private-key/>
    <certref/>
    <caref/>
    <authentication_method>pre_shared_key</authentication_method>
    <generate_policy/>
    <proposal_check/>
    <descr><![CDATA[ VPC AWS ]]></descr>
    <nat_traversal>off</nat_traversal>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>2</dpd_maxfail>
</phase1>

PH2

<phase2>
    <ikeid>6</ikeid>
    <mode>tunnel</mode>
    <localid>
        <type>network</type>
        <address>%%YOUR_NETWORK%%</address>
        <netbits>%%MASK%%</netbits>
    </localid>
    <remoteid>
        <type>network</type>
        <address>%%VPC_NETWORK%%</address>
        <netbits>%%MASK%%</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>aes</name>
        <keylen>128</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
    <lifetime>3600</lifetime>
    <pinghost>%%HOST TO CHECK%%</pinghost>
    <descr><![CDATA[VPC AWS]]></descr>
</phase2>

As far as I know configuring two tunnels so they work redundantly is not possible on PF.
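As an added example (not part of the question or the answer above), the following script parses the AWS-style tunnel text from the question into its parameters and compares them against a pfSense phase1/phase2 fragment shaped like the answer's, so mismatches between what AWS expects and what pfSense is configured with (for instance the DPD retry count) show up before the tunnel is brought up. The sample guide text, the XML fragment and the parameter mapping are constructed here; the numbers are the ones on the page.

```python
# Added example, not the original poster's or answerer's code. Parses the
# AWS "IPSec Tunnel" text format and checks a pfSense <phase1>/<phase2>
# fragment against it. Sample inputs below are constructed for this example.
import re
import xml.etree.ElementTree as ET

AWS_GUIDE = """IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Lifetime                 : 3600 seconds
  - DPD Interval             : 10
  - DPD Retries              : 3
"""

# pfSense fragment modelled on the answer's config; dpd_maxfail is 2 there.
PFSENSE_XML = """<ipsec><phase1><ikeid>6</ikeid><mode>main</mode>
<encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
<dpd_delay>10</dpd_delay><dpd_maxfail>2</dpd_maxfail></phase1>
<phase2><ikeid>6</ikeid><protocol>esp</protocol>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>2</pfsgroup><lifetime>3600</lifetime></phase2></ipsec>"""

def parse_aws_guide(text):
    """Return {section_number: {key: value}} for each '#N:' section of the AWS text."""
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r"#(\d+):", line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        kv = re.match(r"\s*-\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return sections

def check_pfsense(aws, xml_text):
    """Return [(setting, aws_value, pfsense_value)] for every parameter that differs."""
    root = ET.fromstring(xml_text)
    p1, p2, ike, sa = root.find("phase1"), root.find("phase2"), aws["1"], aws["2"]
    grp = lambda s: re.search(r"Group (\d+)", s).group(1)        # "Diffie-Hellman Group 2" -> "2"
    bits = lambda s: re.search(r"aes-(\d+)", s).group(1)         # "aes-128-cbc" -> "128"
    expected = [
        ("phase1/mode", ike["Phase 1 Negotiation Mode"], p1.findtext("mode")),
        ("phase1/hash-algorithm", ike["Authentication Algorithm"], p1.findtext("hash-algorithm")),
        ("phase1/keylen", bits(ike["Encryption Algorithm"]), p1.findtext("encryption-algorithm/keylen")),
        ("phase1/dhgroup", grp(ike["Perfect Forward Secrecy"]), p1.findtext("dhgroup")),
        ("phase1/lifetime", ike["Lifetime"].split()[0], p1.findtext("lifetime")),
        ("phase1/dpd_delay", sa["DPD Interval"], p1.findtext("dpd_delay")),
        ("phase1/dpd_maxfail", sa["DPD Retries"], p1.findtext("dpd_maxfail")),
        ("phase2/protocol", sa["Protocol"], p2.findtext("protocol")),
        ("phase2/lifetime", sa["Lifetime"].split()[0], p2.findtext("lifetime")),
    ]
    return [(k, want, got) for k, want, got in expected if want != got]
```

Running `check_pfsense(parse_aws_guide(AWS_GUIDE), PFSENSE_XML)` reports only the DPD retry count, since the answer's config uses 2 where the AWS text asks for 3.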