pfSense IPsec VPN to Amazon AWS not connecting
I'm trying to set up an IPsec VPN from our DC networks to our Amazon VPC, i.e. a site-to-site (network-to-network) connection. For this I've set up pfSense 2.2.6, given it a public IP on a WAN interface and three internal 'LAN' connections, from which we can manage pfSense and which can be used as a gateway towards AWS in each of our VLANs.
For the initial setup I'm using 172.24.0.0/16 at AWS as the internal range (the VPC range) and 172.20.20.0/24 at our DC as the internal range.
All the interfaces are up and can be reached (if I set the firewall to allow pings and/or other traffic). I then added routes on some servers in each VLAN that send traffic for the AWS subnet to the pfSense IP in that VLAN.



I've set up the IPsec connection according to http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched it connect. I did not see any 'allow' rules appear in the firewall after creating the IPsec setup and activating it, so I added some allow rules myself (allow everything for now, from the IPsec and LAN networks, just to make sure the firewall isn't blocking anything). Unfortunately, 40 seconds later the connection is gone and a new one is created. That repeats forever.



I've played with the Phase 1 and Phase 2 settings, but nothing I changed made it better.
I had a look at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try to figure out what the problem is, but I don't see the symptoms listed there.



Here is the log output of one of the connections:



Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
Apr 8 08:58:33 charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selecting proposal:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposal matches
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> remote host is behind NAT
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:35 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:37 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:43 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:44 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:47 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:47 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:57 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:59:09 charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:59:09 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
Apr 8 08:59:13 charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating new tasks
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending DPD vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
Apr 8 08:59:13 charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING


This is the AWS generic configuration (obfuscated):



Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
and is associated with two other identifiers, namely the
Customer Gateway Identifier and the Virtual Private Gateway Identifier.

Your VPN Connection ID : vpn-<hex>
Your Virtual Private Gateway ID : vgw-<hex>
Your Customer Gateway ID : cgw-<hex>

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.


IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : <shizzl>
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption


Hopefully it's something obvious that I'm overlooking. I'd very much appreciate any help or insights into fixing this.
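Added example (not part of the question, and not pfSense or strongSwan code): a small Python triage script for the pattern the charon log above shows, namely Phase 1 (Main Mode) completing, the Quick Mode request being retransmitted three times without a response, a DPD probe from the peer, and finally a DELETE for the IKE_SA about 40 seconds after it was established. It also compares each `configured proposals: ESP:...` line against the Phase 2 PFS group the AWS generic configuration asks for (Diffie-Hellman group 2, which strongSwan prints as MODP_1024): in the posted log the ESP proposal `ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ` names no DH group at all. The page does not confirm that this is the cause, so the script reports it as a mismatch to check rather than as the diagnosis. The sample log is a constructed excerpt of the lines posted above (addresses redacted as in the post); the regular expressions assume the strongSwan 5.x charon message format shown there, and the finding codes and explanations are this example's own.

```python
"""Triage a strongSwan (charon) IKEv1 log for the pattern in the question:
Phase 1 completes, the Quick Mode request is retransmitted and never answered,
the peer probes with DPD and finally sends a DELETE for the IKE_SA."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the charon log posted in the question (addresses redacted as in the post).
SAMPLE_LOG = """\
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
"""

# Assumption taken from the AWS generic configuration: Phase 2 PFS = Diffie-Hellman group 2 (MODP_1024).
EXPECTED_ESP_DH_GROUP = "MODP_1024"

SA_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$")
ESP_PROPOSAL_RE = re.compile(r"configured proposals:\s+(?P<props>ESP:\S+)")
QM_REQUEST_RE = re.compile(r"generating QUICK_MODE request (?P<mid>\d+)")
QM_RESPONSE_RE = re.compile(r"parsed QUICK_MODE response (?P<mid>\d+)")
RETRANSMIT_RE = re.compile(r"sending retransmit \d+ of request message ID (?P<mid>\d+)")

# Finding codes are this example's own naming, not strongSwan output.
EXPLANATIONS = {
    "phase2_unanswered": "IKE_SA established but a QUICK_MODE request was retransmitted and never answered; "
                         "the peer silently rejected Phase 2 (proposal, PFS group or traffic selectors).",
    "peer_deleted_after_dpd": "peer probed with DPD and then sent DELETE for the IKE_SA: it gave up waiting for a usable CHILD_SA.",
    "esp_pfs_mismatch": f"configured ESP proposal names no {EXPECTED_ESP_DH_GROUP} group, but the remote side asks for PFS with it.",
}


@dataclass
class SaReport:
    conn: str
    sa: str
    phase1_established: bool = False
    esp_proposals: list = field(default_factory=list)
    quick_mode_requests: set = field(default_factory=set)
    quick_mode_responses: set = field(default_factory=set)
    retransmits: int = 0
    dpd_from_peer: int = 0
    peer_deleted: bool = False


def dh_groups(proposal: str) -> list:
    """DH groups named in a strongSwan proposal string, e.g.
    'ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ' -> ['MODP_1024']."""
    algs = proposal.split(":", 1)[1].split("/")
    return [a for a in algs if a.startswith(("MODP_", "ECP_", "CURVE_"))]


def parse_log(text: str) -> dict:
    """Group charon events per IKE_SA, keyed by (connection name, SA number)."""
    reports = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # lines without a <conn|sa> tag (e.g. [KNL] acquires) are not per-SA
        rep = reports.setdefault((m["conn"], m["sa"]), SaReport(m["conn"], m["sa"]))
        msg = m["msg"]
        if "state change: CONNECTING => ESTABLISHED" in msg:
            rep.phase1_established = True
        elif (p := ESP_PROPOSAL_RE.search(msg)):
            rep.esp_proposals.append(p["props"])
        elif (q := QM_REQUEST_RE.search(msg)):
            rep.quick_mode_requests.add(q["mid"])
        elif (r := QM_RESPONSE_RE.search(msg)):
            rep.quick_mode_responses.add(r["mid"])
        elif RETRANSMIT_RE.search(msg):
            rep.retransmits += 1
        elif "INFORMATIONAL_V1 request" in msg and "N(DPD)" in msg:
            rep.dpd_from_peer += 1  # DPD R-U-THERE from the peer, not the vendor ID line
        elif "received DELETE for IKE_SA" in msg:
            rep.peer_deleted = True
    return reports


def diagnose(rep: SaReport, expected_dh: str = EXPECTED_ESP_DH_GROUP) -> list:
    """Return finding codes (keys of EXPLANATIONS) for one IKE_SA, in a fixed order."""
    findings = []
    unanswered = rep.quick_mode_requests - rep.quick_mode_responses
    if rep.phase1_established and unanswered and rep.retransmits:
        findings.append("phase2_unanswered")
    if unanswered and rep.dpd_from_peer and rep.peer_deleted:
        findings.append("peer_deleted_after_dpd")
    if any(expected_dh not in dh_groups(p) for p in rep.esp_proposals):
        findings.append("esp_pfs_mismatch")
    return findings


def triage(text: str) -> dict:
    """Map (conn, sa) -> finding codes for every IKE_SA seen in the log."""
    return {key: diagnose(rep) for key, rep in parse_log(text).items()}


if __name__ == "__main__":
    for (conn, sa), codes in triage(SAMPLE_LOG).items():
        print(f"{conn}[{sa}]:")
        for code in codes:
            print(f"  - {code}: {EXPLANATIONS[code]}")
```

Feed it the full IPsec log (Status > System Logs > IPsec in pfSense) in place of SAMPLE_LOG. An SA that comes back with no findings is one where a QUICK_MODE response was actually parsed and every configured ESP proposal carried the expected DH group; an SA flagged `phase2_unanswered` together with `esp_pfs_mismatch` is the first thing to compare against the peer's Phase 2 requirements before touching Phase 1 at all.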






























    0















    I'm trying to set up an ipsec vpn from our DC networks to our amazon vpc, so a site2site aka network to network connection. For this I've set up pfsense 2.2.6 and gave it a public IP on a WAN interface and three internal 'lan' connections from which we can manage pfsense and which can be used as a gateway in each of our vlans towards aws.
    For the initial setup I'm using 172.24.00.0/16 at aws as the internal range (the VPC range) and 172.20.20.0/24 at our DC as the internal range.
    All the interfaces are up and can be reached (if I set the firewall to allow pings and/or other traffic). I then added routes to some servers in each vlan that send traffic for the aws subnet to the pfsense ip in that vlan.



    I've set up the ipsec connection according to http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched it connect. I did not see any 'allow' rules appear in the firewall after creating the ipsec setup and activating it, so I added some allow rules myself (allow everything for now, from the ipsec and lan networks, just to make sure the firewall isn't blocking anything). Unfortunately 40 seconds later the connection is gone and a new one is created. That repeats for ever.



    I've played with the phase 1 and phase 2 settings, but nothing that I changed made it better.
    I had a look at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try and figure out what the problem is, but I don't see the symptoms listed there.



    Here is the log output of one of the connections:



    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating new tasks
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending DPD vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
    Apr 8 08:58:33 charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received DPD vendor ID
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selecting proposal:
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposal matches
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> remote host is behind NAT
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating new tasks
    Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
    Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
    Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
    Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
    Apr 8 08:58:35 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
    Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
    Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
    Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
    Apr 8 08:58:37 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
    Apr 8 08:58:43 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
    Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
    Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
    Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
    Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
    Apr 8 08:58:44 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
    Apr 8 08:58:47 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
    Apr 8 08:58:47 charon: 06[CFG] ignoring acquire, connection attempt pending
    Apr 8 08:58:57 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
    Apr 8 08:58:57 charon: 06[CFG] ignoring acquire, connection attempt pending
    Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
    Apr 8 08:58:57 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
    Apr 8 08:59:09 charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
    Apr 8 08:59:09 charon: 06[CFG] ignoring acquire, connection attempt pending
    Apr 8 08:59:13 charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
    Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
    Apr 8 08:59:13 charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating new tasks
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending DPD vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
    Apr 8 08:59:13 charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
    Apr 8 08:59:13 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
    Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING


    This is the aws generic configuration (obfuscated):



    Amazon Web Services
    Virtual Private Cloud

    VPN Connection Configuration
    ================================================================================
    AWS utilizes unique identifiers to manipulate the configuration of
    a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
    and is associated with two other identifiers, namely the
    Customer Gateway Identifier and the Virtual Private Gateway Identifier.

    Your VPN Connection ID : vpn-<hex>
    Your Virtual Private Gateway ID : vgw-<hex>
    Your Customer Gateway ID : cgw-<hex>

    A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
    It is important that both tunnel security associations be configured.


    IPSec Tunnel #1
    ================================================================================
    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
    - Authentication Method : Pre-Shared Key
    - Pre-Shared Key : <shizzl>
    - Authentication Algorithm : sha1
    - Encryption Algorithm : aes-128-cbc
    - Lifetime : 28800 seconds
    - Phase 1 Negotiation Mode : main
    - Perfect Forward Secrecy : Diffie-Hellman Group 2

    #2: IPSec Configuration

    Configure the IPSec SA as follows:
    - Protocol : esp
    - Authentication Algorithm : hmac-sha1-96
    - Encryption Algorithm : aes-128-cbc
    - Lifetime : 3600 seconds
    - Mode : tunnel
    - Perfect Forward Secrecy : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    recommend configuring DPD on your endpoint as follows:
    - DPD Interval : 10
    - DPD Retries : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space,
    which reduces the amount of space available to transmit application data.
    To limit the impact of this behavior, we recommend the following
    configuration on your Customer Gateway:
    - TCP MSS Adjustment : 1387 bytes
    - Clear Don't Fragment Bit : enabled
    - Fragmentation : Before encryption


    Hopefully it's something obvious that I'm overlooking. I'd very much appreciate any help or insights into fixing this.
      vpn amazon-web-services ipsec pfsense amazon-vpc
      edited Apr 8 '16 at 7:56
      Max
      asked Apr 8 '16 at 7:51
      Max
          1 Answer
          It turns out aws doesn't allow a tunnel to set up when the subnet we want to route to doesn't match defined subnets on the aws vpc. Because we only have a /24 subnet defined at aws, we couldn't send a /16 over there. Only once we decreased the routing mask to /24 would the ipsec vpn connect properly.
          We were expecting amazon to allow this and just drop all traffic that it doesn't have a subnet for. It doesn't work that way.
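The log in the question and the answer above together describe one failure mode: Phase 1 completes, pfSense proposes `172.20.20.0/24` for itself and `172.24.0.0/16` for the AWS side, the Quick Mode request is retransmitted three times with no reply, and AWS then sends a DELETE for the IKE_SA. The script below is an added example, not code from pfSense, strongSwan or AWS. It parses charon log lines of the kind shown in the question, pulls out the proposed traffic selectors, flags the stalled-Quick-Mode-then-DELETE pattern, and checks the remote selectors against the networks defined on the VPC side. The VPC network list (`172.24.0.0/24`) is a constructed value standing in for whatever /24 is actually defined in the VPC, and the check assumes a remote selector is acceptable when it lies inside one of those networks; the `diagnose`, `parse_quick_mode` and `selector_mismatches` names are the example's own.

```python
"""Check IKEv1 Quick Mode traffic selectors from a strongSwan (charon) log.

Added example for the question above. It reads charon log lines, collects the
selectors pfSense proposes for "us" (on-prem) and "other" (AWS), detects a
Quick Mode request that is retransmitted without a response and followed by a
DELETE from the peer, and reports remote selectors that do not fit inside the
networks defined on the VPC side. Function names and the VPC network list are
this example's own assumptions, not anything from pfSense, strongSwan or AWS.
"""
import ipaddress
import re

# charon line layout: "<Mon> <day> <time> charon: <thread>[<group>] [<conn|id>] <message>"
_PREFIX = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d charon: \d+\[[A-Z]+\] (?:<[^>]+> )?(?P<msg>.*)$"
)
_SELECTOR_HDR = re.compile(r"^proposing traffic selectors for (?P<side>us|other):$")
_SELECTOR = re.compile(r"^(?P<cidr>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/0$")
_RETRANSMIT = re.compile(r"^sending retransmit (?P<n>\d+) of request message ID")


def message(line):
    """Return the message part of a charon log line (the whole line if it does not match)."""
    m = _PREFIX.match(line.strip())
    return m.group("msg") if m else line.strip()


def parse_quick_mode(lines):
    """Walk the log once and collect what is needed to reason about Phase 2."""
    state = {
        "ike_established": False,  # Phase 1 (Main Mode) completed
        "local": [],               # selectors proposed for "us"
        "remote": [],              # selectors proposed for "other"
        "qm_sent": False,          # a QUICK_MODE request went out
        "qm_response": False,      # the peer answered Quick Mode
        "retransmits": 0,          # highest retransmit count seen
        "peer_deleted": False,     # the peer tore the IKE_SA down
    }
    side = None  # which selector list the next CIDR line belongs to
    for raw in lines:
        msg = message(raw)
        if "state change: CONNECTING => ESTABLISHED" in msg:
            state["ike_established"] = True
        hdr = _SELECTOR_HDR.match(msg)
        if hdr:
            side = "local" if hdr.group("side") == "us" else "remote"
            continue
        sel = _SELECTOR.match(msg)
        if sel and side:
            state[side].append(sel.group("cidr"))
            continue
        side = None  # selector lists are contiguous; any other line ends them
        rt = _RETRANSMIT.match(msg)
        if msg.startswith("generating QUICK_MODE request"):
            state["qm_sent"] = True
        elif msg.startswith("parsed QUICK_MODE response"):
            state["qm_response"] = True
        elif rt:
            state["retransmits"] = max(state["retransmits"], int(rt.group("n")))
        elif msg.startswith("received DELETE for IKE_SA"):
            state["peer_deleted"] = True
    return state


def selector_mismatches(remote_selectors, vpc_networks):
    """Return remote selectors that are not inside any network defined on the VPC side.

    Assumption of this example: AWS accepts a remote selector only when it lies
    within a network it knows about, so a /16 proposed against a /24 is rejected.
    """
    vpc = [ipaddress.ip_network(n) for n in vpc_networks]
    bad = []
    for cidr in remote_selectors:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(v) for v in vpc if v.version == net.version):
            bad.append(cidr)
    return bad


def diagnose(lines, vpc_networks):
    """Combine the log symptoms with the selector check into a list of findings."""
    st = parse_quick_mode(lines)
    findings = []
    if st["ike_established"] and st["qm_sent"] and not st["qm_response"] and st["retransmits"] >= 2:
        findings.append("phase2-stalled: Quick Mode request retransmitted %d times without a response"
                        % st["retransmits"])
    if st["peer_deleted"]:
        findings.append("peer-delete: remote gateway deleted the IKE_SA")
    for cidr in selector_mismatches(st["remote"], vpc_networks):
        findings.append("selector-mismatch: remote selector %s is not within VPC networks %s"
                        % (cidr, list(vpc_networks)))
    return {"state": st, "findings": findings}


# Lines taken from the charon log in the question (the public IP was already obfuscated there).
SAMPLE_LOG = """\
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:47 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
""".splitlines()

# Constructed value: the /24 the answer says is defined in the VPC (the exact prefix is not on the page).
VPC_NETWORKS = ["172.24.0.0/24"]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, VPC_NETWORKS)["findings"]:
        print(finding)
```

Run against the question's log with the constructed /24, the script reports the stalled Quick Mode exchange, the peer-initiated DELETE, and `172.24.0.0/16` as a selector outside the VPC networks; with `VPC_NETWORKS = ["172.24.0.0/16"]` the selector finding disappears while the log symptoms remain, which is the split a practitioner wants when deciding whether to look at Phase 2 settings or at the VPC definition.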























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f768967%2fpfsense-ipsec-vpn-to-amazon-aws-not-connecting%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
It turns out AWS doesn't allow a tunnel to set up when the subnet we want to route to doesn't match defined subnets on the AWS VPC. Because we only have a /24 subnet defined at AWS, we couldn't send a /16 over there. Only once we decreased the routing mask to /24 would the IPsec VPN connect properly.
We were expecting Amazon to allow this and just drop all traffic that it doesn't have a subnet for. It doesn't work that way.






                answered Apr 11 '16 at 12:01









Max
115
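The constraint the answer above describes (the pfSense Phase 2 remote network must be the VPC's own CIDR, not a broader prefix that merely contains it) is cheap to check before committing a tunnel configuration. The following is an added example, not the poster's code, with constructed sample prefixes; it classifies each proposed selector as an exact match, too broad (the /16-over-/24 failure on this page), too narrow, or disjoint, and names the VPC CIDR to use instead.

```python
import ipaddress

# Constructed sample values (not from the original post): the Phase 2
# remote network pfSense would propose and the CIDR defined on the AWS VPC.
PFSENSE_PHASE2_REMOTE = ["10.0.0.0/16"]
VPC_CIDRS = ["10.0.1.0/24"]


def check_phase2_selectors(remote_networks, vpc_cidrs):
    """Compare each proposed Phase 2 remote network against the VPC CIDRs.

    Returns a list of (proposed, verdict, suggestion) tuples. verdict is one of
    'match', 'too-broad', 'too-narrow' or 'disjoint'; suggestion lists the VPC
    CIDR(s) the selector should be changed to, or None if nothing overlaps.
    'too-broad' is the failure in the answer: a /16 proposed while the VPC
    only defines a /24 inside it, so AWS never brings the tunnel up.
    """
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    report = []
    for proposed in remote_networks:
        net = ipaddress.ip_network(proposed)
        same_family = [v for v in vpcs if v.version == net.version]
        exact = [v for v in same_family if v == net]
        # VPC prefix sits inside the proposal: selector is wider than the VPC.
        contained = [v for v in same_family if v != net and v.subnet_of(net)]
        # Proposal sits inside a VPC prefix: selector is narrower than the VPC.
        covering = [v for v in same_family if v != net and net.subnet_of(v)]
        if exact:
            report.append((proposed, "match", [str(exact[0])]))
        elif contained:
            report.append((proposed, "too-broad", [str(v) for v in contained]))
        elif covering:
            report.append((proposed, "too-narrow", [str(v) for v in covering]))
        else:
            report.append((proposed, "disjoint", None))
    return report


if __name__ == "__main__":
    for proposed, verdict, suggestion in check_phase2_selectors(
        PFSENSE_PHASE2_REMOTE, VPC_CIDRS
    ):
        print(f"{proposed}: {verdict}; use {suggestion}")
```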


























