pfsense ipsec vpn to amazon aws not connecting
I'm trying to set up an ipsec vpn from our DC networks to our amazon vpc, so a site2site aka network to network connection. For this I've set up pfsense 2.2.6 and gave it a public IP on a WAN interface and three internal 'lan' connections from which we can manage pfsense and which can be used as a gateway in each of our vlans towards aws.
For the initial setup I'm using 172.24.0.0/16 at aws as the internal range (the VPC range) and 172.20.20.0/24 at our DC as the internal range.
All the interfaces are up and can be reached (if I set the firewall to allow pings and/or other traffic). I then added routes to some servers in each vlan that send traffic for the aws subnet to the pfsense ip in that vlan.
I've set up the ipsec connection according to http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched it connect. I did not see any 'allow' rules appear in the firewall after creating the ipsec setup and activating it, so I added some allow rules myself (allow everything for now, from the ipsec and lan networks, just to make sure the firewall isn't blocking anything). Unfortunately 40 seconds later the connection is gone and a new one is created. That repeats forever.
I've played with the phase 1 and phase 2 settings, but nothing that I changed made it better.
I had a look at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try and figure out what the problem is, but I don't see the symptoms listed there.
Here is the log output of one of the connections:
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
Apr 8 08:58:33 charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selecting proposal:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposal matches
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> remote host is behind NAT
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:35 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:37 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:43 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:44 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:47 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:47 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:57 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:59:09 charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:59:09 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
Apr 8 08:59:13 charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating new tasks
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending DPD vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
Apr 8 08:59:13 charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING
This is the aws generic configuration (obfuscated):
Amazon Web Services
Virtual Private Cloud
VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
and is associated with two other identifiers, namely the
Customer Gateway Identifier and the Virtual Private Gateway Identifier.
Your VPN Connection ID : vpn-<hex>
Your Virtual Private Gateway ID : vgw-<hex>
Your Customer Gateway ID : cgw-<hex>
A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : <shizzl>
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
Hopefully it's something obvious that I'm overlooking. I'd very much appreciate any help or insights into fixing this.
vpn amazon-web-services ipsec pfsense amazon-vpc
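The log above shows phase 1 (Main Mode) reaching ESTABLISHED and the phase 2 QUICK_MODE request being retransmitted three times with no reply before AWS sends DPD and then DELETE. The following triage script is an added example, not part of the question or of pfSense/strongSwan: it folds charon log lines into per-IKE_SA state, reports whether the failure is in phase 1 or phase 2, and compares the logged proposals against the parameters in the AWS configuration. It assumes strongSwan's usual token names (aes-128-cbc as AES_CBC_128, sha1 as HMAC_SHA1_96, DH group 2 as MODP_1024) and that strongSwan only lists a MODP group in the ESP proposal when PFS is configured; the sample lines are constructed from the question's own log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the decisive lines of the question's log, same formats.
SAMPLE_LOG = """\
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:35 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
"""

# What the AWS configuration in the question asks for, as strongSwan tokens
# (assumed mapping: aes-128-cbc -> AES_CBC_128, sha1/hmac-sha1-96 ->
# HMAC_SHA1_96, Diffie-Hellman Group 2 -> MODP_1024, which in the ESP
# proposal means PFS group 2).
AWS_IKE_TOKENS = ("AES_CBC_128", "HMAC_SHA1_96", "MODP_1024")
AWS_ESP_TOKENS = ("AES_CBC_128", "HMAC_SHA1_96", "MODP_1024")

LINE_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ \d\d:\d\d:\d\d) charon: \d+\[(?P<grp>\w+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)


@dataclass
class SaState:
    phase1_established: bool = False
    ike_proposal: str = ""
    esp_proposal: str = ""
    quick_mode_sent: bool = False
    quick_mode_answered: bool = False
    retransmits: int = 0
    dpd_requests: int = 0
    delete_received: bool = False
    selectors: list = field(default_factory=list)


def parse_charon(text):
    """Fold charon log lines into one SaState per IKE_SA number."""
    states = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("sa") is None:
            continue  # kernel/acquire lines carry no <conn|sa> tag; skip them
        st = states.setdefault(m.group("sa"), SaState())
        msg = m.group("msg")
        if "state change: CONNECTING => ESTABLISHED" in msg:
            st.phase1_established = True
        elif msg.startswith("configured proposals: IKE:"):
            st.ike_proposal = msg.split("IKE:", 1)[1]
        elif msg.startswith("configured proposals: ESP:"):
            st.esp_proposal = msg.split("ESP:", 1)[1]
        elif msg.startswith("generating QUICK_MODE request"):
            st.quick_mode_sent = True
        elif msg.startswith("parsed QUICK_MODE response"):
            st.quick_mode_answered = True
        elif msg.startswith("sending retransmit"):
            st.retransmits += 1
        elif "N(DPD)" in msg:
            st.dpd_requests += 1
        elif msg.startswith("received DELETE for IKE_SA"):
            st.delete_received = True
        elif re.fullmatch(r"[\d.]+/\d+\|/\d+", msg):
            st.selectors.append(msg.split("|")[0])  # traffic selector line
    return states


def missing_tokens(proposal, expected):
    """Return the expected algorithm tokens absent from a logged proposal."""
    have = set(proposal.split("/"))
    return [t for t in expected if t not in have]


def triage(text):
    """Classify where the newest IKE_SA in the log failed and what differs from AWS."""
    states = parse_charon(text)
    sa_id = max(states, key=int)
    st = states[sa_id]
    if not st.phase1_established:
        phase = "phase1-failed"
    elif st.quick_mode_sent and not st.quick_mode_answered:
        phase = "phase2-unanswered"  # peer never replied to QUICK_MODE
    else:
        phase = "ok"
    return {
        "ike_sa": sa_id,
        "phase": phase,
        "retransmits": st.retransmits,
        "dpd_seen": st.dpd_requests > 0,
        "peer_deleted": st.delete_received,
        "ike_missing": missing_tokens(st.ike_proposal, AWS_IKE_TOKENS) if st.ike_proposal else [],
        "esp_missing": missing_tokens(st.esp_proposal, AWS_ESP_TOKENS) if st.esp_proposal else [],
        "selectors": st.selectors,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the question's log this reports phase2-unanswered with the ESP proposal lacking MODP_1024, which is the pfSense phase 2 setting to compare first against the AWS "Perfect Forward Secrecy : Diffie-Hellman Group 2" line.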
I'm trying to set up an ipsec vpn from our DC networks to our amazon vpc, so a site2site aka network to network connection. For this I've set up pfsense 2.2.6 and gave it a public IP on a WAN interface and three internal 'lan' connections from which we can manage pfsense and which can be used as a gateway in each of our vlans towards aws.
For the initial setup I'm using 172.24.00.0/16 at aws as the internal range (the VPC range) and 172.20.20.0/24 at our DC as the internal range.
All the interfaces are up and can be reached (if I set the firewall to allow pings and/or other traffic). I then added routes to some servers in each vlan that send traffic for the aws subnet to the pfsense ip in that vlan.
I've set up the ipsec connection according to http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched it connect. I did not see any 'allow' rules appear in the firewall after creating the ipsec setup and activating it, so I added some allow rules myself (allow everything for now, from the ipsec and lan networks, just to make sure the firewall isn't blocking anything). Unfortunately 40 seconds later the connection is gone and a new one is created. That repeats for ever.
I've played with the phase 1 and phase 2 settings, but nothing that I changed made it better.
I had a look at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try and figure out what the problem is, but I don't see the symptoms listed there.
Here is the log output of one of the connections:
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
Apr 8 08:58:33 charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
Apr 8 08:58:33 charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received DPD vendor ID
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selecting proposal:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposal matches
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> remote host is behind NAT
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating new tasks
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:33 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:35 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
Apr 8 08:58:35 charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:37 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:43 charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:58:43 charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
Apr 8 08:58:43 charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:44 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:47 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:47 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:58:57 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:59:09 charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid 4
Apr 8 08:59:09 charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
Apr 8 08:59:13 charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating new tasks
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending DPD vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
Apr 8 08:59:13 charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:59:13 charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:59:13 charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING
This is the aws generic configuration (obfuscated):
Amazon Web Services
Virtual Private Cloud
VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
and is associated with two other identifiers, namely the
Customer Gateway Identifier and the Virtual Private Gateway Identifier.
Your VPN Connection ID : vpn-<hex>
Your Virtual Private Gateway ID : vgw-<hex>
Your Customer Gateway ID : cgw-<hex>
A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : <shizzl>
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
Hopefully it's something obvious that I'm overlooking. I'd very much appreciate any help or insights into fixing this.
vpn amazon-web-services ipsec pfsense amazon-vpc
add a comment |
edited Apr 8 '16 at 7:56
Max
asked Apr 8 '16 at 7:51
Max
115
1 Answer
It turns out aws doesn't allow a tunnel to set up when the subnet we want to route to doesn't match defined subnets on the aws vpc. Because we only have a /24 subnet defined at aws, we couldn't send a /16 over there. Only once we decreased the routing mask to /24 would the ipsec vpn connect properly.
We were expecting amazon to allow this and just drop all traffic that it doesn't have a subnet for. It doesn't work that way.
answered Apr 11 '16 at 12:01
Max
115
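The cause given in the answer (a remote traffic selector wider than any subnet actually defined in the VPC) has a recognisable shape in the charon log: the Quick Mode request is retransmitted, never answered, and the peer then deletes the IKE_SA. The script below checks both mechanically; it is an added example, not code from the question or the answer, and the VPC subnet 172.24.20.0/24 is an assumed value, since the post only says "a /24".

```python
"""Compare the phase 2 selectors in a strongSwan (charon) IKEv1 log with the
subnets defined in the AWS VPC, and detect a stalled Quick Mode exchange.
Added example; not code from the original post."""
import ipaddress
import re

# Constructed sample: the phase 2 lines from the question's log, verbatim.
SAMPLE_LOG = """\
Apr 8 08:58:33 charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33 charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33 charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:37 charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:44 charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:57 charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13 charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
"""

# Assumption: the one subnet defined in the VPC. The question only says
# "a /24", so this exact prefix is constructed for the example.
VPC_SUBNETS = ["172.24.20.0/24"]

# A selector line ends in "<network>/<prefix>|/<protocol>"
_TS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/\d+$")


def parse_traffic_selectors(log_text):
    """Return {'us': [...], 'other': [...]} of the networks charon proposed
    in Quick Mode, as CIDR strings, in log order."""
    selectors = {"us": [], "other": []}
    side = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.endswith("proposing traffic selectors for us:"):
            side = "us"
            continue
        if line.endswith("proposing traffic selectors for other:"):
            side = "other"
            continue
        match = _TS_RE.search(line) if side else None
        if match:
            selectors[side].append(match.group(1))
        else:
            side = None  # any other line ends the selector list
    return selectors


def check_remote_selectors(proposed, vpc_subnets):
    """For each proposed remote network, say whether it fits inside one of
    the defined VPC subnets. Returns (selector, verdict) tuples; a verdict
    is 'ok' or a hint naming the subnets the selector would shrink to."""
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    results = []
    for text in proposed:
        net = ipaddress.ip_network(text)
        if any(net.subnet_of(s) for s in subnets):
            results.append((text, "ok"))
            continue
        # Wider than every defined subnet, or disjoint from all of them.
        inside = [str(s) for s in subnets if s.subnet_of(net)]
        if inside:
            verdict = "too wide; narrow to " + ", ".join(inside)
        else:
            verdict = "no overlap with any defined VPC subnet"
        results.append((text, verdict))
    return results


def quick_mode_stalled(log_text, min_retransmits=2):
    """The failure signature in the question: a QUICK_MODE request is sent,
    retransmitted, never answered, and the peer then deletes the IKE_SA."""
    sent = answered = deleted = False
    retransmits = 0
    for line in log_text.splitlines():
        if "generating QUICK_MODE request" in line:
            sent = True
        elif "parsed QUICK_MODE response" in line:
            answered = True
        elif sent and "sending retransmit" in line:
            retransmits += 1
        elif "received DELETE for IKE_SA" in line:
            deleted = True
    return sent and not answered and retransmits >= min_retransmits and deleted


def diagnose(log_text, vpc_subnets):
    """One finding per remote selector that does not fit the VPC."""
    selectors = parse_traffic_selectors(log_text)
    stalled = quick_mode_stalled(log_text)
    findings = []
    for text, verdict in check_remote_selectors(selectors["other"], vpc_subnets):
        if verdict == "ok":
            continue
        prefix = "phase 2 stalled and " if stalled else ""
        findings.append(f"{text}: {prefix}selector {verdict}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, VPC_SUBNETS):
        print(finding)
```

Run against a real `/var/log/ipsec.log` by reading the file into `diagnose()`; the selector check also applies to IKEv2 logs, where the same "proposing traffic selectors" lines appear.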