pfSense Plus Software Configuration Details
On the pfSense Plus software side, the wizard adds several items to configure the VPN to the VPC.
Aliases
First, it creates aliases for use in a firewall rule. These aliases hold the subnets between which traffic is permitted over the IPsec tunnel. One alias holds the local subnets on the pfSense Plus side and is named in the form VPC_Local_vpc_12345678; the other holds the remote subnets on the VPC side and is named in the form VPC_Remote_vpc_12345678.
Virtual IP addresses
Next, it adds virtual IP addresses on the lo0 (loopback) interface. These virtual IP addresses are the local "inside addresses" of the IPsec tunnels. When BGP routing is selected, they are used as the local address for BGP communication. These addresses are IPv4 link-local addresses (see RFC 3927). AWS assigns /30 subnets out of the network 169.254.0.0/16 for this purpose.
Note
These addresses are also useful as a ping target to execute a basic test of whether the tunnel is functioning properly. Executing a ping from a source address of one of these IP addresses to the corresponding inside address of the other end of the tunnel helps determine whether the tunnel negotiation is completing properly.
Firewall rules
Next, it adds a firewall rule on the IPsec interface which allows traffic from the VPC networks to the local subnets. This rule uses the previously created aliases as its source and destination targets.
IPsec
Then, it sets up IPsec phase 1 and phase 2 associations. Most of the required settings are extracted from a block of XML data returned by the CreateVpnConnection call during the AWS configuration step. This includes parameters such as the endpoint IP addresses, encryption ciphers, timer values, and so on.
If BGP routing was selected, the wizard creates configuration entries for the FRR BGP daemon. The required settings are determined using the AS number entered into the wizard and the parameters returned by the CreateVpnConnection call made during the AWS configuration step.
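As an added example (not code from the wizard or from pfSense), the following Python pulls the per-tunnel values described above (outside endpoints, the /30 inside addresses used for the lo0 VIPs and the ping test, IKE parameters, and the BGP AS numbers) out of a CreateVpnConnection configuration document and checks that the inside addresses really are a /30 inside 169.254.0.0/16. The XML below is constructed and its element names are an assumption modelled on the AWS customer gateway configuration format; the PSK is a placeholder.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; structure is assumed to resemble the AWS customer
# gateway configuration XML returned for a CreateVpnConnection call.
SAMPLE_XML = """<vpn_connection id="vpn-0123456789abcdef0"><ipsec_tunnel>
<customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.44.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
<bgp><asn>65000</asn><hold_time>30</hold_time></bgp></customer_gateway>
<vpn_gateway><tunnel_outside_address><ip_address>198.51.100.20</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.44.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
<bgp><asn>64512</asn></bgp></vpn_gateway>
<ike><encryption_protocol>aes-128-cbc</encryption_protocol><authentication_protocol>sha1</authentication_protocol>
<lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy>
<pre_shared_key>EXAMPLE_PSK_PLACEHOLDER</pre_shared_key></ike>
</ipsec_tunnel></vpn_connection>"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel> with the values the wizard consumes."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        cg, vg, ike = t.find("customer_gateway"), t.find("vpn_gateway"), t.find("ike")
        local = ipaddress.ip_interface(
            f"{cg.findtext('tunnel_inside_address/ip_address')}/"
            f"{cg.findtext('tunnel_inside_address/network_cidr')}")
        remote = ipaddress.ip_address(vg.findtext("tunnel_inside_address/ip_address"))
        # Inside addresses must be a /30 carved from 169.254.0.0/16, and both
        # ends must share that /30, or BGP peering and the ping test cannot work.
        if local.network.prefixlen != 30 or not local.network.subnet_of(LINK_LOCAL):
            raise ValueError(f"unexpected inside network {local.network}")
        if remote not in local.network:
            raise ValueError(f"remote inside address {remote} not in {local.network}")
        tunnels.append({
            "local_outside": cg.findtext("tunnel_outside_address/ip_address"),
            "remote_outside": vg.findtext("tunnel_outside_address/ip_address"),
            "local_inside": str(local),    # lo0 VIP: BGP source and ping source
            "remote_inside": str(remote),  # ping target for the basic tunnel test
            "local_asn": int(cg.findtext("bgp/asn")),
            "remote_asn": int(vg.findtext("bgp/asn")),
            "ike_encryption": ike.findtext("encryption_protocol"),
            "ike_lifetime": int(ike.findtext("lifetime")),
            "psk_present": bool(ike.findtext("pre_shared_key")),
        })
    return tunnels
```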