pfSense Configuration Details

On the pfSense® side, there are numerous configurations added to support the VPN to the VPC. First, aliases are created for use in a firewall rule. These aliases are intended to contain the subnets that traffic should be allowed to ingress over the IPsec tunnel. One alias represents the local subnets on the pfSense side and is given a name like ‘VPC_Local_vpc_12345678’ and the other represents the remote subnets on the VPC side and is given a name like ‘VPC_Remote_vpc_12345678’.

Next, virtual IP addresses are added on the lo0 (loopback) interface. These virtual IP addresses are the local “inside addresses” of the IPsec tunnels. They are used as the local address for BGP communication when BGP routing is selected. They are also useful as a ping target for a basic test of whether the tunnel is functioning properly: a ping sourced from one of these addresses to the corresponding inside address at the other end of the tunnel helps determine whether tunnel negotiation is completing properly. These addresses are IPv4 link-local addresses (see RFC 3927). AWS assigns /30s out of the network 169.254.0.0/16 for this purpose.

Next, a firewall rule is added on the IPsec interface that allows traffic from the VPC networks to the local subnets. This rule uses the previously created aliases as its source and destination.

Then IPsec phase 1 and phase 2 associations are set up. Most of the settings required are extracted from a block of XML data that was returned by the CreateVpnConnection call made during the AWS configuration step. This includes parameters like endpoint IP addresses, encryption ciphers, timer values, etc.

If BGP routing was selected, the configurations for the OpenBGPD BGP daemon are established. The required settings are determined using the AS number entered into the wizard and the parameters returned by the CreateVpnConnection call made during the AWS configuration step.
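The steps above can be checked against the data they come from. The following is an added example, not the pfSense wizard's own code: it parses a constructed customer-gateway XML in the shape returned by CreateVpnConnection (the element layout, addresses, ASNs, VPC id and key are all placeholders and assumptions), validates that each tunnel's inside addresses form a link-local /30 as the page describes, and derives the alias names, the lo0 virtual IP, the ping target and the phase 1 endpoint data.

```python
import ipaddress
import xml.etree.ElementTree as ET

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Constructed sample in the shape of the customer gateway configuration XML
# (assumed layout; addresses, ASNs and the key are placeholders, not real).
SAMPLE_XML = """<vpn_connection id="vpn-0abc1234">
 <ipsec_tunnel>
  <customer_gateway>
   <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.255.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65000</asn></bgp>
  </customer_gateway>
  <vpn_gateway>
   <tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.255.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>64512</asn></bgp>
  </vpn_gateway>
  <ike><pre_shared_key>PLACEHOLDER_PSK</pre_shared_key></ike>
 </ipsec_tunnel>
</vpn_connection>"""

def _text(node, path):
    """Text of a required child element; a missing element is an error."""
    found = node.findtext(path)
    if found is None or not found.strip():
        raise ValueError(f"missing element {path}")
    return found.strip()

def plan_tunnels(xml_text, vpc_id):
    """Per tunnel: lo0 VIP, ping target, outside endpoints, remote ASN, PSK."""
    root = ET.fromstring(xml_text)
    plan = {"aliases": {"local": f"VPC_Local_{vpc_id}", "remote": f"VPC_Remote_{vpc_id}"}, "tunnels": []}
    for tun in root.iter("ipsec_tunnel"):
        cgw, vgw = tun.find("customer_gateway"), tun.find("vpn_gateway")
        local_in = ipaddress.ip_address(_text(cgw, "tunnel_inside_address/ip_address"))
        remote_in = ipaddress.ip_address(_text(vgw, "tunnel_inside_address/ip_address"))
        cidr = int(_text(cgw, "tunnel_inside_address/network_cidr"))
        # AWS hands out link-local /30s; both inside addresses must sit in one.
        inside_net = ipaddress.ip_network(f"{local_in}/{cidr}", strict=False)
        if cidr != 30 or local_in not in LINK_LOCAL or remote_in not in inside_net:
            raise ValueError(f"bad inside addressing {local_in}/{cidr} <-> {remote_in}")
        plan["tunnels"].append({
            "local_outside": _text(cgw, "tunnel_outside_address/ip_address"),
            "remote_outside": _text(vgw, "tunnel_outside_address/ip_address"),
            "lo0_vip": f"{local_in}/{cidr}",  # virtual IP to add on lo0
            "ping_target": str(remote_in),  # AWS-side inside address
            "remote_asn": int(_text(vgw, "bgp/asn")),
            "psk": _text(tun, "ike/pre_shared_key")})  # keep out of logs
    return plan
```

The pre-shared key is carried in the returned plan only so it can be placed into the phase 1 settings; it should not be written to logs or left in the XML on disk once the tunnel is configured.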