Testing Connectivity

You can verify that the IPsec tunnels are functioning by pinging the “inside tunnel addresses” of the VPC side of the tunnel. To find the inside addresses configured on your side, navigate to Firewall -> Virtual IP. You should see two virtual IP addresses configured with descriptions like “Inside address for tunnel to <remote IP address>”.


Amazon provides inside addresses for each end of the tunnel in a /30 subnet in IPv4 link-local address space (169.254.x.y). Typically, the first usable address in the /30 is the inside address for the VPC end of the tunnel and the other usable address is the inside address for your end of the tunnel. So if you ping from one of the virtual IP addresses configured on your pfSense® instance to the IP address that is one less (for example, if your virtual IP address were, you would ping from to), you can check whether the other end of the tunnel is responding and whether the tunnel is functioning properly. You can do this by logging into your pfSense instance via ssh and executing ping from a shell prompt. For the previous example of, the proper syntax for the command to execute is ‘ping -S’.
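The /30 arithmetic described above, as an added shell example that is not part of the original documentation. The function names `tunnel_peer` and `tunnel_ping_cmd` are hypothetical and the 169.254.10.x addresses are constructed samples. It goes slightly beyond the text by also handling the case where your end holds the first usable address, and by rejecting the network and broadcast addresses of the /30.

```shell
#!/bin/sh
# Added example: derive the remote inside tunnel address from a local one.
# All addresses used here are constructed samples, not values from the page.

# Print the other usable host address in the /30 that contains $1.
# Returns 1 if $1 is not a usable host address in 169.254.x.y/30.
tunnel_peer() {
    addr=$1
    # Accept only digits and dots, with no empty fields.
    case $addr in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac   # no leading zeros
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    # Inside tunnel addresses live in IPv4 link-local space.
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] || return 1
    case $(( $4 % 4 )) in
        1) peer=$(( $4 + 1 )) ;;  # local is first usable, peer is second
        2) peer=$(( $4 - 1 )) ;;  # typical case: peer (VPC end) is one less
        *) return 1 ;;            # network or broadcast address of the /30
    esac
    echo "$1.$2.$3.$peer"
}

# Print the ping command that sources from the local inside address.
tunnel_ping_cmd() {
    peer=$(tunnel_peer "$1") || return 1
    echo "ping -S $1 $peer"
}

# Constructed sample: local virtual IP 169.254.10.6
tunnel_ping_cmd 169.254.10.6
```

Run the printed command from the pfSense shell, substituting the virtual IP address shown under Firewall -> Virtual IP for the sample address.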


Note that it sometimes takes a few minutes for the tunnels to begin working after the configuration wizard completes. You could also ping via the Diagnostics -> Ping page by selecting the appropriate source address and entering the remote tunnel inside address in the “Host” field. This will only send a limited number of ping packets, so you may need to repeat this a few times. If you elect to ping from a shell prompt, you can leave the command running indefinitely and interrupt it when you start seeing a response.