AWS VPN site-to-site tunnel behind NAT using pfSense IKEv1 IPsec VPN protocol

Pre-configuration steps

The configuration this tutorial arrives at is shown in the diagram below.

Diagram 1 Environment for testing AWS VPN using pfSense

Workstation environment

To demonstrate AWS VPN capabilities, a virtual environment was created on VMware Workstation 14.

Networking – initial configuration

Our Network configuration is presented in the table:

Name          | IP address       | Interface   | Purpose
Gateway       | 10.2.0.100/16    | pfSense     | Gateway, ref. pfSense WAN
dc.regmen.com | 10.2.0.40/16     | local       | Windows 2008 Domain Controller, DNS server
linux1        | 10.2.0.50/16     | lin_vif     | Management server
              | 10.2.0.51/16     | eno16777736 |
pfSense WAN   | 192.168.1.112/24 | WAN         |
pfSense LAN   | 10.20.0.100/16   | LAN         |

Table 1 Networking – on-premise.

VM Network

To configure the VM network properly, choose Edit in VMware Workstation and make sure the configuration looks like the screens below.

  1. Bridged interface to the network card of the Workstation host (your desktop behind the router NAT).

Screen 1 VMware Workstation network configuration.

  2. Make another interface for NAT purposes, with its gateway set to the LAN IP address of pfSense.

Screen 2 VMware Workstation network configuration – NAT configuration.

Router configuration

  1. To let the VPN traffic reach pfSense, make sure the static IP of the pfSense WAN interface is placed in the DMZ configuration of the WAN router.

Screen 3 DMZ on WAN router for pfSense WAN IP address.

  2. Make sure that IPsec traffic is not blocked by the router firewall.

Screen 4 IPSec Passthrough configuration on WAN router.

pfSense installation & configuration

The first step is to download the newest community edition of pfSense from https://www.pfsense.org/download . For this tutorial the version shown below was downloaded; please note that the bootable CD image will be used.

Screen 5 Downloading image for pfSense.

pfSense preparation on VMware Workstation 14

The downloaded CD image lets us create the VM in our VMware environment. The full installation steps follow.

All below steps should be performed on VMware Workstation.

  1. Choose File and New Virtual Machine. The wizard window appears.
  2. Choose Custom (Advanced).
  3. Leave the defaults in Hardware Compatibility (Workstation 14.x).
  4. In the next window choose Installer disc image file (iso) and provide the path to the pfSense ISO downloaded earlier.
  5. In Guest Operating System choose “Other” and select FreeBSD 11 64-bit.
  6. The next window is where you choose the name and path for the pfSense VM. In this tutorial pfSense is named pfSense-vm.
  7. In the Processor Configuration window choose the number of processors (leave the default – 1 core).
  8. In Memory Configuration choose the amount of memory (leave the default – 256 MB).
  9. In Network Configuration choose “Use bridged networking”.
  10. In SCSI controller choose LSI Logic.
  11. In the Disk type window choose SCSI.
  12. In the Select Disk window select the option “Create a new virtual disk”.
  13. In the Disk Capacity window, choose 5GB maximum disk size and select the option “Store virtual disk as a single file”.
  14. In the next window accept the default name for the vmdk file.
  15. Review the summary and click Finish.

Voila. The pfSense VM is almost ready. Let’s do the additional configuration.

  1. Right click on the created VM and select “Settings…”.
  2. From there remove the USB controller and the Sound card, as they are not necessary to run pfSense.

Moreover we need an additional network interface, as the bridged interface already created is for the WAN side of pfSense.

  1. In Hardware Tab select “Add…” button and from there choose Network Adapter.
  2. Make sure that this newly added network adapter has NAT option selected for Network Connection.

pfSense installation

After configuring the VM for pfSense, start it. After boot, the installation message appears.

Screen 6 Installation of pfSense.

Use the defaults until the installer finishes the job and reboots the system. After reboot, set up the WAN and LAN interfaces according to the table in the networking section.

Screen 7 Network interfaces configuration on pfSense.

After setup and boot, the pfSense menu appears with the IP address configuration just performed.

Screen 8 Menu of pfSense after boot with visible configured network interfaces.

pfSense firewall configuration

Now it is a good time to configure pfSense firewall and change administration ports.

Open a browser from the workstation using the LAN address, in this case 10.2.0.100; the default credentials are admin/pfsense.

After login, you have to go through the initial configuration steps, which include the option to change the default password. All those steps lead to the pfSense dashboard.

Screen 9 Dashboard of pfSense.

Now go to System – Advanced – Admin Access and configure the TCP ports for HTTP and SSH access. In this example the configuration is as follows.

HTTP TCP port: 6457

SSH TCP port: 6458

The pfSense web GUI can now be reached at 10.2.0.100:6457.

The first firewall rule that should be created is for the WAN interface; it enables traffic from the WAN subnet to the LAN – 192.168.1.0/24 (WAN) and 10.2.0.0/16 (LAN). Go to Firewall – Rules – Add and provide the information shown on the screen below.

Screen 10 Configuration of pfSense firewall rules.

Click Save and always remember to Apply Changes by clicking the green button.

Screen 11 Always Apply Changes.

Make sure that the firewall rules for the LAN interface look like the picture below.

Screen 12 Firewall rules for LAN interface in pfSense.

The last step for the pfSense firewall is to prepare a rule for IPsec traffic. Go to Firewall – Rules, select IPsec and click the Add button. Make the configuration like the picture below, then save and apply changes.

Screen 13 IPsec firewall rule in pfSense.

Amazon Web Services (AWS) – Network configuration

The baseline VPN configuration on the on-premise side is prepared, and now the configuration on AWS can proceed.

Overview of required steps on AWS

  1. AWS VPC is required.
  2. Two subnets, for public and private purpose.
  3. Configured two route tables, for public and private traffic.
  4. Internet Gateway for public access.
  5. Security groups for Public and Private Access.
  6. Existing Key pair.
  7. VM with Elastic IP, for the purpose of this example it is Windows Server 2012 R2.
  8. VM located in private subnet, in this example RHEL.

Overview of required steps on AWS in terms of pure VPN configuration

  1. Configured Customer Gateway with Public IP of on-premise location.
  2. Created Virtual Private Gateway attached to the VPC.
  3. Created VPN connection.

AWS Cloud Networking

Before we move with configuration, let’s define our network addressing within AWS VPC.

Name                 | IPv4 CIDR               | Purpose
AWS VPC              | 10.221.0.0/16           | AWS VPC IP space
LDZ_public           | 10.221.16.0/20          | Public Subnet
LDZ_private          | 10.221.0.0/20           | Private Subnet
LDZ_Public_RT        | See configuration steps | Route table for Public Subnet
LDZ_Private_RT       | See configuration steps | Route table for Private Subnet
LDZ_IGW              | See configuration steps | Internet Gateway
Public_Instances_SG  | See configuration steps | Security group for public instances
Private_Instances_SG | See configuration steps | Security group for private instances

Table 2 AWS Cloud Networking with IP addressing configuration.

VPC configuration

The first step is to create a VPC to enable networking capabilities in our AWS Cloud.

Ok, but what is a VPC?

  • VPC is a virtual network dedicated to your AWS account.
  • Each VPC is logically separated from other virtual networks in AWS.
  • It is defined by a range of IP addresses.
  • AWS instances are launched within VPC.
  • It contains other network resources like subnets, route tables, gateways and security configuration.

Diagram 2 AWS VPC example.

Creating the VPC requires the following data:

Name tag: LDZ_VPC

IPv4 CIDR block*: 10.221.0.0/16

Screen 14 VPC creation.

Subnet configuration

A subnet is a range of IP addresses in a particular VPC.

  • AWS resources are launched in the subnet of the choice.
  • Public and private subnets in use.
    • Public are for resources that need Internet connection via the Internet gateways.
    • Private are for resources that do not need or should not be accessed directly from the Internet.
    • Each subnet must be associated with a route table.

To create the required subnets go to VPC – Subnets and press the Create Subnet button. Then use the data below to create both subnets.

Public Subnet:

Name tag: LDZ_Public

VPC: LDZ_VPC

IPv4 CIDR block*: 10.221.16.0/20

Private Subnet:

Name tag: LDZ_Private

VPC: LDZ_VPC

IPv4 CIDR block*: 10.221.0.0/20

Internet Gateway configuration

A few words about Internet Gateways:

  • The default VPC includes an Internet gateway. Each default subnet is a public subnet.
  • Each launched instance in default subnet has a private IPv4 address and a public IPv4 address.
  • Instances communicate with the Internet through the Internet gateway.
  • Each region has multiple, isolated Availability Zones.

To configure the Internet Gateway on AWS go to VPC – Internet Gateway and click the Create internet gateway button. Perform the configuration by providing a name.

Name tag: LDZ_IGW

After creation select that gateway and, from the Actions menu, select Attach to VPC and choose the VPC created earlier, which in this example is called LDZ_VPC.

Amazon Web Services (AWS) – Instances configuration

Moving on to instances and security groups, we need some operating systems to test our VPN between the AWS Cloud and the on-premise environment.

For the purpose of this tutorial, two instances have been created.

Name            | Security groups      | IP address                                         | OS
LDZ_WIN2K12_PUB | Public_Instances_SG  | Elastic IP for public IP; Private IP: 10.221.21.60 | Windows Server 2012 R2
LDZ_RHEL_PRIV   | Private_Instances_SG | Private IP: 10.221.4.82                            | RHEL 7.5

Table 3 AWS Cloud instances configuration.

Key pair configuration

Key pair configuration can be done during creation of the first instance. At the end there is a window with the possibility to assign an existing key pair or create a new one.

A key pair is simply used as credentials, for authorization or for obtaining the generated password.

To create a key pair, go to EC2 Dashboard – Key pairs. After creation, a .PEM file containing the RSA private key is downloaded.

To use such a key, for example with PuTTY, you have to use PuTTY Key Generator. Then perform the following steps.

  1. Conversion – Import Key and provide the path to the downloaded .PEM key.

Screen 15 PuTTY key generator.

  2. Click the Save private key button and save it as a .PPK key.
  3. In PuTTY, while configuring the new session, provide the path to the saved PuTTY private key in Connection – SSH – Auth.

Security Groups configuration

Both required security groups can be created during the Launch instance process.

Name                 | Inbound rules                                                                   | Outbound rules
Public_Instances_SG  | Type: RDP, Protocol: TCP, Port Range: 3389, Source: 0.0.0.0/0                   | Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0
Private_Instances_SG | Type: SSH, Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0                     | Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0
                     | Type: All ICMP – IPv4, Protocol: All, Port Range: N/A, Source: 192.168.1.0/24   |
                     | Type: All ICMP – IPv4, Protocol: All, Port Range: N/A, Source: 10.2.0.0/16      |

Table 4 AWS VPC Cloud Security Groups configuration.

Amazon Web Services (AWS) – VPN configuration

So far the majority of the preparation work for the VPN connection has been done. The remaining configuration steps are:

  1. Configure Customer Gateway with Public IP from on-premise location.
  2. Create Virtual Private Gateway attached to VPC.
  3. Create VPN connection.

Diagram 3 AWS VPN connection.

Customer Gateway

The Customer Gateway is simply an Internet-routable IP address, which is your public IP address. Routing can be static or dynamic using BGP (Border Gateway Protocol).

For the purpose of this tutorial we are using static routing. Example of the provided configuration:

Name: LDZ_CGW

Routing: Static

IP address: <<Your Public On-premise IP>>

Virtual Private Gateway

Another component of AWS VPN is the Virtual Private Gateway. In other words, following the AWS documentation, it is the VPN concentrator on the Amazon side of the VPN connection. During creation you can specify the ASN (Autonomous System Number) for the Amazon side of the gateway.

  • By default, instances launched in an AWS VPC cannot communicate with outside networks.
  • To enable access from external networks you have to attach the VGW to the VPC and make suitable changes in route tables and security groups.

To configure the Virtual Private Gateway (VPG) go to the VPC dashboard and choose Virtual Private Gateways. Then click the Create Virtual Private Gateway button and provide the proper data, for example:

Name tag: LDZ_VPG

ASN: Amazon default ASN

Route Tables configuration

To make traffic flow properly around your VPC and the VPN configured in the next steps, you have to define route tables.

In our case there are two route tables, for public and private subnets.

Route table name | Subnet Association | Route propagation
LDZ_Public_RT    | LDZ_public         | LDZ_VPG ; Propagate: Yes
LDZ_Private_RT   | LDZ_private        | LDZ_VPG ; Propagate: Yes

Table 5 AWS VPC Cloud Route Tables configuration.

When route propagation is enabled for the Virtual Private Gateway created earlier, the proper static routes are propagated into the route table automatically.

Additionally, to make an Internet connection through the public subnet, a route to the Internet Gateway has to be added.

Screen 16 Route for Public Subnet to Internet Gateway.

VPN connections

Here we come to the last configuration step on the Amazon side. To create the VPN connection, go to VPC Dashboard and select VPN Connections. Then click the Create VPN Connection button and configure it as follows:

Name tag: LDZ_VPN

Virtual Private Gateway: LDZ_VPG

Customer Gateway: Existing

Customer Gateway ID: LDZ_CGW

Routing Options: Static

Static IP Prefixes: 192.168.1.0/24 ; 10.2.0.0/16

Tunnel Options: <<leave defaults>>

Screen 17 AWS VPN connection configuration.
Screen 17 AWS VPN connection configuration.

Wait until the state changes from pending to active. Then download the configuration by clicking the download button and choosing pfSense as the vendor.

Screen 18 AWS VPN pfSense configuration file.

On-premise – pfSense VPN configuration

The downloaded configuration file gives the data required for the VPN configuration on the on-premise side.

For the purpose of this tutorial, one tunnel will be configured.

  1. Go to pfSense (ex. http://192.168.1.112:6457/).
  2. Go to VPN – IPsec.
  3. From the Tunnels tab, click Add P1.
  4. Provide the general information from the file, example:
    1. Disabled : uncheck
    2. Key Exchange version : V1
    3. Internet Protocol : IPv4
    4. Interface : WAN
    5. Remote Gateway : XX.XXX.XX.XXX
    6. Description : Amazon-IKE-vpn-0898d6x11ggeb71s3f-0
  5. Provide the Phase 1 proposal (Authentication) per the file output, example:
    1. Authentication Method : Mutual PSK
    2. Negotiation mode : Main
    3. My identifier : My IP address
    4. Peer identifier : Peer IP address
    5. Pre-Shared Key : XXXXXXXXXXXXXXXXXXXXXXXX
  6. Provide the Phase 1 proposal (Algorithms) per the file output, example:
    1. Encryption algorithm : aes128
    2. Hash algorithm : sha1
    3. DH key group : 2
    4. Lifetime : 28800 seconds
  7. Provide the Advanced Options per the file output, example:
    1. Disable Rekey : uncheck
    2. Responder Only : uncheck
    3. NAT Traversal : Auto
    4. Dead Peer Detection : Enable DPD
    5. Delay between requesting peer acknowledgement : 10 seconds
    6. Number of consecutive failures allowed before disconnect : 3 retries
  8. Click Save and Apply Changes.

Now it is time to configure Phase 2.

  1. Expand the VPN configuration by clicking “+” and then create a new Phase 2 entry as follows:
    1. Disabled : uncheck
    2. Mode : Tunnel
    3. Local Network : Type : Network, Address : 10.2.0.0/16
    4. Remote Network : Type : Network, Address : 10.221.0.0/16
    5. Description : Amazon-IKE-vpn-0898d6x11ggeb71s3f-0
  2. Phase 2 proposal (SA/Key Exchange)
    1. Protocol : ESP
    2. Encryption algorithms : aes128
    3. Hash algorithms : sha1
    4. PFS key group : 2
    5. Lifetime : 3600 seconds
  3. Advanced Options
    1. Automatically ping host : 10.221.4.82 <<IP address of RHEL>>

We need to include another subnet, so another Phase 2 entry has to be configured.

  1. Expand the VPN configuration by clicking “+” and then create a new Phase 2 entry as follows:
    1. Disabled : uncheck
    2. Mode : Tunnel
    3. Local Network : Type : Network, Address : 192.168.1.0/24
    4. Remote Network : Type : Network, Address : 10.221.0.0/16
    5. Description : Amazon-IKE-vpn-0898d6x11ggeb71s3f-0
  2. Phase 2 proposal (SA/Key Exchange)
    1. Protocol : ESP
    2. Encryption algorithms : aes128
    3. Hash algorithms : sha1
    4. PFS key group : 2
    5. Lifetime : 3600 seconds
  3. Advanced Options
    1. Automatically ping host : 10.221.4.82 <<IP address of RHEL>>
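Before bringing the tunnel up it is worth checking that the addressing in Tables 1, 2 and 5, the static IP prefixes on the AWS VPN connection and the two Phase 2 entries above agree with each other. The script below is an added example of such a pre-flight check and is not part of the tutorial or of pfSense; the addresses are the tutorial's, while the helper names and the rules it enforces are my own.

```python
"""Pre-flight consistency check for the site-to-site VPN addressing plan.

Using only the standard library it verifies that:
  * both AWS subnets sit inside the VPC CIDR and do not overlap each other,
  * no on-premise static prefix overlaps the VPC CIDR (such traffic could not
    be routed through the tunnel),
  * every pfSense Phase 2 entry pairs a local network that is covered by a
    static IP prefix declared on the AWS VPN connection with a remote network
    inside the VPC CIDR, and every static prefix has a Phase 2 entry.
"""
from ipaddress import ip_network

# Values from the tutorial (Tables 2 and 5, VPN connection, Phase 2 entries).
VPC_CIDR = "10.221.0.0/16"
AWS_SUBNETS = {"LDZ_public": "10.221.16.0/20", "LDZ_private": "10.221.0.0/20"}
STATIC_PREFIXES = ["192.168.1.0/24", "10.2.0.0/16"]   # on the AWS side (LDZ_VPN)
PHASE2 = [("10.2.0.0/16", "10.221.0.0/16"),            # (local, remote) in pfSense
          ("192.168.1.0/24", "10.221.0.0/16")]


def check_plan(vpc_cidr, aws_subnets, static_prefixes, phase2):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    vpc = ip_network(vpc_cidr)
    subnets = {name: ip_network(cidr) for name, cidr in aws_subnets.items()}
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    statics = [ip_network(p) for p in static_prefixes]
    for s in statics:
        if s.overlaps(vpc):
            problems.append(f"static prefix {s} overlaps VPC {vpc}")
    locals_ = [ip_network(local) for local, _ in phase2]
    for local, remote in phase2:
        l, r = ip_network(local), ip_network(remote)
        # AWS only sends traffic into the tunnel for prefixes it was told about.
        if not any(l.subnet_of(s) for s in statics):
            problems.append(f"Phase 2 local {l} not covered by AWS static prefixes")
        if not r.subnet_of(vpc):
            problems.append(f"Phase 2 remote {r} is outside VPC {vpc}")
    # A static prefix without a Phase 2 entry means return traffic from AWS
    # arrives for a network pfSense has no security association for.
    for s in statics:
        if not any(s.subnet_of(l) for l in locals_):
            problems.append(f"static prefix {s} has no matching Phase 2 entry")
    return problems


if __name__ == "__main__":
    for line in check_plan(VPC_CIDR, AWS_SUBNETS, STATIC_PREFIXES, PHASE2) or ["OK"]:
        print(line)
```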

On-premise – pfSense VPN configuration – confirmation test

To check the status of your VPN tunnel in pfSense go to Status – IPsec.

Screen 19 Established IPsec connection with visible status in pfSense.

To confirm that the tunnel is really established, go to the AWS VPC Dashboard and check the status of your tunnel under VPN Connections.

Screen 20 AWS VPN Connection. Tunnel#1 is up and running.

Now let’s test whether it is possible to SSH to our RHEL instance from the Windows Server 2008 R2 located in the VMware Workstation environment on the on-premise site.

Screen 21 Connectivity test from VM on-premise to VM in AWS VPC Cloud.

It is time to ping the AWS Cloud RHEL instance from our workstation, located in the 192.168.1.0/24 subnet.

Screen 22 Connectivity test from on-premise Workstation standalone machine to RHEL Cloud instance.

As per the above test, the connection failed: neither SSH nor ping can reach the AWS Cloud RHEL instance. This is because pfSense, located in the VMware Workstation environment behind another NAT, is our VPN gateway with address 192.168.1.112, whereas by default the workstation uses the gateway provided by the router, which is 192.168.1.1. To solve it, a new static route should be set up.

For the purpose of this exercise, the workstation PC runs Windows 10. To configure the static route, run CMD or PowerShell as Administrator.

  1. Determine the interface number using route print.

Screen 23 Route print showing interface number.

  2. Add the static route using the interface number from the previous step.

PS C:\WINDOWS\system32> route ADD 10.221.0.0 MASK 255.255.0.0 192.168.1.112 IF 11
 OK!
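The reason the route is needed can be shown with a longest-prefix-match lookup over a minimal copy of the workstation's routing table, before and after the route ADD command above. This is an added example, not part of the tutorial; the routing table is constructed from the addresses in the text, and the helper names are mine.

```python
"""Next-hop selection on the Windows 10 workstation, before and after the
static route to the VPC is added."""
from ipaddress import ip_address, ip_network

# Constructed minimal view of the workstation's "route print" output:
# (network destination, netmask, gateway, interface index)
BEFORE = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", 11),        # default route via the router
    ("192.168.1.0", "255.255.255.0", "On-link", 11),  # directly connected LAN
]
ROUTE_ADD = "route ADD 10.221.0.0 MASK 255.255.0.0 192.168.1.112 IF 11"


def parse_route_add(cmd):
    """Turn 'route [-p] ADD <dst> MASK <mask> <gateway> IF <n>' into a table entry."""
    tokens = [t for t in cmd.split() if t.lower() != "-p"]  # -p only affects persistence
    if (len(tokens) != 8 or tokens[0].lower() != "route" or tokens[1].upper() != "ADD"
            or tokens[3].upper() != "MASK" or tokens[6].upper() != "IF"):
        raise ValueError(f"unsupported route command: {cmd}")
    dst, mask, gateway, ifindex = tokens[2], tokens[4], tokens[5], int(tokens[7])
    ip_network(f"{dst}/{mask}")  # raises ValueError if host bits are set in dst
    return (dst, mask, gateway, ifindex)


def next_hop(table, dst):
    """Longest-prefix match, as the Windows stack does; returns (gateway, ifindex)."""
    addr = ip_address(dst)
    best = None
    for d, m, gateway, ifindex in table:
        net = ip_network(f"{d}/{m}")
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifindex)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def route_to_rhel(table, route_cmd=None):
    """Next hop for the RHEL instance 10.221.4.82, optionally after a route ADD."""
    table = list(table)
    if route_cmd:
        new = parse_route_add(route_cmd)
        # The new gateway must itself be directly reachable (On-link); a next hop
        # that sits behind another router cannot be used as a gateway.
        if next_hop(table, new[2])[0] != "On-link":
            raise ValueError(f"gateway {new[2]} is not on a directly connected network")
        table.append(new)
    return next_hop(table, "10.221.4.82")


if __name__ == "__main__":
    print("before:", route_to_rhel(BEFORE))             # ('192.168.1.1', 11)
    print("after: ", route_to_rhel(BEFORE, ROUTE_ADD))  # ('192.168.1.112', 11)
```

Note that route ADD without the -p switch is lost at reboot; the parser accepts both forms so the persistent variant can be checked the same way.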

Test again.

Screen 24 Connectivity test from on-premise workstation to AWS Cloud RHEL instance.

Finally, test the connection from the private subnet in the AWS VPC to the on-premise local subnets.

Screen 25 Connectivity test from AWS Cloud RHEL instance to on-premise machines.

Voila – the VPN connection works like a charm, both ways, and can be used as a Proof of Concept for the Customer.
