DEV Community

Lucas Maltempi Monfardine

Redundant Site-to-Site IPSecVPN between AWS and pfSense

Disclaimer: this article was originally published on Medium in December 2021 and may not be 100% up to date.

While setting up an IPSec tunnel between an AWS VPC and a pfSense gateway looks simple at first, there is a little trick to getting it to work with both tunnels provided by AWS active at the same time, using VTI (routed) tunnels.

Here is a simple guide, if you ever need to connect your local network to an AWS VPC.

Part 1: Amazon side

First, let's set things up on the Amazon side. Go to the VPC menu, then to Customer Gateways and Create Customer Gateway.

On the new Customer Gateway screen, set a name for your gateway, choose Static Routing and insert your static public IP address (the one that will be used as gateway on your IPSec tunnel). Then, create the Customer Gateway.

You can check the State to make sure it’s available.

Now, go to the Virtual Private Gateways menu and create a new Virtual Private Gateway.

Name tag field is optional, and for ASN, pick Amazon Default ASN.

The Virtual Private Gateway will be created in a detached state.

Then, select the Virtual Private Gateway you just created, go to the Actions menu and select Attach to VPC.

On the next screen, select the VPC you want to connect with your local network and click on Yes, Attach.

After a while, it will change the state from attaching to attached.

Then, move to Site-to-Site VPN Connections and Create VPN Connection.

For the new VPN Connection, choose a name and pick the previously created Virtual Private Gateway and Customer Gateway. On Static IP Prefixes insert each network on your local side that will need to be accessed by AWS resources.

Leave all the other options as default and then create the VPN Connection.

On the next screen it will appear as pending, and after a while, will change to available.

Select the connection, go to Tunnel Details and save the inside tunnel network CIDRs shown there; they will be used later on the pfSense side.

Go to Static Routes tab and check if your local network is there.

At the top of the screen, click the Download Configuration button, choose pfSense and save the provided TXT file; it will be used in the next steps.

Still in the AWS Console, go to Route Tables and find the Route Table in use by your VPC.

After selecting the proper Route Table, go to Route Propagation tab and click Edit route propagation. Check the Propagate box and save.

Validate that the Propagate field changed to Yes on the previous screen.

The steps on the Amazon side are complete.

Part 2: pfSense side

  • Go to VPN > IPSec > Add P1 as you would normally do.

  • Use the instructions provided on the downloaded file to fill the P1 tunnel settings.

Save the settings matching what was provided and then Apply Changes on pfSense. P1 tunnels won't be brought up until a P2 tunnel is set up.

For the next step, add a P2 tunnel:

Now, the trick:

Instead of picking Tunnel IPv4, set the mode to Routed (VTI). Now we are going to use the inside tunnel IPs provided on the AWS console.

Since each block is a /30, the four addresses are used as follows:

  • First IP (169.254.43.192): network address

  • Second IP (169.254.43.193): used on the AWS side

  • Third IP (169.254.43.194): the one that should be used on pfSense

  • Fourth IP (169.254.43.195): broadcast address

The other settings are the defaults provided by AWS in the TXT file.

To keep the tunnel up, set the P2 ping host to the AWS-side IP (169.254.43.193 in this example).

Repeat the same process for the second tunnel.

Now, go to Interfaces > Assignments.

There you will have two new virtual network ports that you must add as interfaces.

They will be created as new OPT interfaces and must be enabled. It is also a good idea to rename them to something related to the tunnel they belong to.


After a while both tunnels will be up. You can validate that on AWS console.

For the last step, it is important to set the static routes on pfSense, so it knows how to reach the private IPs on the other side of the tunnels. For that, go to System > Routing.

Another important trick for the routing: if your VPC has a /16 CIDR, for example, one of the two VTI gateways gets a single destination network matching the VPC CIDR, and the other gets two /17 networks covering the same VPC.

Because the two /17 routes are more specific than the /16, traffic will flow only through the tunnel that carries them (tunnel A). If that tunnel fails, traffic will automatically be routed through tunnel B via the /16 route.
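As an added example (not part of the original post), the following Python script derives the pfSense-side VTI addresses from the inside tunnel /30 blocks and builds the split-route plan from the VPC CIDR, then models longest-prefix matching to show which tunnel carries the traffic and what happens when it goes down. The second tunnel block (169.254.44.0/30) and the VPC CIDR (10.0.0.0/16) are constructed values, and the route selection is a simplified model of a route table, not pfSense's own code.

```python
import ipaddress


def vti_addresses(inside_cidr: str) -> dict:
    """Split an AWS inside tunnel /30 into the roles described above."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"expected a /30 inside tunnel block, got {inside_cidr}")
    first, second = list(net.hosts())  # the two usable host addresses
    return {
        "network": str(net.network_address),   # first IP
        "aws": str(first),                      # second IP, AWS side
        "pfsense": str(second),                 # third IP, pfSense side
        "broadcast": str(net.broadcast_address),  # fourth IP
    }


def route_plan(vpc_cidr: str, primary_gw: str, backup_gw: str) -> list:
    """Static routes for pfSense: the VPC split in two halves via the
    primary VTI gateway (more specific, wins by longest prefix match) and
    the whole VPC via the backup VTI gateway (used only when the halves
    disappear because their gateway is down)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    routes = [(str(half), primary_gw) for half in vpc.subnets(prefixlen_diff=1)]
    routes.append((str(vpc), backup_gw))
    return routes


def resolve(routes: list, dst: str, down=frozenset()):
    """Longest-prefix match over the plan, skipping gateways marked down."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gw in routes:
        if gw in down:
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    tunnel_a = vti_addresses("169.254.43.192/30")  # value from the AWS console above
    tunnel_b = vti_addresses("169.254.44.0/30")    # constructed second tunnel block
    plan = route_plan("10.0.0.0/16", tunnel_a["aws"], tunnel_b["aws"])  # constructed VPC
    for cidr, gw in plan:
        print(f"route {cidr} via {gw}")
    print("normal:", resolve(plan, "10.0.200.7"))
    print("tunnel A down:", resolve(plan, "10.0.200.7", down={tunnel_a["aws"]}))
```

Each tuple in the plan maps to one static route in System > Routing, with the gateway being the VTI interface gateway whose address is the AWS-side IP of that tunnel.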

Don't forget to create a firewall rule on the IPSec interface if you don't have one already.

And also don’t forget to set a security group to allow incoming connections to your AWS instances from your local network IPs.
