Learn how to configure BGP over IPsec from pfSense to AWS. Our pfSense Support team is here to help you with your questions and concerns.
How to Configure BGP over IPsec from pfSense to AWS
Did you know that configuring Border Gateway Protocol over IPsec from a pfSense firewall to AWS involves several steps to set up a secure and efficient connection between the local network and AWS?
An Overview:
- Step 1: Configure BGP on pfSense
- Step 2: Validate BGP and IPsec Configuration
- Step 3: Simulate Failover and Validate Redundancy
- Step 4: Configure HA IPsec VPN with BGP Dynamic Routing
- Step 5: Install and Configure FRR Package
- Step 6: Configure BGP Neighbors
Step 1: Configure BGP on pfSense
- If we already have a BGP setup, we can view the current BGP status by going to Services > FRR BGP > Status.
- Also, in the BGP routing table, we will see the LAN route and routes learned from ASN 64515.
- So, make sure that the desired LAN networks are being advertised through BGP.
- Then, add two BGP peers for the AWS tunnels. So, go to Services > FRR BGP > Neighbors, then click Add.
- Next, it is time to configure BGP peering for the First Tunnel. So, enter the details from the AWS configuration file:
- Customer Gateway ASN: `65000`
- Virtual Private Gateway ASN: `62351`
- Neighbor IP Address: `158.254.202.87`
- Neighbor Hold Time: `30`
- Also, enter the neighbor IP address, add a description, set the Remote AS to AWS’s ASN (`62351`), and set the Update Source to `Ipv4`.
- Then, apply the route map for inbound and outbound traffic and click Save.
- Now, it is time to configure BGP peering for the Second Tunnel. So, we can follow the same steps as the first tunnel, but use the details for the second AWS tunnel:
- Customer Gateway ASN: `65000`
- Virtual Private Gateway ASN: `62351`
- Neighbor IP Address: `158.254.202 25`
- Neighbor Hold Time: `30`
Repeat the configuration steps and make sure the route map allows the routes from the second neighbor.
- Then, click Save.
Step 2: Validate BGP and IPsec Configuration
- Now, check the BGP Status on pfSense. So, go to Status > FRR > BGP.
- Then, verify that new routes toward the AWS subnet are being learned. The route with the lowest metric will be chosen, indicated by the “>” symbol.
- Now, log in to the AWS console and go to “Site-to-Site VPN Connections”. Select the VPN connection and check that the status is Up.
- Next, verify the number of routes learned under the tunnel details.
- Then, go to VPC > Routing Table > Routes and ensure all the routes propagated from the VPN gateway are visible and marked as propagated.
- Next, test connectivity from an EC2 instance in AWS. For example:
[ec2-user@ip-172-31-15-103 ~]$ ping 1.1.1.1 -c 2
[ec2-user@ip-172-31-15-103 ~]$ traceroute 1.1.1.1
- Finally, confirm the traffic is taking the expected path.
Step 3: Simulate Failover and Validate Redundancy
- Block access to the public IP of the active AWS tunnel to simulate an outage. The tunnel should go down within a few seconds.
- Also, check the routing table to ensure it has been updated to use the secondary tunnel for traffic to AWS.
- Then, run a traceroute again to confirm the traffic is now using the standby path:
[ec2-user@ip-172-31-15-103 ~]$ traceroute 1.1.1.1
Step 4: Configure HA IPsec VPN with BGP Dynamic Routing
- On both pfSense firewalls, create two IPsec Site-to-Site VPNs with Routed IPsec (VTI). Configure Phase 1 for both VPNs on each site.
- Now, use Mode Routed (VTI) and create a transit network with a `/30` subnet mask.
- Then, go to Interfaces > Assignments and assign and enable the new IPsec interfaces. The IP should be automatically assigned.
- Also, ensure firewall rules are in place to allow traffic between remote and local sites through the IPsec tunnel.
Step 5: Install and Configure FRR Package
- Go to System > Package Manager > Available Packages and search for `bgp` or `frr`. Install the package on both the master and slave servers.
- Then, go to Services > FRR Global/Zebra Configuration and add a route map to allow exchanging all routes with the peer.
- Next, go to Services > FRR BGP and configure the BGP protocol for each site. Set the internal IP from the LAN interface as the router IP.
Step 6: Configure BGP Neighbors
- First, go to Neighbors and create a neighbor called BGP. Set both inbound and outbound route map filters to ALLOW-ALL.
- Then, add the neighbors and use the peer group BGP configuration.
- Next, go to Services > FRR > Status > BGP and validate the settings in the BGP table.
- Finally, verify the advertised routes from the other peer under Diagnostics > Routes.
[Need assistance with a different issue? Our team is available 24/7.]
Conclusion
With the above steps, we will have a robust BGP configuration over IPsec between the pfSense firewall and AWS, ensuring secure and efficient routing with redundancy and failover capabilities.
In brief, our Support Experts demonstrated how to configure BGP over IPsec from pfSense to AWS.
0 Comments