Well, as it happens, I resolved this within 60 seconds of hitting send. :) On the side behind NAT, I needed to change my identifier to "IP Address" instead of "My IP Address" and list the public IP of the instance. At that point, everything came up as expected.
-Erik

On Mon, Oct 24, 2016 at 8:55 PM, Erik Anderson <[email protected]> wrote:
> Hello -
>
> I recently deployed the Netgate pfSense appliance into an AWS VPC. Due
> to how AWS handles their networking, all traffic to/from servers there
> to the public internet transit a 1:1 NAT. So the IP address that is on
> my pfSense router's WAN interface differs from its true public IP.
>
> I should note that I have pfSense on both sides - 2.3_RELEASE on the
> non-AWS side and 2.3.2_RELEASE inside AWS.
>
> As I expected when setting out to do this, I ran into some IPsec
> related issues when trying to bring up a tunnel. I've set up tunnels
> dozens of times between pfsense and other IPsec stacks without issue -
> this is the first time I've been stumped, and I'm certain it has
> something to do with the fact that the traffic transits a NAT on the
> way to the pfsense WAN interface.
>
> When I try and bring up the tunnel, I see these logs on the non-AWS end:
>
> http://hastebin.com/uyodoqubem.css
>
> ...and these on the AWS pfsense:
>
> http://hastebin.com/dinogaliyi.vbs
>
> Any ideas what could be going wrong here?
>
> This log message "found 1 matching config, but none allows pre-shared
> key authentication using Main Mode" seems like a red herring, as I've
> been through the P1 configs on both sides many times to make sure that
> parameters match.
>
> Thanks all -
> Erik

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
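The following is an added illustration of the identity mismatch described in this thread; it is not pfSense or strongSwan code, only a small model of how an IKE responder matches a peer behind a 1:1 NAT. The 1:1 NAT rewrites the packet's source address, so the remote side always sees the public IP on the wire, but the IKE ID payload carries whatever the initiator was configured to send: with "My IP Address" that is the private WAN address, with "IP Address" it is the operator-supplied public address. All addresses below are constructed RFC 5737 documentation addresses, and the failure string is the one quoted in the thread, reused here only as a label for the identity mismatch; the real daemon's matching logic is more involved.

```python
# Added illustration for the thread above; it is not pfSense or strongSwan
# code, only a model of how an IKE responder matches a peer's identity.
# All addresses are constructed RFC 5737 documentation addresses.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # Elastic IP the AWS 1:1 NAT maps to the instance
WAN_IP = "10.0.1.10"         # private address actually configured on the pfSense WAN
REMOTE_IP = "198.51.100.5"   # the non-AWS pfSense, directly on the internet


@dataclass(frozen=True)
class Phase1Config:
    """The identity side of a Phase 1 entry as the responder sees it."""
    peer_address: str        # where IKE packets are expected to come from
    peer_identifier: str     # the ID the peer must present in its ID payload
    auth: str = "psk"


def my_identifier(setting: str, wan_ip: str, public_ip: str) -> str:
    """ID payload the AWS side sends for the two pfSense 'My identifier' choices.

    'My IP Address' uses whatever address is on the interface, which behind a
    1:1 NAT is the private one. 'IP Address' uses an operator-supplied address.
    """
    if setting == "My IP Address":
        return wan_ip
    if setting == "IP Address":
        return public_ip
    raise ValueError(f"unsupported identifier type: {setting}")


def responder_match(cfg: Phase1Config, src_ip: str, idi: str) -> tuple[bool, str]:
    """Modeled responder-side matching for an IKEv1 Main Mode PSK exchange.

    First the packet's source address is matched against configured peers;
    then the ID payload (IDi) is matched against the configured peer identifier.
    A config that matches on address but not on identity is the case the
    thread's log line describes.
    """
    if src_ip != cfg.peer_address:
        return False, "no matching config for source address"
    if idi != cfg.peer_identifier:
        return False, ("found 1 matching config, but none allows pre-shared key "
                       "authentication using Main Mode")
    return True, "Phase 1 established"


def tunnel_comes_up(setting: str) -> tuple[bool, str]:
    """End-to-end: the AWS side initiates with the given 'My identifier' setting."""
    # The non-AWS side is configured with the AWS instance's public IP as both
    # the remote gateway and the expected peer identifier.
    remote_side = Phase1Config(peer_address=PUBLIC_IP, peer_identifier=PUBLIC_IP)
    # The 1:1 NAT rewrites the source address, so the wire source is always the
    # public IP; only the ID payload depends on the setting.
    idi = my_identifier(setting, WAN_IP, PUBLIC_IP)
    return responder_match(remote_side, src_ip=PUBLIC_IP, idi=idi)


if __name__ == "__main__":
    for setting in ("My IP Address", "IP Address"):
        ok, reason = tunnel_comes_up(setting)
        idi = my_identifier(setting, WAN_IP, PUBLIC_IP)
        print(f"{setting:14s} -> IDi={idi:14s} {'UP' if ok else 'FAIL'}: {reason}")
```

Running it shows the first setting failing at the identity check and the second succeeding, which is the same distinction that matters when checking the remote side's Phase 1 entry: the "Peer identifier" there has to equal what the NATed peer actually puts in its ID payload, not what its packets appear to come from.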
