Aviatrix Gateway to pfSense

This document describes how to configure an IPsec tunnel between an Aviatrix Gateway and a pfSense firewall using Aviatrix Site2Cloud.

Adding a Site2Cloud Tunnel in Aviatrix Controller

Log in to your Aviatrix Controller.
Select Site2Cloud on the left navigation bar.
Click + Add New near the top of the Site2Cloud tab.

Under Add a New Connection, enter the following:

Field	Expected Value
VPC ID / VNet Name	Select the VPC/VNet where this tunnel will terminate in the cloud.
Connection Type	Unmapped unless there is an overlapping CIDR block.
Connection Name	Name this connection. This connection represents the connectivity to the edge device.
Remote Gateway Type	Generic
Tunnel Type	UDP
Algorithms	Unmark this checkbox
Encryption over ExpressRoute/ DirectConnect	Unmark this checkbox
Enable HA	Unmark this checkbox
Primary Cloud Gateway	Select the Gateway where the tunnel will terminate in this VPC/VNet.
Remote Gateway IP Address	IP address of the pfSense device.
Pre-shared Key	Optional. Enter the pre-shared key for this connection. If nothing is entered one will be generated for you.
Remote Subnet	Enter the CIDR representing the network behind the edge device that this tunnel supports.
Local Subnet	The CIDR block that should be advertised on pfSense for the cloud network (will default to the VPC/VNet CIDR block)

Field

Expected Value

VPC ID / VNet Name

Select the VPC/VNet where this tunnel will terminate in the cloud.

Connection Type

Unmapped unless there is an overlapping CIDR block.

Connection Name

Name this connection. This connection represents the connectivity to the edge device.

Remote Gateway Type

Generic

Tunnel Type

UDP

Algorithms

Unmark this checkbox

Encryption over ExpressRoute/ DirectConnect

Unmark this checkbox

Enable HA

Unmark this checkbox

Primary Cloud Gateway

Select the Gateway where the tunnel will terminate in this VPC/VNet.

Remote Gateway IP Address

IP address of the pfSense device.

Pre-shared Key

Optional. Enter the pre-shared key for this connection. If nothing is entered one will be generated for you.

Remote Subnet

Enter the CIDR representing the network behind the edge device that this tunnel supports.

Local Subnet

The CIDR block that should be advertised on pfSense for the cloud network (will default to the VPC/VNet CIDR block)

Click OK.

Creating an IPsec Tunnel in pfSense

Log in to your pfSense dashboard.
In the VPN menu, select IPsec.
Click + Add P1.

Populate the fields according to your preferences. The important fields are (with extra emphasis on a few key fields):

General Information

Field	Expected Value
Key exchange version	IKEv1
Remote Gateway	Enter the public IP address of the Aviatrix Gateway here.

Field

Expected Value

Key exchange version

IKEv1

Remote Gateway

Enter the public IP address of the Aviatrix Gateway here.

Phase 1 Proposal

Field	Expected Value
Authentication Method	Mutual PSK
My identifier	My IP address
Peer identifier	IP address. Enter the Public IP address of the remote Aviatrix Gateway
Pre-Shared Key	Enter the PSK from the Site2Cloud tunnel creation step.

Field

Expected Value

Authentication Method

Mutual PSK

My identifier

My IP address

Peer identifier

IP address. Enter the Public IP address of the remote Aviatrix Gateway

Pre-Shared Key

Enter the PSK from the Site2Cloud tunnel creation step.

Phase 1 Proposal (Algorithms)

Field	Expected Value
Encryption Algorithm	AES - 256 bits
Hash Algorithm	SHA1
DH Group	2 (1024 bit)

Field

Expected Value

Encryption Algorithm

AES - 256 bits

Hash Algorithm

SHA1

DH Group

2 (1024 bit)

Advanced Options

Field	Expected Value
Disable rekey	Unchecked

Field

Expected Value

Disable rekey

Unchecked

Click Save.
Add a Phase 2 entry.
Save the Phase 2 entry.
Test to make sure the tunnel is up.