AWS VPC VPN wizard produces incorrect config (SHA256 should be SHA1)
I was trying to create a site-to-site VPN to my AWS default VPC in the us-west-2 region using the AWS VPC VPN Wizard on my Netgate SG-1100. After going through the configuration, I found that I could not get the VPN to connect. Looking at the log at Status / System Logs / IPsec I noticed the error message "received NO_PROPOSAL_CHOSEN error notify", which apparently indicates a phase 1 encryption algorithm mismatch.
I downloaded a pfsense configuration from AWS for the site-to-site VPN connection, and it indicated that the phase 1 hash algorithm should be SHA1. However, in looking at the Phase 1 settings created by the wizard, the phase 1 hash algorithm was set to SHA256. I went to VPN /IPSec / Tunnels and manually changed the phase 1 hash algorithms for the tunnels to SHA1, saved both, and then applied the changes. I was then able to click "Connect" and get the VPN tunnels established. I confirmed the connection by pinging a Linux EC2 instance in AWS, then logged into the instance via ssh (using its private IP address) and was able to ping and ssh back into my own network.
So the wizard appears to be setting up the phase 1 encryption algorithm incorrectly, at least for the AWS region I'm using (us-west-2 in commercial AWS).
I have uploaded a complete set of screenshots, backup files, and steps to reproduce to https://civilityandtruth.com/assets/texts/netgate-inc-26504.tar.gz (This file is slightly too large to attach to this report).
Here are the steps to reproduce. The references to filenames are to files in the netgate-inc-26504.tar.gz linked to above, and the steps are taken from the file inc-26504-steps-to-reproduce.txt included in the tar.gz file.
1. Start with pfSense and AWS initial state: * Netgate SG-1100 running pfSense 2.4.4-RELEASE-p2 (arm64) * Backup of pfSense configuration (config-gw.fhecker.com-20190430121437.xml) * No AWS IPsec VPN defined (inc-26504-ss-01.png) * Single default VPC defined in AWS us-west-2 region (inc-26504-ss-02.png) * No customer gateway defined (inc-26504-ss-03.png) * No virtual private gateway defined (inc-26504-ss-04.png) * No site-to-site VPN defined (inc-26504-ss-05.png)
2. Start AWS VPC VPC configuration wizard (inc-26504-ss-06.png)
3. On step 1, select us-west-2 region, click Next (inc-26504-ss-07.png)
4. On step 2, select default VPC, click Next (inc-26504-ss-08.png)
5. On step 3, accept default values, click Next (inc-26504-ss-09.png)
6. Chrome waits for response for approx. 3 minutes (inc-26504-ss-10.png)
7. Chrome displays "504 Gateway Time-Out" message (inc-26504-ss-11.png)
8. Hit reload button and click Continue to resubmit (inc-26504-ss-12.png)
9. pfSense shows step 4 screen, click Next (inc-26504-ss-13.png)
10. Final screen of wizard, click Next (inc-26504-ss-14.png)
11. Tunnels show as disconnected, click Connect on first (inc-26504-ss-15.png)
12. IPsec log shows "received NO_PROPOSAL_CHOSEN error notify"
13. Take backup of pfSense (config-gw.fhecker.com-20190430122509.xml)
14. Edit tunnel, phase 1 hash algorithm shows as SHA256 (inc-26504-ss-17.png)
15. Look at phase 2 info for tunnel (inc-26504-ss-18.png)
16. Download configuration from AWS for site-to-site VPN (inc-26504-ss-19.png)
17. Select configuration download for pfSense (inc-26504-ss-20.png)
18. Configuration file says phase 1 hash algorithm should be SHA1
19. Edit the first tunnel, change hash algorithm to SHA1 (inc-26504-ss-21.png)
20. Edit the second tunnel, make the same change (inc-26504-ss-22.png)
21. Apply the changes (inc-26504-ss-23.png)
22. Status screen now shows VPN tunnels as connected. (inc-26504-ss-24.png)
23. Take final backup of pfSense (config-gw.fhecker.com-20190430123055.xml)
#1 Updated by Frank Hecker 8 months ago
Sorry, forgot to add: in looking over the download configuration from AWS, I noticed that it also recommends the Phase 1 DH-Group be set to 2; the original configuration from the wizard had it set to 14. I changed the tunnels to set the DH-Group to 2, applied the changes, and forced a reconnect on the tunnels. The tunnels connected properly and are working fine.