How to connect IPFIRE to Amazon's site-to-site VPN (AWS)?

Hello everyone,

I want to set up an IPSEC VPN tunnel to Amazon’s site-to-site VPN service. I have retrieved the VPN configuration file after setting up the service on my Amazon AWS console and have started filling in the fields on my Ipfire to configure IPSEC.

Here is my configuration

Connection: AWS

  • local subnet: I specified my Green network
  • Remote host/ip: I specified the ip of what Amazon calls the outside IP addresses of the virtual private gateway
  • Remote subnet: I specified

IPsec Setting

  • Mode: Tunnel
  • Interface -None (default)
  • MTU: 1436
  • Ip address/Subnet Mask: I left it blank


  • Use a pre-shared key: I have specified the Pre-Shared Key provided by Amazon

In the advanced menu

  • Keyexchange: IKEv1
    Encryption IKE: I left the default checked
    Encryption ESP: I left the default checked
    Integrity IKE: I left the default checked
    Integrity ESP: I left the default checked
    Lifetime IKE: 8 hours
    Lifetime ESP: 1 hour
    Groupptype: I left the default checked

Dead peer Detection
Action: restart
Timeout: 120
Delay: 30

IKE+ESP = checked
Perfect Forward Secrecy (PFS): checked
Start action: On demand
Inactivity Tiemout: 15 min

The VPN shows connected but no route is created and I have no IP address associated on the Ipfire GUI homepage !

I would really appreciate your help :wink:

Hi everybody,

It’s ok now with the 1st tunnel. However, with AWS we have 2 tunnels (for redundancy). How can I connect the 2nd tunnel for redundancy ?
Indeed, if I connect the 2nd tunnel, there will be a routing problem because I cannot have a route to 1 network with 2 gateways that are different (the gateway of tunnel 1 and the gateway of tunnel 2) !
How can I get my 2 ipsec tunnels to work ?
Currently, if I activate both tunnels at the same time, my VPN network is not functional :frowning:
I have to choose either one or the other…it’s not a very redundant process :wink:



is is possible to connect one (or more) IPFire instance to AWS like this. You will need to set up two tunnels and establish a BGP session over it for fail-over routing.

The dynamic routing is required so that both ends of the VPNs can decide which one is the best way to route traffic and always keep it up.

AWS will give you all the details you need to set this up in the document you can download when creating the connection on the VPC console.

Hi Michael,

Thanks for your reply.
My 2 VPN tunnels are working. The problem is that I don’t know how to set up the failover (How do I activate BGB session on Ipfire?) on Ipfire.
At the moment I activate 1 tunnel or the other one if there is a problem with 1 of the 2 tunnels and this by checking 1 of the 2 tunnels in the interface.
What procedure should I apply to set up the failover automatically with ipsec ?


IPsec doesn’t know failover. It provides connectivity from one place to another. You will have to have both tunnels active at the same time.

The difference is only which tunnel carries the traffic. It could even be both.

There is no way to set up BGP over the GUI. Currently, there is Bird and FRR available as dynamic routing daemons. Install those and setup your desired configuration with your desired failover behaviour.

But…should I use Bird and FRR or choose one of the two ?
because…I have the impression that they do the same thing?

Yes, the both do the same thing, but have slightly different feature sets.

I personally prefer Bird, but it is entirely up to you.

I’m going to install only Bird for now…do you have a good tutorial for me ?

this might help get you started:

I always write the configuration files from scratch because it is very often a very custom scenario to build.

The documentation that Jon wrote and linked has all the things relevant to IPFire.

I totally forgot to mention that you could use IPFire on AWS to avoid using Amazon’s builtin VPN if that is an alternative for you.

You could then connect two IPFire systems as usual and there is nothing special about it just because one instance is in the cloud:

It is now also available on ARM :slight_smile:

Hi everybody,

Thanks @jon and @ms for your replies !

@jon I had already seen this doc on the Ipfire wiki but it was too general and didn’t really explain how to set up a config with an example. It won’t really help me to configure Bird.

@ms thank you for this alternative…I hadn’t thought about that and it would be interesting to study this possibility if I can’t do it with Bird because…connecting Ipfire appliances together I know how to do it (I currently have 3 and soon 4) :wink:

Many thanks for your help :wink:

Hi everybody,

For my failover problem above, I’m going to call Team Ipfire to set it up because the problem is quite complex for me to do without a HOWTO to guide me.

Also, in setting up this Ipsec connection to AWS I noticed something weird from my BLUE network (wifi). Indeed, from my Wifi network (BLUE), I can’t access my web server which is at AWS (EC2 Instance with a private address in the VPC) …via the Ipsec VPN connection mounted on my Ipfire firewall.
I specify that from my other LAN network I have no problem, all authorized requests pass.
However, in the firewall I have set the rules allowing to open from the BLUE interface (Wifi) the HTTPS and ICMP protocol to the server at AWS. And this, in both directions.

When I try for example a PING from my server at AWS, I see, thanks to the tcpdump command on my Ipfire firewall, that the request arrives well through the IPsec tunnel but this one is not redirected then by the firewall towards the BLUE network (wifi).
And vice versa, when I try to PING from the BLUE network (Wifi) to the server at AWS, the request arrives on the firewall but is not redirected to the ipsec tunnel :frowning:

The firewall knows the route to my web server at AWS since I have no problem from my LAN.
I don’t understand where this is blocking :frowning:
Should I manually add an iptables rule ? Or is there something missing in my ipsec config ?

Thanks in advance

You can enable logging for those rules to find out which one is the one that is blocking more than you intend.

Otherwise I would recommend against adding your own iptables rules because mistakes are easy to make and they will run in a different place in the firewall which might impact other features like the IPS.