As you know, AWS uses a private IP address block inside a VPC. If you install pfSense as a NAT instance, the WAN interface will show a private IP. You can assign an Elastic IP, but it is not visible from inside the EC2 instance.
For that reason, if you are creating an IPsec tunnel, you need to set the Peer identifier under Phase 1 Proposal (Authentication) on the remote peer of the pfSense running on AWS.
If you use the public IP address of pfSense as the Peer identifier, you will get
IDir '10.1.1.1' does not match to 'X.X.X.X' (X.X.X.X is the Elastic IP of the AWS pfSense)
Choose 'IP address' as the Peer identifier (default: Peer IP address) and enter the WAN IP address of the pfSense EC2 instance (10.1.1.1 in this example).
One of the big problems with cloud providers (AWS, Azure, etc.) is that they do not provide console login to the server. If sshd does not start at boot time, you are in big trouble!
Luckily, the Azure support team told me about the Azure Linux extension to run a script on a virtual machine as root.
Here is a very comprehensive article about this extension:
Unfortunately, there is no way to get the output of the executed commands. Maybe you can send the output outside of the server via curl, ftp or email 🙂
If you are going to deploy pfSense on AWS, the https://www.netgate.com/docs/aws-vpn-appliance/vpc-guide.html document is pretty good.
But there is one important point that you should take care of.
Be sure that Source/Dest. Check is set to false on both Ethernet interfaces (eth0 and eth1) of the pfSense instance.
If you select the pfSense instance and disable the source/destination check from the menu as shown above, it will disable it only on one interface (eth0).
Unfortunately, the Source/Dest. Check status of the private Ethernet interface eth1 will stay Enabled.
You have to go to the Network Interfaces section on the left, find your eth1 interface, and disable it by choosing Action -> Networking -> Change source/Dest. Check.
Also, do not forget to create the NAT rules on pfSense.
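The two-interface pitfall above, as an added example that is not from the original post: a shell script using the AWS CLI that disables Source/Dest. Check on every ENI attached to the instance (eth0 and eth1 alike) and then verifies that none is left enabled. It assumes the AWS CLI is installed and has credentials; PFSENSE_INSTANCE_ID is a placeholder environment variable.

```shell
#!/bin/sh
# Added example (not from the original post): turn off Source/Dest. Check on
# every network interface of a pfSense NAT instance, not only eth0, then verify.
# Assumes the AWS CLI is installed and configured; PFSENSE_INSTANCE_ID is a placeholder.
set -eu

# Print the IDs of all ENIs attached to the instance (eth0, eth1, ...).
list_enis() {
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[].Instances[].NetworkInterfaces[].NetworkInterfaceId' \
        --output text
}

# Print "True" when Source/Dest. Check is still enabled on one ENI, else "False".
eni_check_enabled() {
    aws ec2 describe-network-interface-attribute --network-interface-id "$1" \
        --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
}

# Disable the check on each ENI that still has it on; print "<eni> <action>" per interface.
disable_source_dest_check() {
    for eni in $(list_enis "$1"); do
        if [ "$(eni_check_enabled "$eni")" = "True" ]; then
            aws ec2 modify-network-interface-attribute \
                --network-interface-id "$eni" --no-source-dest-check
            echo "$eni disabled"
        else
            echo "$eni already-disabled"
        fi
    done
}

# Return 0 only when no ENI on the instance has the check enabled (what a NAT box needs).
verify_source_dest_check() {
    for eni in $(list_enis "$1"); do
        [ "$(eni_check_enabled "$eni")" = "False" ] || return 1
    done
    return 0
}

if [ -n "${PFSENSE_INSTANCE_ID:-}" ]; then
    disable_source_dest_check "$PFSENSE_INSTANCE_ID"
    if verify_source_dest_check "$PFSENSE_INSTANCE_ID"; then
        echo "all interfaces OK"
    else
        echo "WARNING: an interface still has Source/Dest. Check enabled" >&2
        exit 1
    fi
fi
```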