I got IPsec to AWS configured on pfSense.
I won't provide a click-by-click guide, but I'll show what our working configuration looks like. Replace the variables enclosed in %%.
PH1
<phase1>
  <ikeid>6</ikeid>
  <interface>lan</interface>
  <!-- %%AWS_GW_IP%%: outside IP of the AWS VPN endpoint -->
  <remote-gateway>%%AWS_GW_IP%%</remote-gateway>
  <mode>main</mode>
  <protocol>inet</protocol>
  <myid_type>myaddress</myid_type>
  <myid_data/>
  <peerid_type>peeraddress</peerid_type>
  <peerid_data/>
  <encryption-algorithm>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm>
  <hash-algorithm>sha1</hash-algorithm>
  <dhgroup>2</dhgroup>
  <lifetime>28800</lifetime>
  <!-- %%AWS_PSK%%: pre-shared key from the AWS-generated tunnel configuration -->
  <pre-shared-key>%%AWS_PSK%%</pre-shared-key>
  <private-key/>
  <certref/>
  <caref/>
  <authentication_method>pre_shared_key</authentication_method>
  <generate_policy/>
  <proposal_check/>
  <descr><![CDATA[ VPC AWS ]]></descr>
  <nat_traversal>off</nat_traversal>
  <!-- dead peer detection: probe every 10 s, tear down after 2 missed replies -->
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>2</dpd_maxfail>
</phase1>
PH2
<phase2>
  <!-- must match the ikeid of the phase1 entry above -->
  <ikeid>6</ikeid>
  <mode>tunnel</mode>
  <localid>
    <type>network</type>
    <!-- %%YOUR_NETWORK%%/%%MASK%%: the on-premises subnet behind pfSense -->
    <address>%%YOUR_NETWORK%%</address>
    <netbits>%%MASK%%</netbits>
  </localid>
  <remoteid>
    <type>network</type>
    <!-- %%VPC_NETWORK%%/%%MASK%%: the VPC CIDR on the AWS side -->
    <address>%%VPC_NETWORK%%</address>
    <netbits>%%MASK%%</netbits>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <pfsgroup>2</pfsgroup>
  <lifetime>3600</lifetime>
  <!-- %%HOST TO CHECK%%: a host inside the VPC that pfSense pings to keep the tunnel up -->
  <pinghost>%%HOST TO CHECK%%</pinghost>
  <descr><![CDATA[VPC AWS]]></descr>
</phase2>
As far as I know, configuring two tunnels so that they work redundantly is not possible in PF.
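An added example, not part of the post above and not pfSense's or AWS's own tooling: a small audit script that parses a pfSense `<phase1>`/`<phase2>` fragment like the one shown and reports the things worth checking before committing it, namely leftover `%%...%%` template variables, a phase2 whose `ikeid` points at no phase1, legacy hash and DH choices (SHA-1, MODP groups 1/2/5), NAT-T disabled, missing DPD, and a non-ESP phase2. The embedded sample is constructed: it is the post's fragment with documentation-only addresses (RFC 5737) filled in and the PSK placeholder deliberately left in place so the script has something to catch.

```python
"""Audit a pfSense IPsec <phase1>/<phase2> fragment for template leftovers and weak settings."""
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real tunnel): the post's fragment with RFC 5737
# addresses substituted and the PSK placeholder intentionally left unfilled.
SAMPLE = """
<ipsec>
  <phase1>
    <ikeid>6</ikeid>
    <interface>lan</interface>
    <remote-gateway>203.0.113.10</remote-gateway>
    <mode>main</mode>
    <encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>%%AWS_PSK%%</pre-shared-key>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>off</nat_traversal>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>2</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>6</ikeid>
    <mode>tunnel</mode>
    <localid><type>network</type><address>192.0.2.0</address><netbits>24</netbits></localid>
    <remoteid><type>network</type><address>198.51.100.0</address><netbits>24</netbits></remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
</ipsec>
"""

PLACEHOLDER = re.compile(r"%%[^%]*%%")
# Still accepted by pfSense and AWS, but legacy strength; SHA-2 and DH group 14+
# are available on the same tunnel and are the better choice.
LEGACY_HASHES = {"sha1", "hmac_sha1", "md5", "hmac_md5"}
LEGACY_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP


def text(node, tag):
    """Stripped text of a direct child element, or '' if absent/empty."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else ""


def audit(xml_text):
    """Return a list of (severity, message) findings; empty list means nothing flagged."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    # 1. A leftover %%VAR%% means a template variable was never filled in.
    for node in root.iter():
        if node.text and PLACEHOLDER.search(node.text):
            findings.append(("error", f"<{node.tag}> still contains a template placeholder"))

    p1s = root.findall("phase1")
    p2s = root.findall("phase2")
    p1_ids = {text(p, "ikeid") for p in p1s}

    # 2. Phase 1 checks: algorithm strength, NAT-T, dead peer detection.
    for p1 in p1s:
        if text(p1, "hash-algorithm") in LEGACY_HASHES:
            findings.append(("warn", "phase1 uses a legacy hash (SHA-1/MD5)"))
        if text(p1, "dhgroup") in LEGACY_DH_GROUPS:
            findings.append(("warn", f"phase1 DH group {text(p1, 'dhgroup')} is below 2048-bit MODP"))
        if text(p1, "nat_traversal") == "off":
            findings.append(("info", "NAT-T is off; only valid if pfSense has a public IP with no NAT in front"))
        if text(p1, "dpd_delay") == "":
            findings.append(("warn", "DPD not configured; a dead tunnel will not be detected"))

    # 3. Phase 2 checks: it must reference an existing phase1 and use ESP.
    for p2 in p2s:
        if text(p2, "ikeid") not in p1_ids:
            findings.append(("error", f"phase2 ikeid {text(p2, 'ikeid')} has no matching phase1"))
        if text(p2, "hash-algorithm-option") in LEGACY_HASHES:
            findings.append(("warn", "phase2 uses a legacy integrity algorithm"))
        if text(p2, "pfsgroup") in LEGACY_DH_GROUPS:
            findings.append(("warn", f"phase2 PFS group {text(p2, 'pfsgroup')} is below 2048-bit MODP"))
        if text(p2, "protocol") != "esp":
            findings.append(("error", "phase2 protocol is not ESP (AH gives no confidentiality)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the sample it reports one error (the unfilled PSK) plus warnings for SHA-1 and DH group 2 in both phases; fill in the PSK and the errors go away while the strength warnings remain, which is the point: the post's parameters work with AWS, but they are the legacy end of what AWS accepts.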