Can't use Link-Local IP as unicast route gateway

Question

Just setup a VTI / route-based VPN with a customer who is using AWS VPC. Unfortunately, AWS side is using a link-local address (169.254.x.x/30) for the tunnel interfaces. I was able to assign the xfrm interface the needed IP, I can ping the aws side interface as well. The issue is I went to go and add a route to the VPC, but the WebAdmin won't allow this as it's a link-local address. Seems a lot of firewalls use this address space for this, so what kind of testing was done with RBVPNs in v18? 
 
 I was able to add this route in the advanced console, and reach the needed server in AWS, but I understand these kernel routes won't persist reboots, so what now? Any scripts that I can inject at boot to insert this route? 
 ip route add 10.0.0.1 via 169.254.111.205 proto zebra

LuCar Toni · Answer

This is a limitation within the Kernel of SFOS - Yes technically this is possible. There are other limitation, which other products like AWS simply "ignore" and therefore they offer such config. 
 I found, you can simply use Interface routing, and not use the gateway. The firewall will ARP the packet to the XFRM and AWS should pick up this. 
 See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp 
 You could also expand the XFRM Interface to /30 and it should not need a static route.

LuCar Toni · Answer

Try a static interface route. It should work. Instead of gateway, choose the XFRM.

Can't use Link-Local IP as unicast route gateway

Top Replies