This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't use Link-Local IP as unicast route gateway

Just setup a VTI / route-based VPN with a customer who is using AWS VPC. Unfortunately, AWS side is using a link-local address (169.254.x.x/30) for the tunnel interfaces. I was able to assign the xfrm interface the needed IP, I can ping the aws side interface as well. The issue is I went to go and add a route to the VPC, but the WebAdmin won't allow this as it's a link-local address. Seems a lot of firewalls use this address space for this, so what kind of testing was done with RBVPNs in v18?

I was able to add this route in the advanced console, and reach the needed server in AWS, but I understand these kernel routes won't persist reboots, so what now? Any scripts that I can inject at boot to insert this route?

ip route add 10.0.0.1 via 169.254.111.205 proto zebra

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 2 years ago in reply to NateP +1 suggested

This is a limitation within the Kernel of SFOS - Yes technically this is possible. There are other limitation, which other products like AWS simply "ignore" and therefore they offer such config. I found…

Parents

0 rfcat_vk over 2 years ago

Hi,

because that address range is a none routable range. It is a self assigned address for a device failing to contact a DHCP server.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 NateP over 2 years ago in reply to rfcat_vk

Hello

I understand it's not routable, I'm not trying to route this link local address space, just using it as next hop on a link. (fairly common with RBVPN). Its a /30 between my local vti and the vti in AWS. I'll have to see if the customer can setup dynamic routing and try to see if BGP will work. I can't possibly be the first person to try static routing with AWS and a XG firewall.

Have a ticket open, will have to see what premium support has to say, when they get around to it.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to NateP

This is a limitation within the Kernel of SFOS - Yes technically this is possible. There are other limitation, which other products like AWS simply "ignore" and therefore they offer such config.

I found, you can simply use Interface routing, and not use the gateway. The firewall will ARP the packet to the XFRM and AWS should pick up this.

See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp

You could also expand the XFRM Interface to /30 and it should not need a static route.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 LuCar Toni over 2 years ago in reply to NateP

This is a limitation within the Kernel of SFOS - Yes technically this is possible. There are other limitation, which other products like AWS simply "ignore" and therefore they offer such config.

I found, you can simply use Interface routing, and not use the gateway. The firewall will ARP the packet to the XFRM and AWS should pick up this.

See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp

You could also expand the XFRM Interface to /30 and it should not need a static route.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 NateP over 2 years ago in reply to LuCar Toni

I appreciate the answer, but I guess I'm not following you when you say "interface routing", I see references in the article to BGP, so going to assume that's what you mean. Unfortunately, I'm unable to use BGP because this customer's side is another one of their vendors and they are configured with static routing in AWS, and I believe it's hosting other customers so they won't change.

I can do this with virtually any other firewall, so I don't get it. Going to be a lot of work to replace ~75 XG firewalls in Azure with another vendor, but this on top of sub par support and numerous other limitations (some are top of list on https://ideas.sophos.com) is starting to weigh on our company and we are being pushed.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to NateP

Try a static interface route. It should work. Instead of gateway, choose the XFRM.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel