Can't use Link-Local IP as unicast route gateway

Just set up a VTI / route-based VPN with a customer who is using AWS VPC.  Unfortunately, the AWS side is using a link-local address (169.254.x.x/30) for the tunnel interfaces.  I was able to assign the xfrm interface the needed IP, and I can ping the AWS side interface as well.  The issue is I went to go and add a route to the VPC, but the WebAdmin won't allow this as it's a link-local address. Seems a lot of firewalls use this address space for this, so what kind of testing was done with RBVPNs in v18?

I was able to add this route in the advanced console, and reach the needed server in AWS, but I understand these kernel routes won't persist across reboots, so what now?  Any scripts that I can inject at boot to insert this route?


ip route add 10.0.0.1 via 169.254.111.205 proto zebra



[edited by: emmosophos at 6:40 PM (GMT -7) on 15 Oct 2021]
  • Hi,

    because that address range is a non-routable range. It is a self-assigned address for a device failing to contact a DHCP server.

    Ian

    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello

    I understand it's not routable, I'm not trying to route this link-local address space, just using it as next hop on a link (fairly common with RBVPN).  It's a /30 between my local VTI and the VTI in AWS.  I'll have to see if the customer can set up dynamic routing and try to see if BGP will work.  I can't possibly be the first person to try static routing with AWS and an XG firewall.

    Have a ticket open, will have to see what premium support has to say, when they get around to it.

  • This is a limitation within the kernel of SFOS - yes, technically this is possible. There are other limitations, which other products like AWS simply "ignore" and therefore they offer such config.

    I found you can simply use interface routing, and not use the gateway. The firewall will ARP the packet to the XFRM and AWS should pick this up.

    See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp

    You could also expand the XFRM interface to /30 and it should not need a static route.

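As an added example (not from the thread and not Sophos code), a POSIX sh script that installs the VPC route as an interface route on the xfrm device, as the reply above suggests, and skips the add when the route already exists so it can be re-run safely at boot. The interface name xfrm1, the VPC prefixes and the `IP` override are assumed placeholders; how SFOS would invoke such a script at startup is not something the thread establishes.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: idempotent route installer
# for a route-based VPN whose AWS peer sits on a 169.254.x.x/30 tunnel address.
# Assumptions (hypothetical values): tunnel interface xfrm1, VPC prefix
# 10.0.0.0/16. The boot hook that runs this on SFOS is not covered here.
set -u
IP=${IP:-ip}   # overridable so the functions can be exercised without root

# Build the argument list for "ip route add". With no gateway argument this is
# an interface route: the kernel resolves the next hop by ARP on the xfrm
# device, which is the workaround described above. Passing a gateway shows
# the "via 169.254.x.x" form that the WebAdmin rejects.
route_args() {
    if [ -n "${3:-}" ]; then
        printf '%s via %s dev %s' "$1" "$3" "$2"
    else
        printf '%s dev %s' "$1" "$2"
    fi
}

# Exit 0 if "ip route show" output on stdin already lists prefix $1.
route_present() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Install the route only when missing, so repeated runs at boot are harmless.
ensure_route() {
    prefix=$1; dev=$2; gw=${3:-}
    if "$IP" route show "$prefix" | route_present "$prefix"; then
        echo "present: $prefix"
        return 0
    fi
    # shellcheck disable=SC2046  (word splitting of route_args is intended)
    "$IP" route add $(route_args "$prefix" "$dev" "$gw") && echo "added: $prefix"
}
```

Run as root with `ensure_route 10.0.0.0/16 xfrm1` appended to the script; `ip route show 10.0.0.0/16` afterwards should list the prefix with `dev xfrm1` and no `via`.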

  • I appreciate the answer, but I guess I'm not following you when you say "interface routing", I see references in the article to BGP, so going to assume that's what you mean.  Unfortunately, I'm unable to use BGP because this customer's side is another one of their vendors and they are configured with static routing in AWS, and I believe it's hosting other customers so they won't change.

    I can do this with virtually any other firewall, so I don't get it.  Going to be a lot of work to replace ~75 XG firewalls in Azure with another vendor, but this on top of subpar support and numerous other limitations (some are top of list on https://ideas.sophos.com) is starting to weigh on our company and we are being pushed.
