Netgate Discussion Forum
    Is it possible to use IPv4 link-local addresses in IPsec tunnel?

jesperfr

      Hi,
Is it possible to use IPv4 link-local addresses in an IPsec tunnel?

I'm trying to set up an IPsec tunnel where the remote end is using link-local addresses, but I can't get it to work. It seems that packets to these addresses are not being tunneled.

      Blocking of link-local addresses is disabled

Firewall version:
pfSense
Version 2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6

Any good ideas?

      Thanks in advance

      Rgds,

      Jesper

JKnott

        No. Link local addresses are not supposed to be routed, which means they work no further than the local LAN. Use something in the RFC1918 ranges.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

jesperfr

          That was also what I expected, but AWS uses these addresses, and I'm trying to set up a tunnel towards AWS

          https://forums.aws.amazon.com/thread.jspa?threadID=169512

          Rgds,

          Jesper

jimp (Rebel Alliance Developer, Netgate)

Within AWS it is different: they only use them for one hop of routing, not for NAT or other things. You can't reach them from outside that interface. You shouldn't see any traffic to/from those IP addresses except maybe BGP.

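The distinction the thread ends on is worth making mechanical: a 169.254.0.0/16 address is fine as the address of the tunnel interface itself (one hop, the BGP peering the AWS side hands out), but it must never appear in a phase 2 traffic selector, because neither pfSense nor the peer will route it. The following is an added example, not code from the thread or from pfSense, that classifies proposed phase 2 subnets with Python's standard ipaddress module and flags link-local selectors, reserved ranges and the separate (common) mistake of overlapping local and remote selectors. The sample subnets in demo() are constructed to resemble the situation in the thread.

```python
import ipaddress

# RFC 3927 IPv4 link-local block. Hosts must not forward packets sourced from
# or destined to it, so it can never be a usable IPsec traffic selector.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(cidr):
    """Return 'link-local', 'rfc1918', 'public', 'reserved' or 'ipv6' for a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return "ipv6"
    if net.subnet_of(LINK_LOCAL_V4):       # checked first: ipaddress counts 169.254/16 as "private"
        return "link-local"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.is_global:
        return "public"
    return "reserved"                       # documentation, benchmark, class E, etc.


def check_phase2(local_subnets, remote_subnets):
    """Return a list of problems with proposed phase 2 (traffic selector) subnets.

    Both arguments are lists of CIDR strings; an empty result means the
    addressing is acceptable (it says nothing about crypto proposals).
    """
    problems = []
    v4 = {"local": [], "remote": []}
    for side, subnets in (("local", local_subnets), ("remote", remote_subnets)):
        for cidr in subnets:
            kind = classify(cidr)
            if kind == "link-local":
                problems.append(
                    f"{side} selector {cidr} is IPv4 link-local: it is not routed "
                    f"beyond the peer's tunnel interface and will not be tunneled")
            elif kind == "reserved":
                problems.append(f"{side} selector {cidr} is a reserved range")
            elif kind == "ipv6":
                continue                    # v6 selectors belong in their own phase 2
            else:
                v4[side].append(ipaddress.ip_network(cidr, strict=False))
    # Overlapping local and remote selectors: the kernel cannot decide which
    # side of the tunnel a packet belongs to, so traffic silently goes nowhere.
    for lnet in v4["local"]:
        for rnet in v4["remote"]:
            if lnet.overlaps(rnet):
                problems.append(f"local {lnet} overlaps remote {rnet}")
    return problems


def demo():
    """Constructed sample: the remote side offers its 169.254 inside-tunnel /30 as a selector."""
    return check_phase2(["192.168.1.0/24"], ["169.254.10.0/30", "10.50.0.0/16"])


if __name__ == "__main__":
    for p in demo():
        print("problem:", p)
```

Run it against the subnets from the peer's configuration sheet before committing the phase 2: the only address that should use the 169.254 /30 is the tunnel interface (VTI) itself, and the real remote networks behind the peer go into the selectors.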
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.