Is it possible to use IPv4 link-local addresses in IPsec tunnel?

jesperfr · Nov 8, 2018, 11:17 AM

Hi,
Is it possible to use IPv4 Link-local addresses in a IPsec tunnel.

I'm trying to setup a IPsec tunnel, where the remote end is using link-local addresses, but I can't get it to work. It seems that packets to these addresses are not being tunneled.

Blocking of link-local addresses is disabled

Firewall version:
PFsense
Version 2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6

Any good ideas.

Thanks in advance

Rgds,

Jesper

JKnott · Nov 8, 2018, 11:45 AM

No. Link local addresses are not supposed to be routed, which means they work no further than the local LAN. Use something in the RFC1918 ranges.

jesperfr · Nov 8, 2018, 11:58 AM

That was also what I expected, but AWS uses these addresses, and I'm trying to set up a tunnel towards AWS

https://forums.aws.amazon.com/thread.jspa?threadID=169512

Rgds,

Jesper

jimp · Nov 8, 2018, 6:43 PM

Within AWS is different they only use them for one-hop of routing, not for NAT or other things. You can't reach them from outside that interface. You shouldn't see any traffic to/from those IP addresses except maybe BGP.