[Openswan Users] Framed-Route problem - Openswan 2.4.5 + freeradius

Brian Candler B.Candler at pobox.com
Mon Apr 17 10:23:02 CEST 2006

On Sun, Apr 16, 2006 at 11:11:43PM +0200, Radek Antoniuk wrote:
> Yeah, the situation here is similar. But... my primary connection is the 
> LAN one. So.. I have internet connection through the LAN interface.
> And this way, "all other traffic" is wrong. Because it applies not only 
> to the tunneled packets but for the normal web request as well. I hope 
> it's clear now.

Do you mean: when the tunnel is up, you want *certain* subnets to be
reachable via the tunnel, but not the rest of the Internet?

In that case, you have to manually add routes to the destinations of
interest via the tunnel interface [or else you have to run a routing
protocol at both sides, e.g. RIP or BGP]

Remember that L2TP is really just PPP over the Internet. As far as I know,
in PPP there is no mechanism by which you can tell the remote end that
certain address ranges are reachable via this interface. IPCP just lets you
negotiate a single IP address for each end.

There do exist other IPSEC mechanisms for passing this policy information.
For example, if you use Cisco's XAUTH plus Mode Configuration, the VPN
concentrator can tell the client which networks are reachable via the
tunnel. To do this you will need a different client program (Cisco's
vpnclient should do) and configure your VPN concentrator very differently,
since you will be using IPSEC Tunnel Mode + XAUTH + Mode Config, instead of
IPSEC Transport Mode + L2TP + PAP/CHAP

I don't know how good openswan's XAUTH support is. (I've tried this with
ipsec-tools, but you have to use the very latest bleeding edge CVS version;
there's no release with XAUTH support)

> >>But, if I don't, I would have to manually add static route to the 
> >>networks I want to use. I've tried to use Framed-Route " 
> >> 1" and some combinations, but it doesn't get added to 
> >>the WinXP box.
> >At best, that would add a route on the tunnel terminator, not on the 
> >client.
> Well, tunnel terminator on the remote side you mean? Well, from what 
> I've read on google, Framed-Route applies to the client requesting the 
> address alongside with the Framed-IP and so on...

Framed-Route is a RADIUS attribute, and therefore is only seen by the RADIUS

So if you have:

                    L2TP/IPSEC                   RADIUS
   VPN client --------------------- VPN conc ------------> auth srv

then the RADIUS auth request goes from VPN conc to auth srv, and the
response goes from auth srv to VPN conc. The only place it can have any
effect is on the VPN conc.

The VPN conc cannot pass back a message down the L2TP/PPP session saying
"add this route", because a PPP message to that effect does not exist.

> So, is there any method for adding a static route on the XP side after 
> setting up the tunnel?

Batch file? But I don't know if there's a way to trigger it automatically on
tunnel up. Maybe if you use the Windows RAS API to do the dialling, you'll
get confirmation that the connection came up, and can add the routes at that



More information about the Users mailing list