[Openswan Users] WinXP w/FreeRadius routing problem
B.Candler at pobox.com
Mon May 8 13:56:43 CEST 2006
On Mon, May 08, 2006 at 01:42:39PM +0200, Radek Antoniuk wrote:
> The question is simple:
> When using L2TP IPsec on WinXP, how to dynamically add routing to the
> ipsec network on the windows side after successful connection? ( just to
> be precise: I've turned off the option "use default gateway on the
> remote network")
Well, L2TP/IPSEC is really PPP over L2TP over IPSEC, so the question really
boils down to: how do you add routes to the client end over a PPP session?

Unfortunately, I'm not aware of any standard mechanism in PPP which can do
this. IPCP will only negotiate a single IP address for each side.

So, the client side will either need to manually add routes to the desired
destinations via the PPP interface (e.g. in a batch file), or else you could
run a routing protocol like RIP or OSPF over the PPP link, with the
corresponding complexity and security risks [*].

In either case, this is outside of the scope of IPSEC or Openswan. As far as
Openswan is concerned, it is securing a single transport-mode connection
between one IP endpoint and itself.

(The normal approach taken by most corporate security policies is to force
all traffic down the tunnel. This ensures that Internet access passes
through the corporate firewall, and that the endpoint is not open to direct
attack from the Internet while the tunnel is up.)

[*] If you made a RIP routing daemon which announced the availability of
certain networks, but did not actually accept any RIP updates, then it would
be reasonably secure. You can probably configure gated/zebra/quagga to do
that; but I don't know what you'd run at the Windows side.
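A batch file of the kind mentioned above, as an added example (not from the original post or from Openswan): it dials the L2TP/IPsec entry with rasdial, reads the address IPCP assigned to the PPP interface from ipconfig, and adds non-persistent routes for the remote networks through that interface. The entry name CorpVPN, the network list, saved dial-up credentials and an English-language Windows XP ipconfig output are assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
rem Constructed example for a Windows XP L2TP/IPsec client.
rem ENTRY is the phonebook entry name; NETS lists the remote networks
rem (placeholders) that should be reached through the tunnel.
set ENTRY=CorpVPN
set NETS=10.10.0.0/255.255.0.0 192.168.50.0/255.255.255.0

rem 1. Bring up the tunnel using the credentials saved with the entry.
rasdial "%ENTRY%"
if errorlevel 1 (
    echo Could not connect "%ENTRY%".
    exit /b 1
)

rem 2. Find the local PPP address: ipconfig prints a section headed
rem    "PPP adapter %ENTRY%:" whose first "IP Address" line holds it.
set INPPP=0
set PPPIP=
for /f "tokens=1* delims=:" %%A in ('ipconfig') do (
    echo.%%A | find /i "PPP adapter %ENTRY%" >nul && set INPPP=1
    if !INPPP!==1 if not defined PPPIP (
        echo.%%A | find /i "IP Address" >nul && for /f "tokens=*" %%C in ("%%B") do set PPPIP=%%C
    )
)
if not defined PPPIP (
    echo Could not determine the PPP address for "%ENTRY%".
    exit /b 1
)
echo PPP interface address is %PPPIP%

rem 3. Add one static route per remote network. On a point-to-point link
rem    the local PPP address serves as the gateway. No -p flag, so the
rem    routes vanish with the connection instead of lingering afterwards.
for %%N in (%NETS%) do (
    for /f "tokens=1,2 delims=/" %%X in ("%%N") do (
        route add %%X mask %%Y %PPPIP% metric 1
    )
)
endlocal
```

Because "use default gateway on remote network" is off, only the networks listed in NETS are sent down the tunnel; everything else keeps using the local default route, which is the trade-off the parenthetical paragraph above describes.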