[Openswan Users] Cisco IP Redirect and L2TP

Nico Baggus mlfreeswan at noci.xs4all.nl
Wed Dec 5 15:12:38 EST 2007

> > So maybe it is possible to define some kind of packethandling on the
> > openswan-box? the "no ip redirect" setting on the cisco is done for
> > security reasons and should not be disabled for always.
> What does "ip redirect" do? Does it alter other settings on the cisco?

Redirect means that a Cisco sends an ICMP packet back to tell the previous 
hop at what MAC address the actual interface is if the interfaces are on the 

EXTERNAL NET                                   LAN
                                             [CISCO]       [OTHERDEV]
                                         Internal net.

In this case the modem has a route for all internal addresses to 
the CISCO. When the device in one case actually is OTHERDEV and the CISCO knows 
that a part is behind the OTHERDEV, then the CISCO will send an ICMP REDIRECT 
containing a reference to the intended target.

Without redirect no traffic will pass to OTHERDEV.
If the Router/Modem doesn't handle ICMP redirect, you have a problem when on

In short,
This condition exists if the Router/Modem doesn't know about ICMP Redirects 
[broken implementation]. It should act on them or issue a message that it is 
unable to route upstream.
And the ROUTING on the Router/Modem is not configured to correctly address the 

RFC 792, ICMP Type 5


Kind Regards,
Nico Baggus
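The ICMP Redirect the reply describes (RFC 792, Type 5), as an added example that is not from this thread or from Openswan: it decodes a redirect, verifies the ICMP checksum, extracts the new gateway and the embedded original source/destination, and applies the RFC 1122 host-side acceptance rules a well-behaved router/modem should check before acting on one. The sample datagram, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and all function names are constructed for the example.

```python
import ipaddress
import struct

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def sample_original_datagram() -> bytes:
    # Constructed IPv4 header (proto 17) plus 8 bytes of UDP: the packet that got redirected
    src, dst = ipaddress.IPv4Address("192.0.2.10").packed, ipaddress.IPv4Address("198.51.100.5").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, src, dst) + b"\x00\x35\x00\x35\x00\x08\x00\x00"

def build_redirect(gateway: str, original: bytes, code: int = 1) -> bytes:
    # ICMP type 5, code 1 = redirect for host; body = original IP header + 64 bits (RFC 792)
    gw, body = ipaddress.IPv4Address(gateway).packed, original[:28]
    csum = icmp_checksum(struct.pack("!BBH4s", 5, code, 0, gw) + body)
    return struct.pack("!BBH4s", 5, code, csum, gw) + body

def parse_redirect(msg: bytes) -> dict:
    # Decode a redirect; ValueError if truncated, not type 5 / code 0-3, or checksum mismatch
    if len(msg) < 28:
        raise ValueError("too short for an ICMP redirect")
    typ, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if typ != 5 or code > 3:
        raise ValueError("not a well-formed ICMP type 5 message")
    if icmp_checksum(msg) != 0:  # an intact message sums to zero with its checksum in place
        raise ValueError("bad ICMP checksum")
    src, dst = struct.unpack("!4s4s", msg[20:28])  # src/dst fields of the embedded IP header
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"code": code, "gateway": ip(gw), "orig_src": ip(src), "orig_dst": ip(dst)}

def should_accept(redirect: dict, sender: str, iface_net: str, first_hop: str) -> bool:
    # RFC 1122 3.2.2.2: honour only a redirect from the current first-hop gateway whose new gateway is on the connected net
    new_gw = ipaddress.IPv4Address(redirect["gateway"])
    return sender == first_hop and new_gw in ipaddress.IPv4Network(iface_net, strict=False)

def is_valid_redirect(msg: bytes) -> bool:
    try:
        return bool(parse_redirect(msg))
    except ValueError:
        return False
if __name__ == "__main__":
    r = parse_redirect(build_redirect("192.0.2.254", sample_original_datagram()))
    print(r, should_accept(r, "192.0.2.1", "192.0.2.0/24", "192.0.2.1"))
```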
