[Openswan Users] IPSec+L2TP server-side routes to client

Paul Wouters pwouters at redhat.com
Mon Mar 12 11:38:31 EDT 2012

On Mon, 12 Mar 2012, Brett Cave wrote:

> After searching some more, looks like it isn't possible, as pppd uses its own internal implementation of IP address
> assignment to clients, and it doesn't support the sending of routes to the client. I've come across a few discussions in
> forums saying that the ability to hook in DHCP would be great, and that RIP is 1 viable solution to use for the time
> being. If this could be added into an openswan + l2tp implementation, I think a lot of people would find it useful.
> Here are 2 discussions I came across, discussing the protocols:
> http://forum.mikrotik.com/viewtopic.php?f=14&t=56079
> http://forum.mikrotik.com/viewtopic.php?f=8&t=10405

I don't think anyone wants RIP to continue anywhere :/

> I also had a problem with setting up subnets > /24 mask - with xl2tpd and pppd's chap-secrets
> examples (server side) - only tested with a few connections:
> username   l2tp    "pass"        # assigns IP from the range correctly
> user2         l2tp    "pass"           # assigns IP correctly
> user3         l2tp    "pass"        # assigns IP within range, but only 2 or 3 clients connected.
> guessing this might not work as per example below
> user4         l2tp    "pass"       # fails
> xl2tpd.conf has:
> [lns default]
> ip range =
> local ip =
> Any way to assign different /28 subnets to specific users with this implementation?

I would define "ip range" to be a CIDR, and not an arbitrary range
eg: ip range =

then use in chap-secrets
Note that if you assign statically, it should NOT be in
the "ip range" or else it will ALSO get assigned from the pool.
For static single ip assignments use a separate range that is not
part of "ip range".

> Thanks
> Brett
>       Paul
> --
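
Added example, not part of the original message or of xl2tpd/pppd: a small check for the rule above that a statically assigned address must lie outside the "ip range" pool. The function names and all addresses and user names are constructed for illustration; it assumes "ip range" holds dash-separated ranges and that the fourth chap-secrets field holds the client's address.

```python
import ipaddress
import shlex

# Constructed sample files (addresses and users are illustrative only).
SAMPLE_XL2TPD = """\
[lns default]
ip range = 192.168.100.128-192.168.100.254
local ip = 192.168.100.1
"""
SAMPLE_CHAP = """\
# client  server  secret  IP addresses
alice     l2tp    "pass"  192.168.100.200
bob       l2tp    "pass"  192.168.101.17
carol     l2tp    "pass"  *
"""

def parse_pool(xl2tpd_conf, section="lns default"):
    """Return (first, last) address pairs from 'ip range' in one section."""
    ranges, current = [], None
    for raw in xl2tpd_conf.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key != "ip range":
                continue
            # Assumed syntax: comma-separated "a-b" ranges or single addresses.
            for item in filter(None, (v.strip() for v in value.split(","))):
                lo, _, hi = item.partition("-")
                ranges.append((ipaddress.ip_address(lo.strip()),
                               ipaddress.ip_address((hi or lo).strip())))
    return ranges

def static_assignments(chap_secrets):
    """Yield (client, address) for entries that pin a literal IP address."""
    for raw in chap_secrets.splitlines():
        fields = shlex.split(raw, comments=True)  # quoted secrets, '#' comments
        for field in fields[3:]:
            try:
                yield fields[0], ipaddress.ip_address(field)
            except ValueError:
                continue                          # '*' or a form not handled here

def pool_conflicts(xl2tpd_conf, chap_secrets):
    """List static assignments that the pool could also hand to another client."""
    pool = parse_pool(xl2tpd_conf)
    return [(client, str(addr)) for client, addr in static_assignments(chap_secrets)
            if any(lo <= addr <= hi for lo, hi in pool)]

if __name__ == "__main__":
    print(pool_conflicts(SAMPLE_XL2TPD, SAMPLE_CHAP))
```
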
