[Openswan Users] IPSec+L2TP server-side routes to client

Brett Cave brett at jemstep.com
Mon Mar 12 11:32:38 EDT 2012


On Mon, Mar 12, 2012 at 4:55 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 12 Mar 2012, Brett Cave wrote:
>
>> I have an openswan IPSec + xl2tpd server configuration and was wondering
>> if there was a way to send routes to the clients from the server side?
>> I get this functionality when I connect to Cisco IPSec gateways, and I
>> know MS IPSec server implementations support this too. I'm guessing this
>> would be something that pppd would do, configured through the xl2tp
>> options? Or would I need to configure BGP to get this working? The main
>> objective is to provide routes to clients without client-side route
>> configuration.
>>
>
> I don't think that is supported with L2TP?
>
> If it is some negotiated option, then I'm sure we could add support for
> it, either in xl2tpd or pppd.
>

After searching some more, it looks like it isn't possible, as pppd uses its
own internal implementation of IP address assignment to clients, and it
doesn't support the sending of routes to the client. I've come across a few
discussions in forums saying that the ability to hook in DHCP would be
great, and that RIP is one viable solution to use for the time being. If this
could be added to an openswan + l2tp implementation, I think a lot of
people would find it useful.

Here are 2 discussions I came across, discussing the protocols:
http://forum.mikrotik.com/viewtopic.php?f=14&t=56079
http://forum.mikrotik.com/viewtopic.php?f=8&t=10405



I also had a problem with setting up subnets > /24 mask - with xl2tpd and
pppd's chap-secrets examples (server side) - only tested with a few
connections:

username   l2tp    "pass"    192.168.1.0/24     # assigns IP from the 192.168.1.0/24 range correctly
user2      l2tp    "pass"    192.168.1.14       # assigns IP correctly
user3      l2tp    "pass"    192.168.1.0/28     # assigns IP within range, but only 2 or 3 clients connected; guessing this might not work as per example below
user4      l2tp    "pass"    192.168.1.16/28    # fails

xl2tpd.conf has:
[lns default]
ip range = 192.168.10.2-192.168.10.46
local ip = 192.168.10.1

Any way to assign different /28 subnets to specific users with this
implementation?

Thanks
Brett


>
> Paul
>
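Added example, not from this thread or from the xl2tpd/pppd projects: a Python check that reads a chap-secrets file and the xl2tpd "ip range = first-last" pool and counts, per user, how many pool addresses that user's address field would let pppd accept. It assumes pppd's documented address-field semantics ("*" or no field = any address, "-" = none, an address or address/bits = a subnet; the "!" negation form is not handled), and the secrets file and pool below are constructed samples modelled on the entries in the post.

```python
import shlex
import ipaddress

# Constructed sample modelled on the entries in the post; not a real secrets file.
CHAP_SECRETS = """\
# client   server  secret   IP addresses
username   l2tp    "pass"   192.168.1.0/24
user2      l2tp    "pass"   192.168.1.14
user3      l2tp    "pass"   192.168.1.0/28
user4      l2tp    "pass"   192.168.1.16/28
locked     l2tp    "pass"   -
"""

# Constructed pool in the "ip range = first-last" form used in xl2tpd.conf [lns].
XL2TPD_IP_RANGE = "192.168.1.2-192.168.1.46"

def parse_chap_secrets(text):
    """Map each client name to the IPv4 networks pppd would accept for it.
    '*' or a missing field means any address; '-' means none (empty list)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)               # honours the quoted secret
        if len(fields) < 3:
            continue                             # client/server/secret are required
        client, addrs = fields[0], fields[3:]
        nets = []
        for a in addrs or ["*"]:                 # no field at all: any address
            if a == "*":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            elif a != "-":
                nets.append(ipaddress.ip_network(a, strict=False))
        rules[client] = nets
    return rules

def pool_addresses(ip_range):
    """Expand xl2tpd's 'first-last' pool string into IPv4Address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-"))
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]

def usable_pool_counts(secrets_text, ip_range):
    """Per client, count pool addresses its chap-secrets rule accepts.
    Zero means every address xl2tpd could hand out is rejected for that user."""
    pool = pool_addresses(ip_range)
    return {client: sum(any(ip in n for n in nets) for ip in pool)
            for client, nets in parse_chap_secrets(secrets_text).items()}

if __name__ == "__main__":
    for client, n in usable_pool_counts(CHAP_SECRETS, XL2TPD_IP_RANGE).items():
        print(f"{client:10s} {n:3d} of {len(pool_addresses(XL2TPD_IP_RANGE))} pool addresses")
```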


