[Openswan Users] IPSec+L2TP server-side routes to client

Paul Wouters pwouters at redhat.com
Mon Mar 12 14:25:39 EDT 2012

On Mon, 12 Mar 2012, Brett Cave wrote:

> I'm a little confused about 1 thing: if chap-secrets has and xl2tpd has ip range =, then
> will what manages the address pool - pppd or l2tpd?

It is a little confusing. I believe xl2tpd handles the pool and passes
the IP to pppd. I believe pppd might verify the IP it got passed from
xl2tpd falls within the pool.

I personally only assign as follows:

- static ips in chap-secrets are outside the xltpd "ip range" pool.
- subnets in chap-secrets are within the xl2tpd "ip range" pool.

> Because if i use in chap-secrets, then either pppd does not parse CIDR addresses correctly or xl2tpd is
> handing out IPs from it's configured range (e.g. if the user with .1.16/28 is the first client to connect, i get an
> error in the logs that the user tried to connect with but access was denied as per chap-secrets
> configuration)
> But if I use in chap-secrets, then it definitely seems that pppd is handing out the IP's, because the user
> gets the static mapping.

That's the behaviour I see too.

If someone wants to dive in the code and have a look, and fixup the
documentation, that would be great :)


More information about the Users mailing list