VPN, L2TP, and problems with netmasks...

Discussion in 'Linux Networking' started by Marcin Łukasik, Jan 23, 2012.

  1. Hello,

    Not exactly a Linux networking question, but please forgive me (but I'm pretty sure the firewall runs Linux).

    I've set up a L2TP VPN on SonicWall NSA240 firewall.
    It works. But it doesn't when I split the network in two subnets. is my office, is allocated for VPN users.
    The problem occurs while accessing over VPN.
    It works on Windows, since Windows adds route via VPN ("class-based route addition"). So when I say ping 10.9.8.x it works fine, since the packet goes over the VPN.
    But on Mac this doesn't work, since Mac assumes a netmask of, therefore packet destined for 10.9.8.x goes via my default gateway, not VPN, and never reaches the host.

    I found out that the only settings you can get over VPN are remote/local IPs of the tunnel and router's IP address.

    My questions are:
    1) What protocol is used to assign these IP settings to the client?
    2) How the heck did this work in the past on an Apple server? We had two subnets too...

    Thanks a lot in advance!
    Marcin Łukasik, Jan 23, 2012

  2. Hello,

    Marcin Lukasik wrote:
    This is so wrong, even if it does what you need.
    Classes are deprecated.
    As L2TP usually transports PPP sessions, I guess it is IPCP, the
    protocol used by PPP to negotiate IP parameters such as the remote and
    local addresses. AFAIK, it does not allow "pushing" routes like
    OpenVPN does. So you need to add the route by other means when the
    tunnel is up. Any decent PPP software should be able to do it.
    Pascal Hambourg, Jan 23, 2012
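The "other means" Pascal refers to, as an added example that is not code from this thread or from SonicWall/Apple: a pppd `/etc/ppp/ip-up` hook, which pppd-based L2TP clients (including the macOS built-in one and xl2tpd+pppd on Linux) run once IPCP has assigned the tunnel addresses. Assumptions: the office LAN is `10.9.8.0/24` (the post only says "10.9.8.x"; the actual ranges did not survive on the page), and the VPN end of the tunnel has an RFC 1918 address, which the script uses to avoid adding office routes on some unrelated PPP link.

```shell
#!/bin/sh
# /etc/ppp/ip-up -- pppd runs this once IPCP has finished, passing:
#   $1 interface (e.g. ppp0)  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# Added example, not from the thread. Assumption: the office LAN is 10.9.8.0/24
# (the post only says "10.9.8.x"); change OFFICE_NETS to match your site.
# Set DRY_RUN=1 to print the route commands instead of executing them.

OFFICE_NETS="10.9.8.0/24"   # space-separated prefixes reachable only through the VPN

# Print the route command that puts PREFIX on the tunnel interface for OS.
# Returning the text instead of running it keeps the logic inspectable and testable.
route_cmd() {
    prefix=$1 ifname=$2 os=$3
    case $os in
        Darwin) printf 'route -n add -net %s -interface %s\n' "$prefix" "$ifname" ;;
        Linux)  printf 'ip route add %s dev %s\n' "$prefix" "$ifname" ;;
        *)      printf 'unsupported OS: %s\n' "$os" >&2; return 1 ;;
    esac
}

# Assumption: the concentrator's tunnel address is private. A peer outside
# RFC 1918 space (e.g. a dial-up ISP) therefore gets no office routes.
is_vpn_peer() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install one route per prefix on IFNAME; with DRY_RUN set, only print them.
install_routes() {
    ifname=$1 peer=$2 os=${3:-$(uname -s)}
    is_vpn_peer "$peer" || { echo "peer $peer is not the VPN, leaving routes alone" >&2; return 0; }
    for prefix in $OFFICE_NETS; do
        cmd=$(route_cmd "$prefix" "$ifname" "$os") || return 1
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# pppd invokes the script with its arguments; run with none, nothing is changed.
if [ $# -ge 5 ]; then
    install_routes "$1" "$5"
fi
```

Install it as root with `chmod 755 /etc/ppp/ip-up`; the script must be executable or pppd silently ignores it. Routes bound to `ppp0` disappear with the interface when the tunnel drops, so no matching `ip-down` is needed. Users keep their default route (no "send all traffic over VPN"), and only the listed office prefixes go through the tunnel.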

  3. You have to set it up for the interfaces, so I did.
    But when I said "I've allocated" I meant "VPN users use a range of -".

    Thank you.
    True, it doesn't "push" routes. I can add them manually and it works fine, but I'm trying to avoid this.
    Not all the users know much about computers and VPNs, and I want to make their life (and mine) easier.
    Windows adds a route to (so /8), which makes it work.
    Mac adds a route to (so /24), which makes inaccessible via VPN.

    My best option was to route all the traffic via VPN on Mac. In this case a default route is created and routed via the VPN.
    This of course isn't ideal...

    But Apple Server was able to "push" some setting that created either two routes (to and to or extended the subnet allocated by the system from /24 to something wider.

    The only thing that comes to my mind is "pushing" two router IPs to the client (so and Then the system would probably create two routes.
    But I am not sure whether this is possible by design?
    The client gets local and remote IPs for the tunnel, and probably the gateway. But can client get two gateways? What other settings can be sent over IPCP?

    Thanks a lot,
    Marcin Łukasik, Jan 24, 2012
  4. Marcin Łukasik

    Moe Trin

    On Mon, 23 Jan 2012, in the Usenet newsgroup comp.os.linux.networking, in
    1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
    Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan.
    September 1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338)
    (Obsoleted by RFC4632) (Status: PROPOSED STANDARD)

    Hey, it only happened 18 1/2 years ago (even the replacement RFC4632
    is 5 1/2 years old) - windoze has got to be backward compatible!
    Correct - neither RFC2661 (Layer Two Tunneling Protocol "L2TP") nor
    RFC1332 (The PPP Internet Protocol Control Protocol) discuss routes.
    These are controlled "higher" in the stack.

    Old guy
    Moe Trin, Jan 24, 2012