VPN, L2TP, and problems with netmasks...

Discussion in 'Linux Networking' started by Marcin Łukasik, Jan 23, 2012.

  1. Hello,

    Not exactly a Linux networking question, but please forgive me (but I'm pretty sure the firewall runs Linux).

    I've set up a L2TP VPN on SonicWall NSA240 firewall.
    It works. But it doesn't when I split the network into two subnets. 10.9.8.0/24 is my office, 10.9.9.0/24 is allocated for VPN users.
    The problem occurs while accessing 10.9.8.0 over VPN.
    It works on Windows, since Windows adds a 10.0.0.0/8 route via VPN ("class-based route addition"). So when I say ping 10.9.8.x it works fine, since the packet goes over the VPN.
    But on Mac this doesn't work, since Mac assumes a netmask of 255.255.255.0, so a packet destined for 10.9.8.x goes via my default gateway, not the VPN, and never reaches the host.

    I found out that the only settings you can get over VPN are the remote/local IPs of the tunnel and the router's IP address.

    My questions are:
    1) What protocol is used to assign these IP settings to the client?
    2) How the heck did this work in the past on an Apple server? We had two subnets too...

    Thanks a lot in advance!
    Martin
     
    Marcin Łukasik, Jan 23, 2012
    #1

  2. Hello,

    Marcin Łukasik wrote:
    This is so wrong, even if it does what you need.
    Classes are deprecated.
    As L2TP usually transports PPP sessions, I guess it is IPCP, the
    protocol used by PPP to negotiate IP parameters such as the remote and
    local addresses. AFAIK, it does not allow "pushing" routes like
    OpenVPN does. So you need to add the route by other means when the
    tunnel is up. Any decent PPP software should be able to do it.
     
    Pascal Hambourg, Jan 23, 2012
    #2
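    One way to do what Pascal describes, as an added example that is not from the thread: a pppd ip-up script on the Mac client that installs the office-subnet route once the L2TP/PPP link is up, and skips any subnet the client's automatically added /24 already covers. It assumes pppd's ip-up argument order (interface, tty, speed, local IP, remote IP, ipparam), BSD-style route(8) as found on macOS, and the two subnets from the thread.

```shell
#!/bin/sh
# Example /etc/ppp/ip-up for the Mac L2TP client (added example, not from
# the thread). pppd invokes it as:
#   ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Only the /24 containing LOCAL_IP is routed automatically, so every other
# office subnet has to be added here, after the tunnel is up.

# Subnets that must go through the tunnel (assumption: the office subnet
# from the thread; list more, space-separated, as needed).
OFFICE_NETS="10.9.8.0/24"

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/PREFIX -> exit status 0 if IP lies inside NET/PREFIX
in_net() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_cmds IFNAME LOCAL_IP -> print one `route add` per office subnet that
# is not already covered by the /24 the client derived from LOCAL_IP.
route_cmds() {
    iface=$1; local_ip=$2
    for n in $OFFICE_NETS; do
        # the auto-added route is LOCAL_IP's own /24, whatever the server's
        # real netmask; a subnet inside it needs nothing
        if in_net "$local_ip" "${n%/*}/24"; then
            continue
        fi
        echo "route add -net $n -interface $iface"
    done
}

# When run by pppd (five or more arguments), actually install the routes.
if [ "$#" -ge 5 ]; then
    route_cmds "$1" "$4" | sh
fi
```

    With a tunnel address of 10.9.9.37 the script adds only the 10.9.8.0/24 route; the `-interface` form sends the traffic down the PPP link without needing a next-hop address.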

  3. You have to set it up for the interfaces, so I did.
    But when I said "I've allocated 10.9.9.0/24" I meant "VPN users use a range of 10.9.9.1 - 10.9.9.254".

    Thank you.
    True, it doesn't "push" routes. I can add them manually and it works fine, but I'm trying to avoid this.
    Not all the users know much about computers and VPNs, and I want to make their life (and mine) easier.
    Windows adds a route to 10.0.0.0 (so /8), which makes it work.
    Mac adds a route to 10.9.9.0 (so /24), which makes 10.9.8.0 inaccessible via VPN.

    My best option was to route all the traffic via VPN on Mac. In this case a default route is created and routed via the VPN.
    This of course isn't ideal...

    But Apple Server was able to "push" some setting, that created either two routes (to 10.9.8.0 and to 10.9.9.0) or extended the subnet allocated by the system from /24, to something wider.

    The only thing that comes to my mind is "pushing" two router IPs to the client (so 10.9.8.254 and 10.9.9.254). Then the system would probably create two routes.
    But I am not sure whether this is possible by design?
    The client gets local and remote IPs for the tunnel, and probably the gateway. But can client get two gateways? What other settings can be sent over IPCP?

    Thanks a lot,
    Marcin
     
    Marcin Łukasik, Jan 24, 2012
    #3
  4. Marcin Łukasik

    On Mon, 23 Jan 2012, in the Usenet newsgroup comp.os.linux.networking, in
    1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
    Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan.
    September 1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338)
    (Obsoleted by RFC4632) (Status: PROPOSED STANDARD)

    Hey, it only happened 18 1/2 years ago (even the replacement RFC4632
    is 5 1/2 years old) - windoze has got to be backward compatible!
    Correct - neither RFC2661 (Layer Two Tunneling Protocol "L2TP") nor
    RFC1332 (The PPP Internet Protocol Control Protocol) discusses routes.
    These are controlled "higher" in the stack.

    Old guy
     
    Moe Trin, Jan 24, 2012
    #4