
VPN, L2TP, and problems with netmasks...


Marcin Łukasik, Jan 23, 2012, 7:54:23 AM
Hello,

Not exactly a Linux networking question, but please forgive me (but I'm pretty sure the firewall runs Linux).

I've set up an L2TP VPN on a SonicWall NSA240 firewall.
It works. But it doesn't when I split the network in two subnets. 10.9.8.0/24 is my office, 10.9.9.0/24 is allocated for VPN users.
The problem occurs while accessing 10.9.8.0 over VPN.
It works on Windows, since Windows adds 10.0.0.0/8 route via VPN ("class-based route addition"). So when I say ping 10.9.8.x it works fine, since the packet goes over the VPN.
But on Mac this doesn't work, since Mac assumes a netmask of 255.255.255.0, therefore packet destined for 10.9.8.x goes via my default gateway, not VPN, and never reaches the host.

I found out that the only settings you can get over VPN are remote/local IPs of the tunnel and router's IP address.

My questions are:
1) What protocol is used to assign these IP settings to the client?
2) How the heck did this work in the past on an Apple server? We had two subnets too...

Thanks a lot in advance!
Martin

Pascal Hambourg, Jan 23, 2012, 3:17:12 PM
Hello,

Marcin Lukasik wrote:
>
> I've set up an L2TP VPN on a SonicWall NSA240 firewall.
> It works. But it doesn't when I split the network in two subnets.
> 10.9.8.0/24 is my office, 10.9.9.0/24 is allocated for VPN users.
> The problem occurs while accessing 10.9.8.0 over VPN.
> It works on Windows, since Windows adds 10.0.0.0/8 route via VPN
> ("class-based route addition"). So when I say ping 10.9.8.x it works
> fine, since the packet goes over the VPN.

This is so wrong, even if it does what you need.
Classes are deprecated.

> But on Mac this doesn't work, since Mac assumes a netmask of
> 255.255.255.0, therefore packet destined for 10.9.8.x goes via my
> default gateway, not VPN, and never reaches the host.
>
> I found out that the only settings you can get over VPN are
> remote/local IPs of the tunnel and router's IP address.
>
> My questions are:
> 1) What protocol is used to assign these IP settings to the client?

As L2TP usually transports PPP sessions, I guess it is IPCP, the
protocol used by PPP to negotiate IP parameters such as the remote and
local addresses. AFAIK, it does not allow "pushing" routes like
OpenVPN does. So you need to add the route by other means when the
tunnel is up. Any decent PPP software should be able to do it.
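The following is an added example, not code from the thread or from any of the posters: a POSIX shell script in the shape of a pppd `/etc/ppp/ip-up` hook (pppd calls it with interface, tty, speed, local IP, remote IP, ipparam) that adds the 10.9.8.0/24 office route explicitly once the L2TP/PPP tunnel comes up, instead of relying on whatever netmask the client guesses. It also contains two small helpers that make the thread's observation concrete: `classful_prefix` shows why Windows' class-based rule turns a 10.x.x.x tunnel address into a /8 route that happens to cover 10.9.8.0, and `same_net` shows that the /24 macOS assumes does not. The office prefix, interface name and the per-OS route commands are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): an /etc/ppp/ip-up style hook that adds
# the office subnet route explicitly after the L2TP/PPP tunnel is up.
# pppd invokes ip-up as: ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumption: the office network is 10.9.8.0/24 (taken from the thread) and
# is reachable through the tunnel interface itself.

OFFICE_NET="10.9.8.0/24"

# Classful prefix length a client infers from the first octet of an address
# (the RFC 791 classes that "class-based route addition" still uses).
classful_prefix() {
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo 8     # class A
    elif [ "$first" -lt 192 ]; then echo 16    # class B
    elif [ "$first" -lt 224 ]; then echo 24    # class C
    else                             echo 32   # class D/E: no host network
    fi
}

# Return 0 if addresses $1 and $2 share the same network for an
# octet-aligned prefix length $3 (8, 16, 24 or 32).
same_net() {
    a=$1; b=$2; n=$(($3 / 8)); i=0
    while [ "$i" -lt "$n" ]; do
        [ "${a%%.*}" = "${b%%.*}" ] || return 1
        a=${a#*.}; b=${b#*.}; i=$((i + 1))
    done
    return 0
}

# Route command for the client OS ($1 = uname -s output, $2 = ppp interface).
# Assumed syntax: BSD route(8) on macOS, iproute2 on Linux.
route_cmd() {
    case "$1" in
        Darwin) echo "route -n add -net $OFFICE_NET -interface $2" ;;
        *)      echo "ip route replace $OFFICE_NET dev $2" ;;
    esac
}

# The hook body: explain what the client would have guessed, then add the
# route. Set DRY_RUN=1 to print the command instead of executing it.
ip_up_hook() {
    iface=$1; local_ip=$4; peer_ip=$5
    office_host=${OFFICE_NET%/*}
    guess=$(classful_prefix "$local_ip")
    if same_net "$local_ip" "$office_host" "$guess"; then
        echo "classful /$guess from $local_ip would cover $OFFICE_NET (Windows case)"
    fi
    if ! same_net "$local_ip" "$office_host" 24; then
        echo "a /24 from $local_ip does not cover $OFFICE_NET (Mac case); adding route"
    fi
    cmd=$(route_cmd "$(uname -s)" "$iface")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        eval "$cmd"
    fi
    echo "tunnel $iface up: local $local_ip peer $peer_ip"
}

# Only act when installed as the pppd hook; sourcing the file does nothing.
case "${0##*/}" in
    ip-up) ip_up_hook "$@" ;;
esac
```

Copy the file to `/etc/ppp/ip-up` (or call `ip_up_hook` from an existing one) and the route is installed on every connect; `DRY_RUN=1 ./ip-up ppp0 - 0 10.9.9.5 10.9.9.254 ""` shows what it would do without touching the routing table.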

Marcin Łukasik, Jan 24, 2012, 6:51:42 AM, to pasca...@plouf.fr.eu.org
On Monday, January 23, 2012 8:17:12 PM UTC, Pascal Hambourg wrote:

> This is so wrong, even if it does what you need.
> Classes are deprecated.

You have to set it up for the interfaces, so I did.
But when I said "I've allocated 10.9.9.0/24" I meant "VPN users use a range of 10.9.9.1 - 10.9.9.254".


> As L2TP usually transports PPP sessions, I guess it is IPCP, the
> protocol used by PPP to negotiate IP parameters such as the remote and
> local addresses. AFAIK, it does not allow "pushing" routes like
> OpenVPN does. So you need to add the route by other means when the
> tunnel is up. Any decent PPP software should be able to do it.

Thank you.
True, it doesn't "push" routes. I can add them manually and it works fine, but I'm trying to avoid this.
Not all the users know much about computers and VPNs, and I want to make their life (and mine) easier.
Windows adds a route to 10.0.0.0 (so /8), which makes it work.
Mac adds a route to 10.9.9.0 (so /24), which makes 10.9.8.0 inaccessible via VPN.

My best option was to route all the traffic via VPN on Mac. In this case a default route is created and routed via the VPN.
This of course isn't ideal...

But Apple Server was able to "push" some setting, that created either two routes (to 10.9.8.0 and to 10.9.9.0) or extended the subnet allocated by the system from /24, to something wider.

The only thing that comes to my mind is "pushing" two router IPs to the client (so 10.9.8.254 and 10.9.9.254). Then the system would probably create two routes.
But I am not sure whether this is possible by design?
The client gets local and remote IPs for the tunnel, and probably the gateway. But can client get two gateways? What other settings can be sent over IPCP?

Thanks a lot,
Marcin

Moe Trin, Jan 24, 2012, 3:02:35 PM
On Mon, 23 Jan 2012, in the Usenet newsgroup comp.os.linux.networking, in
article <jfkf89$2fft$1...@saria.nerim.net>, Pascal Hambourg wrote:

>Marcin Lukasik wrote:

>> It works on Windows, since Windows adds 10.0.0.0/8 route via VPN
>> ("class-based route addition").

>This is so wrong, even if it does what you need.
>Classes are deprecated.

1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan.
September 1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338)
(Obsoleted by RFC4632) (Status: PROPOSED STANDARD)

Hey, it only happened 18 1/2 years ago (even the replacement RFC4632
is 5 1/2 years old) - windoze has got to be backward compatible!

>As L2TP usually transports PPP sessions, I guess it is IPCP, the
>protocol used by PPP to negotiate IP parameters such as the remote
>and local addresses. AFAIK, it does not allow "pushing"
>routes like OpenVPN does.

Correct - neither RFC2661 (Layer Two Tunneling Protocol "L2TP") nor
RFC1332 (The PPP Internet Protocol Control Protocol) discusses routes.
These are controlled "higher" in the stack.

Old guy