Routing problem with changing Gateway address

[OlliC]

Hi,

i have a small problem with my IPsec/L2TP connection to a Microsoft vpn server. This is not really a bug report but maybe someone can help with this.

So i want the vpn connection to only add a route to the remote network and not to route all traffic through it. So i checked the checkbox on the IPv4 tab which says "Use this connection only for ressources in their network" (freely translated from German ;-)). But it does not add the route automatically even when automatic slider is set to on and i have to manually add the route in the boxes below.

The problem is now the remote gateway address can change on every connect. It worked for a while but then the connection kept failing because of the wrong remote gateway address.

So is there a way to make it use the remote gateway that gets negotiated by pppd?

[dkosovic]

Have a look at the following :

• https://wiki.strongswan.org/issues/898#note-1

Are the Windows clients using the simple IP address class-based approach or the DHCP option 249 approach ? I don't think Linux VPN clients add a route like the simple IP address class-based route approach Windows clients automatically add for split network VPN.

I'm not sure about the automatic slider you are referring to, perhaps you meant the "Automatic (VPN) Addresses Only" tick box, which unintuitavely corresponds to NetworkManager's ignore-auto-dns setting. NetworkManager-l2tp queries the value of ignore-auto-dns and then either includes or doesn't include pppd's usepeerdns flag in one of the config files that gets generated, see commit# https://github.com/nm-l2tp/network-manager-l2tp/commit/7328971a08d897641661e6d2539bc44351909a1d .

[OlliC]

I am not sure how the windows clients handle this as i only use the vpn connection on linux.
Regarding the automatic slider i am referring to IPv4 tab in the vpn connection settings. There is a slider for DNS on/off and Routes on/off. I do not see a "Automatic (VPN) Addresses Only" tickbox anywhere. The checkbox on the bottom is labeled "Use this connection only for ressources on its network" correctly in english. If i do not check this the default route is added and everything goes through the vpn.

In the logs i see this:

Feb 07 13:03:59 viki pppd[2449]: local  IP address 192.168.0.107
Feb 07 13:03:59 viki pppd[2449]: remote IP address 192.168.0.112

In this case 192.168.0.112 would be the gateway i would have to add with 192.168.0.0 as the network address and 255.255.255.0 as the netmask.

[dkosovic]

From the log and what you wrote, sounds like the Windows clients connecting to that VPN server would just be using simple class based routing.

As it is a point to point connection, you don't need to route the split network packets to the VPN gateway, routing to the VPN interface which is usually ppp0 should suffice. On the command-line it would be something like :

ip route add 192.168.0.0/24 dev ppp0

I'm writing this on a mac so not sure what the NetworkManager GUI equivalent would be.

[OlliC]

Yes with this command its working even without a gateway. Unfortunately the GUI does not seem to let you enter a route without a gateway address.

[dkosovic]

You could probably create a /etc/ppp/ip-up.d/01-routes.sh script something like the following :

#!/bin/bash

# This script is called with the following arguments:
# Arg Name
# $1 Interface name
# $2 The tty
# $3 The link speed
# $4 Local IP address for the interface
# $5 Peer IP address
# $6 Optional 'ipparam' parameter specified to pppd

case "$5" in
    192.168.0.*)
        ip route add 192.168.0.0/24 dev $1
    ;;
esac

[OlliC]

Working great. Thanks!