Framed-Route not passed to L2TP client

I set up 2 Mikrotik CHRs on VirtualBox,
one as the L2TP VPN server and the other as a client.

I use an external RADIUS server for VPN AAA.

Here is a log from the L2TP server instance:
[admin@mtik-bino-01V6] /log> print

...
04:46:59 radius,debug,packet received Access-Accept with id 107 from 192.168.56.1:1812 
04:46:59 radius,debug,packet     Signature = 0xbe1eda73f930b0123b846552a9a5722a 
04:46:59 radius,debug,packet     Message-Authenticator = 0x7c9e226d5cf763d098749b04dc2f8d5d 
04:46:59 radius,debug,packet     Reply-Message = "OK" 
04:46:59 radius,debug,packet     Framed-IP-Address = 10.10.4.2 
04:46:59 radius,debug,packet     Framed-Route = "10.1.1.1/32" 
04:46:59 radius,debug,packet     Acct-Interim-Interval = 3600 
04:46:59 radius,debug,packet     MS-CHAP2-Success = 0x01533d34414436353245384446384446 
04:46:59 radius,debug,packet       37453838363933324537433036453334 
04:46:59 radius,debug,packet       3237413745383530323738 
04:46:59 radius,debug,packet     MS-MPPE-Recv-Key = 0xc1a6944b2b7a445f2b963c470f395b6f 
04:46:59 radius,debug,packet       a029fe44bb12533111e0c3c7db6928b2 
04:46:59 radius,debug,packet       0a74 
04:46:59 radius,debug,packet     MS-MPPE-Send-Key = 0xc9500470657fdc292fec0c73009ab298 
04:46:59 radius,debug,packet       8bf677ed81256fdcc0ec57d7bc544069 
04:46:59 radius,debug,packet       ab03 
04:46:59 radius,debug,packet     MS-MPPE-Encryption-Policy = 1 
04:46:59 radius,debug,packet     MS-MPPE-Encryption-Type = 6 
04:46:59 radius,debug received reply for 1b:22 
...

Note that my RADIUS server sent ‘Framed-Route = “10.1.1.1/32”’.
I hoped that with that line, the L2TP client would get a route to “10.1.1.1/32” via its VPN interface.


Here is the routing table on the L2TP client side:

[admin@mtik-bino-02] > ip ro print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.0.2.1                  1
 1 ADC  10.0.2.0/24        10.0.2.11       ether1                    0
 2 ADC  10.10.4.254/32     10.10.4.2       l2tp-out1                 0
 3 ADC  192.168.56.0/24    192.168.56.104  ether2                    0
 4 ADS  192.168.56.5/32                    ether2                    0

It looks like a static route to 10.1.1.1/32 wasn’t added.

And here is the routing table on the L2TP server side whenever a client is connected:

[admin@mtik-bino-01V6] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.1.1.0/24        10.1.1.111      ether2                    0
 1 ADS  10.1.1.1/32                        <l2tp-client2>            1
 2 ADC  10.10.4.2/32       10.10.4.254     <l2tp-client2>            0
 3 ADC  192.168.56.0/24    192.168.56.5    ether1                    0
[admin@mtik-bino-01V6] >

It looks like that ‘static route’ is injected into the server’s routing table rather than into the client’s routing table.

Please tell me or give me a clue to fix this problem.

That is working as intended - Framed-Route attributes are applied to the server; there is no mechanism in PPP-based tunnels such as L2TP for routes to be pushed to the client.

Windows clients can use DHCP once an L2TP connection is established to retrieve additional routes: the client sends a DHCPINFORM request and the RRAS server replies with the routes. This isn’t possible with a Mikrotik server as you can’t attach a DHCP server to an L2TP interface.

You can attach persistent static routes to VPN connections in Windows using PowerShell as an alternative.
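
The PowerShell alternative mentioned in the last reply, as an added example that is not part of the original thread: it attaches the prefix the RADIUS server sent as Framed-Route to a Windows VPN connection, skipping prefixes that are already attached. The connection name `L2TP-Office` is an assumed placeholder; the prefix is the one from the log above.

```powershell
# Assumptions for this example: the VPN connection name is a placeholder,
# and the prefix list mirrors the Framed-Route value seen in the server log.
$ConnectionName = 'L2TP-Office'      # hypothetical Windows VPN connection name
$Prefixes       = @('10.1.1.1/32')   # Framed-Route value from the Access-Accept

# Fail early if the connection does not exist.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Prefixes already bound to this connection (empty if none were added yet).
$existing = @(foreach ($r in $vpn.Routes) { $r.DestinationPrefix })

foreach ($prefix in $Prefixes) {
    if ($existing -contains $prefix) {
        Write-Output "Route $prefix is already attached to '$ConnectionName'"
        continue
    }
    # The route is stored with the connection and installed each time it connects.
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Verify what is now attached to the connection.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Select-Object DestinationPrefix, RouteMetric
```

The routes only appear in the Windows routing table while the VPN connection is up, which mirrors how the server installs the Framed-Route for the lifetime of the session.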