How to send multiple routes to L2TP client

Hi,

I'm trying to send multiple routes (the 10.0.0.0/8 network and the 172.16.0.0/12 network) to my L2TP client (Windows 7), but only the 10.0.0.0/8 network is being installed in the Windows routing table.


> ppp secret print detail 
Flags: X - disabled 
 0   name="tomasi" service=l2tp caller-id="" password="Pa$$worD" profile=default local-address=10.19.19.1 remote-address=10.19.19.2 \
     routes="10.0.0.0/8 172.16.0.0/12" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/16/2021 09:55:33

On the client side (Windows 7) the 10.0.0.0/8 network is being automagically installed in the routing table.
Default route is not being installed (great, my aim is to send only specific traffic inside the L2TP tunnel)


C:\Windows\system32>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0   192.168.25.254   192.168.25.192      25
         10.0.0.0        255.0.0.0       10.19.19.1       10.19.19.2      26
       10.19.19.2  255.255.255.255          On-link       10.19.19.2     281

Is there a way to install multiple routes (10.0.0.0/8 + 172.16.0.0/12) via L2TP?

Thanks!

There is, but not on Mikrotik. The Windows embedded VPN client sends a DHCPINFORM message through the L3 tunnel, and expects a response carrying Option 249, which is a routing table.

Mikrotik does support this mechanism for IKEv2, but not for L2TP. To use IKEv2 as a responder on Mikrotik and as a mode of the embedded VPN client on Windows, you currently have to use a machine certificate (not a user one) on the Windows side.

You can configure “persistent” routes (using -p parameter when adding them) on Windows, with gateway address 0.0.0.0 and interface set to the VPN virtual one, which become active only when the interface is up.

Try PowerShell:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "172.16.0.0/12"

I tried several formats of the route field, but none worked.

The way I found was the old (but gold) BAT script:

@echo off

REM show interface indexes; on this machine the L2TP interface is index 54
netsh interface ipv4 show interfaces

REM delete old static routes (whatever interface they currently point at)
route delete 10.0.0.0 mask 255.0.0.0
route delete 172.16.0.0 mask 255.240.0.0

REM add new static routes via the tunnel gateway, bound to interface 54
route add 10.0.0.0 mask 255.0.0.0 10.195.195.1 metric 1 IF 54
route add 172.16.0.0 mask 255.240.0.0 10.195.195.1 metric 1 IF 54

pause

This way only packets destined for the 10.0.0.0/8 and 172.16.0.0/12 networks were forwarded into the L2TP tunnel.

Thank you all!


EDIT:

As the VPN connection dynamically changes its interface index, the BAT script stopped working.

I moved the script to netsh commands:


REM delete old static routes
route delete 10.0.0.0 mask 255.0.0.0
route delete 172.16.0.0 mask 255.240.0.0

REM add the routes by interface name instead of index; store=persistent keeps them across reconnects
netsh int ipv4 add route 10.0.0.0/8 "VPN Connection" 10.195.195.1 store=persistent
netsh int ipv4 add route 172.16.0.0/12 "VPN Connection" 10.195.195.1 store=persistent

This way, netsh will find the index related to the "VPN Connection" interface.
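Two background points help explain why the client-side fix above is needed at all. The `routes=` field of a RouterOS PPP secret installs routes on the router when the client connects; it is not pushed to the client. And the 10.0.0.0/8 entry that appeared on Windows "by itself" is the class-based route Windows adds for the tunnel address (10.19.19.2 is in class A) when "Use default gateway on remote network" is off, which is why 172.16.0.0/12 never showed up.

The following is an added PowerShell example, not code from the thread. It does the same job as the final netsh script (routes resolved by interface alias rather than index, written to the persistent store) and adds the check a practitioner wants afterwards: each prefix really points into the tunnel, and the default route has not moved onto it. It assumes the connection name "VPN Connection", tunnel gateway 10.195.195.1 and the two prefixes from the thread, an elevated prompt, and the NetTCPIP cmdlets, which exist on Windows 8 / Server 2012 and later but not on Windows 7 (there, the netsh commands above are the equivalent).

```powershell
# Added example, not from the thread: split-tunnel routes for a Windows L2TP
# connection, keyed on the interface alias so a changing ifIndex does not
# break them, followed by a verification that only the listed prefixes go
# into the tunnel. Assumed names/addresses: "VPN Connection", 10.195.195.1.
# Requires an elevated prompt and Windows 8 / Server 2012 or later (NetTCPIP).
param(
    [string]   $ConnectionName = "VPN Connection",
    [string]   $NextHop        = "10.195.195.1",
    [string[]] $Prefixes       = @("10.0.0.0/8", "172.16.0.0/12")
)
$ErrorActionPreference = "Stop"

# 1. Dial the connection if it is not already up (rasdial with no arguments
#    lists the active RAS connections).
if (-not ((rasdial) -match [regex]::Escape($ConnectionName))) {
    rasdial $ConnectionName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial '$ConnectionName' failed with exit code $LASTEXITCODE"
    }
}

# 2. Resolve the interface by alias on every run. The ifIndex of a RAS
#    adapter can change between dial-ups, which is what broke 'route add ... IF 54'.
$vpnIf = Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4

foreach ($prefix in $Prefixes) {
    # 3. Remove any stale route for this prefix regardless of the interface it
    #    points at (this also drops the class-based 10.0.0.0/8 route Windows added).
    Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # 4. Write the route to the persistent store, the counterpart of
    #    'netsh int ipv4 add route ... store=persistent'; Windows reapplies it
    #    whenever the interface comes up.
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $vpnIf.ifIndex `
                 -NextHop $NextHop -RouteMetric 1 -PolicyStore PersistentStore | Out-Null
}

# 5a. Verify in the active table: every prefix must be bound to the tunnel.
foreach ($prefix in $Prefixes) {
    $active = Get-NetRoute -DestinationPrefix $prefix -InterfaceIndex $vpnIf.ifIndex `
                           -ErrorAction SilentlyContinue
    if (-not $active) { throw "Route $prefix is not active on '$ConnectionName'" }
}

# 5b. Verify the default route is NOT on the tunnel; otherwise the client has
#     silently become a full-tunnel client ("Use default gateway on remote network").
$defaultOnVpn = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $vpnIf.ifIndex `
                             -ErrorAction SilentlyContinue
if ($defaultOnVpn) { throw "Default route is on '$ConnectionName'; split tunnel is not in effect" }

# Show what the tunnel interface now carries.
Get-NetRoute -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, RouteMetric, ifIndex -AutoSize
```

Run it after the tunnel is up, or let step 1 dial it. If step 5a reports a prefix missing from the active table on your build, add the same `New-NetRoute` call a second time with `-PolicyStore ActiveStore`; the persistent copy is still what survives the next reconnect. Step 5b is the part worth keeping even if you script the routes some other way: the whole point of the exercise is that only 10.0.0.0/8 and 172.16.0.0/12 leave via the tunnel, and a default route quietly landing on the VPN adapter would undo that without any error.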