IPsec L2TP VPN client side routing incorrect

Hi,

We have a configuration where L2TP IPsec is being used to allow PPP VPN connections into the office LAN. The LAN subnet is 192.168.172.0/23.

Config is as follows:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr,3des,blowfish pfs-group=none
add enc-algorithms=aes-256-cbc,3des name=L2TP-Proposal pfs-group=none
/ip pool
add name=vpn-client-pool ranges=192.168.172.224/29
/interface l2tp-server server
set default-profile=geo-proxy-nat enabled=yes ipsec-secret="LLLLLLLLLLLLLLLLL" keepalive-timeout=60 max-mru=1400 max-mtu=1400 use-ipsec=yes
/ip address
add address=X.X.X.X/29 comment="WAN" interface=sfp1-wan network=X.X.X.X
add address=192.168.172.200/23 comment="LAN" interface=ether1-lan network=192.168.172.0
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for 192.168.172.172/23" out-interface=sfp1-wan src-address=192.168.172.0/23
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp profile
add change-tcp-mss=yes comment="NAT Routing Proxy for VPN Clients" local-address=X.X.X.X name=geo-proxy-nat remote-address=vpn-client-pool
/ppp secret
add name=user1 password=aaabbbbbbbbbbbbbbbbbbb

We have a problem with Mac clients using the built-in OSX L2TP VPN client. They are able to connect fine, but we see that they only appear to have a route to 192.168.172.0/24 so cannot access devices on the second half of the /23. I have tried adding a static route on the client for 192.168.173.0/24 via the PPP connection which appears to force this traffic down the tunnel, but I can’t understand why this is necessary.

I would appreciate any help with understanding this problem. Thanks in advance.

I would assume the Mac client uses the same method as the Windows one, i.e. it adds a route based on the class of the address assigned by the server. So since the 192.168.0.0/16 range is 256 Class C (/24) subnets, it automatically adds a route to the matching /24, but anything else must be added manually. The IPCP protocol itself doesn’t tell the client anything about the subnet size; it assigns just a single address and that’s it.

Thanks, the weird thing is that I have already tried assigning a manual IP with the correct /23 subnet but it still only adds a /24 route into the table.

It’s almost looking like a bug in the VPN client code, but since it’s pre-rolled with the OS that seems unlikely. I am stumped, in short.

You cannot add any other address than /32 to an end of an L3 (IP) point-to-point tunnel. If you can, it is a bug.

Despite the fact that the protocol is called L2TP, the embedded clients of Windows, Mac and Android only use L3 tunneling (using IPCP); L2TP as such, like any other derivative of PPP, also supports L2 tunneling using BCP, but the only device I know to be able to use it is Mikrotik itself.


It’s not a bug, it’s a feature inherited from the times when CIDR masks (free prefix size choice independent of the prefix value) were still to be introduced. You can try to assign 172.19.x.y to the client, it’ll likely get a route to 172.19.0.0/16.
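The classful behaviour described in the two replies above, worked through as an added example (not code from the thread or from any vendor's client): it derives the /8, /16 or /24 route a PPP client installs from its IPCP-assigned address alone and reports which part of the office LAN still needs a static route. The pool 192.168.172.224/29 and LAN 192.168.172.0/23 are taken from the original post; the function names are my own.

```python
import ipaddress

# Values taken from the original post: the pool the L2TP server hands addresses
# out from and the office LAN the client is expected to reach through the tunnel.
VPN_POOL = ipaddress.ip_network("192.168.172.224/29")
OFFICE_LAN = ipaddress.ip_network("192.168.172.0/23")


def classful_route(assigned):
    """Classful network an old-style PPP client derives from its IPCP address:
    /8 for class A, /16 for class B, /24 for class C. IPCP carries no mask."""
    ip = ipaddress.ip_address(assigned)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{assigned} is not a unicast class A/B/C address")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def missing_routes(assigned, lan):
    """Parts of `lan` the implied classful route does not cover, i.e. the
    static routes the client needs before it can reach the whole LAN."""
    implied = classful_route(assigned)
    lan = ipaddress.ip_network(lan)
    if implied.supernet_of(lan):          # implied route already covers the LAN
        return []
    if lan.supernet_of(implied):          # LAN is wider than the classful route
        return [str(n) for n in lan.address_exclude(implied)]
    return [str(lan)]                     # disjoint: nothing of the LAN is covered


def goes_via_tunnel(assigned, dest, static_routes=()):
    """True if `dest` matches the implied classful route or one of the manually
    added static routes pointing at the PPP interface."""
    ip = ipaddress.ip_address(dest)
    routes = [classful_route(assigned)] + [ipaddress.ip_network(r) for r in static_routes]
    return any(ip in r for r in routes)


if __name__ == "__main__":
    client_ip = str(VPN_POOL[1])          # first usable pool address, 192.168.172.225
    print("implied route:", classful_route(client_ip))
    print("static routes still needed:", missing_routes(client_ip, OFFICE_LAN))
    for host in ("192.168.172.10", "192.168.173.10"):
        print(host, "via tunnel:", goes_via_tunnel(client_ip, host))
```

Running it shows the /24 route and reports 192.168.173.0/24 as the single static route still needed, which is exactly the route the original poster had to add by hand.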