I recently set up npppd on a 5.4 system to provide l2tp VPN service. This
system is the border router, and also runs ospfd to communicate routes to
the internal network, some subnets of which use vlans on the OpenBSD system
itself to avail of pf, while others are routed on a layer 3 Cisco switch.
I had hoped that when VPN clients connected, ospfd would push the /32 route,
but it doesn't. I'm not sure if that's because it's not supposed to, there
is a problem with my configuration, or there's a bug somewhere. For now,
I've added a static route, but ideally I would prefer to dynamically push
the route generated when a client connects.
The VPN setup is fairly basic:
# cat /etc/ipsec.conf
ike passive esp transport \
        proto udp from 96.251.22.154 to any port 1701 \
        psk "sekretkeyhere"
# cat /etc/npppd/npppd.conf
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
        listen on 96.251.22.154
}
ipcp IPCP {
        pool-address "10.128.120.0/24"
        dns-servers 10.128.0.4
        allow-user-selected-address no
}
interface pppx0 address 10.128.120.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
As is the ospfd config:
# cat /etc/ospfd.conf
router-id 10.128.0.4
redistribute default
redistribute connected
# areas
area 0.0.0.0 {
        interface lo1:10.128.0.4 { passive }
        interface em0 {
                auth-type crypt
                auth-md 1 "xxxxxxxxxxxx"
                auth-md-keyid 1
        }
}
When a VPN client connects, ospfd does seem to see the route that was added:
# ospfctl show fib | grep 120
4 10.128.120.109/32 10.128.120.1
However, it is not marked valid, and it's not communicated to the other
routers.
Also, when the client disconnects, it does not go away. If I disconnect, and
reconnect getting a different IP, ospfd now shows two routes:
# ospfctl show fib | grep 120
4 10.128.120.109/32 10.128.120.1
4 10.128.120.155/32 10.128.120.1
Yasuoka Masahiko said it looked like ospfd has an issue with pppx
interfaces:
http://article.gmane.org/gmane.os.openbsd.misc/211010
Using tun instead of pppx does remove the dangling route issue, ospfd only
shows the /32 route when the client is connected, and it goes away when they
disconnect. However, even with tun, the /32 route is not propagated.
So while it does seem there might be some bug involving ospfd and pppx, that
doesn't seem related to the route not being propagated. Is there any way to
get ospfd to dynamically propagate the /32 routes as clients come and go, or
is the only solution to maintain a static route?
Thanks much.
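A small monitoring helper for the dangling-route symptom described above, added here as an example and not part of the original post or of npppd/ospfd. It parses lines in the shape of the `ospfctl show fib | grep 120` output quoted in the post, picks out the /32 host routes that point at the pppx gateway address from the IPCP pool, and flags any whose address is not held by a currently connected client. The sample FIB text is constructed to mirror the post's output, and the list of active client addresses is assumed to be supplied by the operator (for instance from npppd's session listing); the pool, gateway and function names are this example's own.

```python
"""Flag /32 VPN client routes left in the OSPF FIB after the client has gone.

Added example: the FIB lines below are constructed to mirror the output shown
in the post, and the active-client list is assumed to come from the operator.
"""
import ipaddress

# Constructed sample in the shape of `ospfctl show fib | grep 120` from the post:
# the second client reconnected with a new address, but the old /32 remained.
SAMPLE_FIB = """\
4 10.128.120.109/32 10.128.120.1
4 10.128.120.155/32 10.128.120.1
"""

# Values taken from the post's npppd.conf (pool-address and pppx0 address).
POOL = ipaddress.ip_network("10.128.120.0/24")
PPP_GATEWAY = ipaddress.ip_address("10.128.120.1")


def parse_fib(text):
    """Return (prefix, nexthop) pairs from FIB-style lines.

    The first field containing '/' is taken as the prefix; the first field
    after it that parses as an address is taken as the next hop. Lines
    without a parseable prefix are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        candidates = [f for f in fields if "/" in f]
        if not candidates:
            continue
        try:
            prefix = ipaddress.ip_network(candidates[0], strict=False)
        except ValueError:
            continue
        nexthop = None
        for field in fields[fields.index(candidates[0]) + 1:]:
            try:
                nexthop = ipaddress.ip_address(field)
                break
            except ValueError:
                continue
        routes.append((prefix, nexthop))
    return routes


def client_routes(routes, pool=POOL, gateway=PPP_GATEWAY):
    """Host routes for pool addresses that point at the pppx gateway."""
    return [
        prefix for prefix, nexthop in routes
        if prefix.prefixlen == 32 and prefix.subnet_of(pool) and nexthop == gateway
    ]


def stale_routes(routes, active_clients, pool=POOL, gateway=PPP_GATEWAY):
    """Client host routes whose address no connected client currently holds."""
    active = {ipaddress.ip_address(a) for a in active_clients}
    return [
        prefix for prefix in client_routes(routes, pool, gateway)
        if prefix.network_address not in active
    ]


if __name__ == "__main__":
    # Assumed: only the reconnected client (.155) is currently up.
    routes = parse_fib(SAMPLE_FIB)
    for stale in stale_routes(routes, ["10.128.120.155"]):
        print(f"stale client route in FIB: {stale}")
```

Run it with the real FIB piped in and the active address list pulled from npppd, and anything it prints is a host route that ospfd still holds for a client that is no longer connected, which is the condition the post observed when switching between pppx and tun.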