On Thu, Oct 6, 2016 at 5:37 PM, <curiousemeric at rotacioskapa.com> wrote:
> Hi,
> We at the university (which cannot be named) would like to deploy a new VPN
> solution next to our existing one.
> I know this sounds crazy, but all of our users have real, globally routable
> IPv4 VPN addresses.
> This is for historical and licensing reasons.
>
> The current L2TP/IPsec VPN uses /32 routes and addresses which it receives
> from a RADIUS server.
> Now, as far as I know, the tun/tap device can at minimum use /30 routes (for
> Windows compatibility).
> What I would like to ask: is there a way for the "up" and "down" script to
> get the Framed-IP-Address sent by RADIUS?

I assume that you are talking about how to use ocserv in that setup, right?
The RADIUS variables are not passed directly to the up/down script. However,
the ocserv-translated ones such as IP_REMOTE should contain the actual value.

> My plan is to add the /32 route to the loopback interface so the running
> dynamic routing daemon can pick it up:
> ip route add $FRAMEDIP/255.255.255.255 dev lo
> Then do something like this:
> iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP

I see now that you distinguish between IP_REMOTE and FRAMEDIP; why is that?
ocserv should have assigned the framed IP received from RADIUS as the remote
IP.

regards,
Nikos
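As an added illustration (not part of the thread above, and not ocserv's own code), here is the shape such a hook script could take if IP_REMOTE already carries the RADIUS Framed-IP-Address, as Nikos states: publish the client's /32 on lo when ocserv reports a connect, withdraw it on disconnect, and skip the SNAT rule entirely since no translation is needed. It assumes ocserv's documented hook environment (REASON set to "connect" or "disconnect", plus IP_REMOTE), validates IP_REMOTE before handing it to ip(8), and honours a hypothetical DRY_RUN variable so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example of an ocserv connect-script / disconnect-script hook.
# Assumption: ocserv exports REASON ("connect" or "disconnect") and
# IP_REMOTE (the address it assigned to the client, i.e. the RADIUS
# Framed-IP-Address) into the hook's environment.
# DRY_RUN is a hypothetical knob used here only so the script can be
# tested without privileges; ocserv does not set it.

set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255.  Anything else
# (shell metacharacters, IPv6, prefixes) is rejected before it reaches ip(8).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Publish the client's /32 on lo so a dynamic routing daemon that
# redistributes connected/kernel routes picks it up.
add_client_route() {
    run ip route add "$1/32" dev lo
}

# Withdraw the /32 again when the session ends.
del_client_route() {
    run ip route del "$1/32" dev lo
}

# Dispatch on ocserv's REASON; a non-zero return is logged by ocserv.
handle_event() {
    reason=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "refusing bad IP_REMOTE: $ip" >&2; return 1; }
    case "$reason" in
        connect)    add_client_route "$ip" ;;
        disconnect) del_client_route "$ip" ;;
        *) echo "unknown REASON: $reason" >&2; return 1 ;;
    esac
}

# Only act when invoked by ocserv (the variables are set by it).
if [ -n "${REASON:-}" ] && [ -n "${IP_REMOTE:-}" ]; then
    handle_event "$REASON" "$IP_REMOTE"
fi
```

Point the same file at both connect-script and disconnect-script in ocserv.conf; REASON tells the script which event fired. The validation step matters because IP_REMOTE ends up inside a privileged command line, and the disconnect branch keeps stale /32s from accumulating on lo after clients drop.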