On Fri, 28 Feb 2014 19:42:26 -0800
"Paul B. Henson" <hen...@acm.org> wrote:
> On Sat, Mar 01, 2014 at 11:23:01AM +0900, YASUOKA Masahiko wrote:
>> I'm not sure whether it works. Can you try it by static route?
>
> A static route on the network on the other side of the openbsd box? I'm
> sure that would work; when I try to ping a box out in the network from
> the vpn client, I can see the outbound pings traversing the link from
> the openbsd box to the router on the other side:
>
> 19:24:43.669307 10.128.120.163 > 10.128.130.1: icmp: echo request
> 19:24:44.646823 10.128.120.163 > 10.128.130.1: icmp: echo request
> 19:24:45.644309 10.128.120.163 > 10.128.130.1: icmp: echo request
> 19:24:46.666878 10.128.120.163 > 10.128.130.1: icmp: echo request
>
> The return packets are getting dropped due to the lack of a route, so if
> I had a static route on the other side it would work, but I'd rather not
> use static routes, ideally I can make ospfd dynamically advertise routes
> as necessary.

Sorry, I thought you were trying to add additional routes through the PPP
client. Now I understand what you are trying.

>> Also, if there is a network behind the vpn, you can assign a static ip
>> address and netmask instead of assigning /32 dynamic address. See
>> npppd-users(5) and use framed-ip-address and framed-ip-netmask.
>
> I'd prefer not to assign a static IP per user, I like the concept of
> just having a dynamic pool and users just get whatever address out of
> it. I'm not sure how the netmask would work for a point-to-point link?
> How could it be anything but a /32? Or would the netmask be for the route
> on the other side? Right now it looks like the client is setting a
> route to 10.0.0.0/8 across the tunnel, that should actually be
> 10.128.0.0/16, would setting the netmask in npppd-users fix that remote
> route? Can I set the netmask but still let the client get a dynamic IP?

My answer was wrong. Assigning statically or netmask to the client is not
related to the ospf problem, I'm sorry.

>> many /32 routes show something wrong.
>
> Why?

npppd sets a /32 route for a VPN client and deletes it when the link goes
down.

> Isn't each instance of pppx for the VPN a /32 route to the remote
> IP?

You had 16 /32 routes. Don't you mean you had 32 VPN clients actually,
right?

Sorry, I'm not good at ospfd, so I could not answer other questions soon.

--yasuoka