L2TP Over IPSEC VPN - Split Tunneling
Anthoshell
Posts: 13 Freshman Member
Hello
I'm having issue trying to exclude internet traffic from our VPN L2TP client / Server tunnel
-> Server is an USG 210
-> Client is Windows client
Can someone explain how to do that? Is there a routing rule to set to do that ?
I really need to keep the internet traffic out of the L2TP tunnel ... as our bandwidth is a 10 mb
THanks for your help
I'm having issue trying to exclude internet traffic from our VPN L2TP client / Server tunnel
-> Server is an USG 210
-> Client is Windows client
Can someone explain how to do that? Is there a routing rule to set to do that ?
I really need to keep the internet traffic out of the L2TP tunnel ... as our bandwidth is a 10 mb
THanks for your help
0
Accepted Solution
-
Hello Anthoshell,
On windows PC, we need to uncheck Use default gateway on remote network, and add routing on CMD. Please follow below steps.You can implement the split tunnel configuration by following the steps below.
1. Go to Start > Control Panel > Network and Sharing > Change Adapter Settings.
2. Right click the VPN Connection Adapter and click Properties from the pop-up to view the VPN Connection Properties Window.
3. Switch to Networking Tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties to view the Properties window.
4. In the Internet Protocol Version 4 (TCP/IPv4) properties window, click Advanced.
5. In the Advanced TCP/IP Settings window under IP Settings tab, uncheck Use default gateway on remote network.
After that please add the routing on CMD on PC
Here is example, "route add 192.168.1.0 mask 255.255.255.0 192.168.100.33"
"route add (local policy) mask (subnet of local policy) (the IP address you get after VPN established)"
the"192.168.1.0" is local policy ,and "mask 255.255.255.0" is local policy subnet. "192.168.100.33" is the IP address you get after VPN established.
Charlie5
All Replies
-
Hello Anthoshell,
The Windows device doesnot support Split Tunneling in the L2TP scenario.(IOS device can do that)
However, for windows device, client can do split tunneling via IKEv2.
Here is an example for IKEv2 as your reference.
Link:
https://drive.google.com/file/d/1HHdkh4m1GNMJoFpnUb4StPobIxPflOoO/view?usp=sharing
Charlie1 -
Hello Charlie,
And thanks for your message, well, will try that
0 -
Zyxel_Charlie said:Hello Anthoshell,
The Windows device doesnot support Split Tunneling in the L2TP scenario.(IOS device can do that)
However, for windows device, client can do split tunneling via IKEv2.
Here is an example for IKEv2 as your reference.
Link:
https://drive.google.com/file/d/1HHdkh4m1GNMJoFpnUb4StPobIxPflOoO/view?usp=sharing
Charlie
Is there a firewall rule to apply or something ?
I followed exactly the schema you attached in your first message
Thanks again for your help0 -
Hello Anthoshell,
I assume you did the wrong way to import Cert, because I tested it locally, and it's working.
Here is an details of Import cert to PC as your reference.
Link: https://drive.google.com/file/d/1atyfeDbtdmOc7aNnVzFII165zckCdYUo/view?usp=sharing
Also, please make sure the "IKE and AuthIP IPsec Keying Modules" already startedPlease choose “System and Security”.
Choose “Administrator Tools”.
Choose “Component Services”.
Make sure the status of “IKE and AuthIP IPs..” is started.
Charlie
0 -
Is there any routing rule to add in the USG ?
0 -
@Anthoshell
I remember you have to create a static route from your L2TP-VPN Network to any and the next hop is your configured "WAN TRUNK".
The VPN-IP Range is not an existing IP Segment on your USG, so you had to configure a static route to be able to get connected to the internet trough your WAN-TRUNK. All other networks (internal) are routable automaticaly.
Have fun
Christian
0 -
Hi @ChristianG and thanks
It's not an L2TP but an IPSEC IKEV2 i created the route just for testing ... had the same issue, local ressources are reachable but still no internet. .. and i need the internet traffic to not go accross the tunnel that's the reason why i can't use L2TP
0 -
Zyxel_Charlie said:Hello Anthoshell,
I assume you did the wrong way to import Cert, because I tested it locally, and it's working.
Here is an details of Import cert to PC as your reference.
Link: https://drive.google.com/file/d/1atyfeDbtdmOc7aNnVzFII165zckCdYUo/view?usp=sharing
Also, please make sure the "IKE and AuthIP IPsec Keying Modules" already startedPlease choose “System and Security”.
Choose “Administrator Tools”.
Choose “Component Services”.
Make sure the status of “IKE and AuthIP IPs..” is started.
Charlie
Is there any routing rule to add in the USG ?
0 -
@Anthoshell
in a split mode, i remember on a Checkpoint, i have to checkup the central configuration for the VPN Clients. There must be the local networks defined, they are accessable trough the VPN and a wildcard for internet access directly trough the users ISP.
Good luck!
Christian
0 -
Hello guys ... @ChristianG @Zyxel_Charlie
I tried to modify some specification on the VPN Client ... playing with routing rules ... nothing to do can access to local ressource but no internet.
Can someone else help ? ^^0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight