L2TP Over IPSEC VPN - Split Tunneling

Anthoshell
Anthoshell Posts: 13  Freshman Member
First Comment Friend Collector Second Anniversary
edited April 2021 in Security
Hello :) 

I'm having an issue trying to exclude internet traffic from our VPN L2TP client/server tunnel.

-> Server is a USG 210
-> Client is a Windows client

Can someone explain how to do that? Is there a routing rule to set to do that?

I really need to keep the internet traffic out of the L2TP tunnel ... as our bandwidth is 10 Mb.

Thanks for your help


All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello Anthoshell,
    The Windows device does not support split tunneling in the L2TP scenario (iOS devices can do that).
    However, for Windows devices, the client can do split tunneling via IKEv2.
    Here is an example for IKEv2 for your reference.
    Link:
    https://drive.google.com/file/d/1HHdkh4m1GNMJoFpnUb4StPobIxPflOoO/view?usp=sharing
    Charlie
  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hello Charlie,

    And thanks for your message, well, I will try that :)
  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited November 2017
    Now the client (Windows) says the connection between your laptop and the server cannot be established ...

    Is there a firewall rule to apply or something?

    I followed exactly the schema you attached in your first message.

    Thanks again for your help
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello Anthoshell,
    I assume you imported the cert the wrong way, because I tested it locally and it's working.
    Here are the details of importing the cert to the PC for your reference.
    Link: https://drive.google.com/file/d/1atyfeDbtdmOc7aNnVzFII165zckCdYUo/view?usp=sharing
    Also, please make sure the "IKE and AuthIP IPsec Keying Modules" service is already started.

    Please choose “System and Security”.

    Choose “Administrative Tools”.

    Choose “Component Services”.

    Make sure the status of “IKE and AuthIP IPs..” is started.

    Charlie


  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited November 2017

    Is there any routing rule to add in the USG?

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    @Anthoshell
    I remember you have to create a static route from your L2TP VPN network to any, and the next hop is your configured "WAN TRUNK".
    The VPN IP range is not an existing IP segment on your USG, so you have to configure a static route to be able to get connected to the internet through your WAN trunk. All other (internal) networks are routable automatically.

    Have fun
    Christian
  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hi @ChristianG and thanks

    It's not L2TP but IPsec IKEv2. I created the route just for testing ... had the same issue: local resources are reachable but still no internet ... and I need the internet traffic to not go across the tunnel, that's the reason why I can't use L2TP

    :(


  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hello @Zyxel_Charlie Charlie, thanks again! The VPN is now connected ... and I can access local resources but not the internet ...
    Is there any routing rule to add in the USG?
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    @Anthoshell
    In split mode, I remember on a Checkpoint I have to check the central configuration for the VPN clients. The local networks must be defined there; they are accessible through the VPN, plus a wildcard for internet access directly through the user's ISP.

    Good luck!
    Christian
  • Anthoshell
    Anthoshell Posts: 13  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited November 2017
    Hello guys ... @ChristianG @Zyxel_Charlie

    I tried to modify some specifications on the VPN client ... playing with routing rules ... nothing to do, I can access local resources but no internet.

    Can someone else help? ^^
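The Windows-side configuration Charlie describes (IKEv2 with split tunneling, IKEEXT service running) can be done and verified from PowerShell; the script below is an added example, not Zyxel's or the thread's own material, and the connection name, server address and internal subnets are placeholders to replace with your own. It assumes certificate (MachineCertificate) authentication, matching the certificate import discussed above.

```powershell
# Added example: Windows IKEv2 VPN client with split tunneling.
# Only the office subnets are routed through the tunnel; ordinary internet
# traffic keeps using the local ISP. Placeholder values, replace as needed.
$ConnName     = 'Office-IKEv2'                      # placeholder connection name
$ServerAddr   = 'vpn.example.com'                   # placeholder, must match the USG cert CN/SAN
$InternalNets = @('192.168.1.0/24', '192.168.10.0/24')  # placeholder LAN subnets behind the USG

# 1. The "IKE and AuthIP IPsec Keying Modules" service (IKEEXT) must be
#    running, as the thread notes; otherwise IKEv2 fails before authentication.
$ike = Get-Service -Name IKEEXT
if ($ike.Status -ne 'Running') {
    Set-Service  -Name IKEEXT -StartupType Automatic
    Start-Service -Name IKEEXT
}

# 2. Create (or update) the IKEv2 connection with split tunneling enabled.
#    With split tunneling the client does not install a default route via
#    the VPN, so internet-bound packets never enter the tunnel.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $ServerAddr `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required -SplitTunneling -RememberCredential:$false
} else {
    Set-VpnConnection -Name $ConnName -SplitTunneling $true
}

# 3. Route only the internal prefixes over the tunnel (idempotent).
foreach ($net in $InternalNets) {
    $existing = Get-VpnConnectionRoute -ConnectionName $ConnName -ErrorAction SilentlyContinue |
                Where-Object { $_.DestinationPrefix -eq $net }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $net
    }
}

# 4. Verify: SplitTunneling must be True and the route list must contain only
#    the internal prefixes, never 0.0.0.0/0 (which would pull internet traffic in).
Get-VpnConnection -Name $ConnName | Select-Object Name, TunnelType, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $ConnName | Select-Object DestinationPrefix, PrefixSize
```

Once the client is up, `Get-NetRoute -InterfaceAlias $ConnName` should list only the internal prefixes on the VPN interface; if the USG side still needs a route for the VPN pool (as ChrisGer describes), that is configured on the USG, not on the client. Note that with split tunneling the client's internet traffic is no longer inspected by the USG, so endpoint protection on the laptop has to cover that path.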
