Configuring Split tunneling in L2TP/IPsec using an MS DHCP server

Last modified on 2 Dec, 2022. Revision 12
How to configure split tunneling in L2TP/IPsec using an MS DHCP server
Up to date for
cOS Core 14.00.06
Supported since
cOS Core 9.x
Status OK
Peter Nilsson


I’m using the Windows L2TP/IPsec client but I do not want to send everything through the VPN interface, which is the default behavior in the Windows L2TP/IPsec implementation.


When an L2TP/IPsec client connects, it will send a DHCP inform message in the L2TP connection to request that the server forwards any additional DHCP options that may be configured. One of the options it requests is Static Route.

A solution in a few simple steps:

  1. Configure a DHCP Relay listening on the L2TP Interface that forwards the request to an MS DHCP Server.
    2. Configure the DHCP Scope in Windows to only include the IP and subnet of the L2TP Interface and remove any unused options (i.e. DNS, router and so on).
    3. Add option 121 with the routes needed, with the IP of the L2TP Interface as router IP.

This solution has been tested on both OS X and Windows clients.

Note: Some users may wonder why we cannot use the DHCP server in cOS Core itself. The reason for this is that the cOS Core DHCP server does not send the specific option format the client needs in order to accept the route. This is a known limitation and may be subject to change in the future. Using an MS DHCP server is a good workaround until then. The Clavister R&D ID for this issue is COP-15720.

Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Partial split tunneling when using Windows L2TP/IPsec
27 Jan, 2023 ipsec core windows vpn l2tp
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
How to setup a simple cloud-init environment for testing
30 Nov, 2020 howto core cloud-init dhcp
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory