Configuring Split tunneling in L2TP/IPsec using an MS DHCP server
Last modified on 2 Dec, 2022. Revision 12
Up to date for | cOS Core 14.00.06 |
Supported since | cOS Core 9.x |
Status | OK |
Author | Peter Nilsson |
Description
I’m using the Windows L2TP/IPsec client but I do not want to send everything through the VPN interface, which is the default behavior in the Windows L2TP/IPsec implementation.
Solution
When an L2TP/IPsec client connects, it sends a DHCP Inform message inside the L2TP tunnel to request any additional DHCP options the server has configured. One of the options it asks for is Classless Static Route (option 121).
A solution in a few simple steps:
1. Configure a DHCP Relay listening on the L2TP Interface that forwards the request to an MS DHCP Server.
2. Configure the DHCP Scope in Windows to only include the IP and subnet of the L2TP Interface and remove any unused options (e.g. DNS, router and so on).
3. Add option 121 with the routes needed, using the IP of the L2TP Interface as the router IP.
This solution has been tested on both OS X and Windows clients.
Note: Some users may wonder why we cannot use the DHCP server in cOS Core itself. The reason for this is that the cOS Core DHCP server does not send the specific option format the client needs in order to accept the route. This is a known limitation and may be subject to change in the future. Using an MS DHCP server is a good workaround until then. The Clavister R&D ID for this issue is COP-15720.
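Added example, not part of this article or of cOS Core: the RFC 3442 byte layout that option 121 carries, which is the format the client expects and the cOS Core DHCP server does not produce. The route list and the router address 172.16.1.1 (standing in for the L2TP Interface IP) are constructed values; encode_routes builds the option and decode_routes lets you check the bytes actually seen in a DHCP ACK captured on the L2TP Interface.

```python
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442 tag


def encode_routes(routes, router):
    """Build the option 121 payload: per route, one byte prefix length,
    only the significant octets of the destination, then a 4-byte router."""
    gw = ipaddress.IPv4Address(router).packed  # L2TP Interface IP (constructed)
    payload = bytearray()
    for cidr in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)
        significant = (net.prefixlen + 7) // 8  # /24 -> 3 octets, /8 -> 1, /0 -> 0
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += gw
    return bytes(payload)


def build_option(routes, router):
    """Full TLV (tag, length, payload). One option instance is limited to
    255 bytes, so a long route list must be rejected rather than truncated."""
    payload = encode_routes(routes, router)
    if len(payload) > 255:
        raise ValueError("option 121 payload exceeds 255 bytes; shorten the route list")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(payload)]) + payload


def decode_routes(payload):
    """Parse an option 121 payload back into (cidr, router) tuples,
    validating prefix lengths and detecting a truncated router field."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        i += 1
        dest = bytes(payload[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        gw = bytes(payload[i:i + 4])
        if len(gw) != 4:
            raise ValueError(f"truncated router field at offset {i}")
        i += 4
        net = ipaddress.IPv4Network((dest, prefixlen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


if __name__ == "__main__":
    opt = build_option(["192.168.10.0/24", "10.0.0.0/8"], "172.16.1.1")
    print(opt.hex(), decode_routes(opt[2:]))
```

Because the client installs only the routes listed here and keeps its own default route, no 0.0.0.0/0 entry should appear in the list; if a capture shows one, the tunnel is back to carrying all traffic.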