Description

I’m using the Windows L2TP/IPsec client but I do not want to send everything through the VPN interface, which is the default behavior in the Windows L2TP/IPsec implementation.

Solution

When an L2TP/IPsec client connects to a NetWall firewall, it will send a DHCP inform message in the L2TP connection to request that the server forwards any additional DHCP options that may be configured. One of the options it requests is “Static Route”.

A solution in a few simple steps:

1. Configure a DHCP Relay object in cOS Core that listens on the relevant L2TP Interface and forwards requests to the MS DHCP Server.
   2. Configure the DHCP Scope in Windows to only include the IP and subnet of the L2TP Interface and remove any unused options (i.e. DNS, router and so on).
   3. Add option 121 with the routes needed, with the IP of the L2TP Interface as the router IP.

Note that this solution has been tested by Clavister with both OS X and Windows clients.

Note: Some administrators may wonder why we cannot use a DHCP server that is set up in cOS Core itself. The reason for this is that the cOS Core DHCP server does not send the specific option format that the client needs in order to accept the route. This is a known limitation in cOS Core and may be subject to change in the future. Using an MS DHCP server is a good workaround until then (note that the internal Clavister R&D ID for this issue is COP-15720).

Related articles