Split tunneling with cOS Core L2TP/IPsec using an MS DHCP server

Last modified on 28 Mar, 2023. Revision 15
How to configure split tunneling in cOS Core L2TP/IPsec using an MS DHCP server
Up to date for: cOS Core 14.00.06
Supported since: cOS Core 9.x
Status: OK
Peter Nilsson


I’m using the Windows L2TP/IPsec client but I do not want to send everything through the VPN interface, which is the default behavior in the Windows L2TP/IPsec implementation.


When an L2TP/IPsec client connects to a NetWall firewall, it sends a DHCP Inform message over the L2TP connection to request that the server forward any additional DHCP options that may be configured. One of the options it requests is “Static Route”.

A solution in a few simple steps:

  1. Configure a DHCP Relay object in cOS Core that listens on the relevant L2TP Interface and forwards requests to the MS DHCP Server.
  2. Configure the DHCP Scope in Windows to only include the IP and subnet of the L2TP Interface and remove any unused options (for example DNS, router and so on).
  3. Add option 121 with the routes needed, with the IP of the L2TP Interface as the router IP.

Note that this solution has been tested by Clavister with both OS X and Windows clients.

Note: Some administrators may wonder why we cannot use a DHCP server that is set up in cOS Core itself. The reason for this is that the cOS Core DHCP server does not send the specific option format that the client needs in order to accept the route. This is a known limitation in cOS Core and may be subject to change in the future. Using an MS DHCP server is a good workaround until then (note that the internal Clavister R&D ID for this issue is COP-15720).
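DHCP option 121 (Classless Static Route) is defined in RFC 3442. The following added example, which is not Clavister's code, encodes and decodes that payload so the routes configured in step 3 can be checked against the option bytes seen in a packet capture. The router address 192.168.100.1 (standing in for the L2TP Interface IP) and the destination networks are constructed sample values.

```python
import ipaddress


def encode_option121(routes):
    """Encode (destination CIDR, router IP) pairs as an RFC 3442 payload."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)      # raises if host bits are set
        octets = (net.prefixlen + 7) // 8      # only significant octets are sent
        out.append(net.prefixlen)              # 1 byte: prefix length
        out += net.network_address.packed[:octets]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload):
    """Decode an option 121 payload into (destination CIDR, router IP) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i}")
        octets = (prefixlen + 7) // 8
        end = i + 1 + octets + 4               # descriptor + 4-byte router
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        # Pad the destination back to 4 bytes before parsing it.
        dest = payload[i + 1:i + 1 + octets] + bytes(4 - octets)
        net = ipaddress.IPv4Network((dest, prefixlen))
        router = ipaddress.IPv4Address(payload[end - 4:end])
        routes.append((str(net), str(router)))
        i = end
    return routes


# Constructed sample: two internal networks routed via the L2TP Interface IP.
L2TP_IF_IP = "192.168.100.1"                   # assumption, not from the article
SAMPLE_ROUTES = [("10.10.0.0/16", L2TP_IF_IP), ("172.16.5.0/24", L2TP_IF_IP)]

if __name__ == "__main__":
    payload = encode_option121(SAMPLE_ROUTES)
    print(payload.hex(" "))
    for dest, router in decode_option121(payload):
        print(f"{dest} via {router}")
```
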
