Problem Description

We have a scenario where a Windows L2TP/IPsec client is connecting to a NetWall firewall. However, we do not want to send everything through the VPN interface,which is default behavior in Windows L2TP/IPsec implementation (this is sometimes referred to as ‘Split Tunneling’). This article discusses a way to at least partially achieve split tunneling, depending on the network that the client wants to reach. A limitation of the method is that the network used will depend on the IP address that the client is assigned. This limitation is discussed further in the solution section below.

Note: Apple Mac clients seem to behave in the same way as Windows clients when it comes to assuming and adding routes based on the IP address received from the IP Pool. This article will, however, only go into detail with the Windows client.

Problem Solution

It is possible to solve the problem by using “partial” split tunneling. We describe it as “partial” because we will use the behavior in Windows where it tries to estimate the size of the network based on the IP address that the client gets from the L2TP server. Examples of how Windows sets the route based on the IP are the following:

• If L2TP/IPsec client gets an IP address in the 192.168.x.x. range, Windows assumes a /24 network size.
• If L2TP/IPsec client gets an IP address in the 172.16.x.x range, Windows assumes a /16 network size.
• If L2TP/IPsec client gets an IP address in the 10.x.x.x range, Windows assumes a /8 network size.

We will assume that the L2TP/IPsec server is up and running using a standard setup. We will also assume that we have the corporate network setup illustrated by the following diagram:

What we want is that, depending on which client connects, they should only get access to Vlan_10 or Vlan_20’s network. All other traffic should use the client’s own internet connection and not be sent through the tunnel.

In this scenario we want Client-A to reach the Vlan_10 network only, and Client-B should only reach the vlan_20 network.

To accomplish this we need to give the two clients an IP address from the L2TP server that is part of the Vlan_10 and Vlan_20 network only. We accomplish this by giving each connecting client a static IP address in the network range they should have access to.

So Client-A will get an IP address in the 192.168.130.xx range and Client-B gets an IP in the 192.168.140.xx range. In this example we are using a local user database, so the option to do this can be found in the cOS Core WebUI under *System > Local User Database > database-name > user-name *

Note-1: This is also possible using Radius by setting a “Framed IP” on each user.
Note-2: The normal IP pool on the L2TP server can be used for normal users that do not use “split-tunneling”. They need to send everything into the tunnel though unless they want to reach the standard Pool network.
Note-3: We do not define any networks behind the user as that is something completely different and is not used in this scenario.

Once this is done we can configure the L2TP/IPsec client in Windows to NOT use the VPN tunnel for everything by removing the “Use Default Gateway On Remote Network” option on the VPN tunnel configuration.

Solution Limitations

1. The main limitation is that we can not use multiple networks. One network only can be used and that network is part of the IP pool we give to the client.
2. IP addresses needs to be reserved in the target network for the connecting clients.
3. The network size varies heavily depending on what kind of IP we give to the client. It is recommended to examine the size of the network Windows assigns by using the "route print" command in Windows after a client has connected.
4. Depending on if we want to allow reverse connections to the clients or not, we may have to enable ProxyARP or simply NAT the traffic to/from the target network.

Related articles