Options for Internet Access Through a Mobile VPN with L2TP Tunnel

When you configure Mobile VPN for your remote users, you must choose whether you want their general Internet traffic to go through the VPN tunnel or to bypass it. Your choice affects your network security because Internet traffic that does not go through the tunnel is neither filtered by the Firebox policies nor encrypted.
In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.

Default-Route VPN

The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the Firebox is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the Firebox.

Split Tunnel VPN

Another configuration option is to enable split tunneling. This configuration enables users to browse the Internet without the need to send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.

The native VPN clients on Android and iOS devices do not support split tunneling.

Default-Route VPN Setup for Mobile VPN with L2TP

In Windows XP, Windows 7, and Mac OS X, the default setting for an L2TP connection is default-route. Your Firebox must be configured with dynamic NAT to receive the traffic from an L2TP user. Any policy that manages traffic going out to the Internet from behind the Firebox must be configured to allow the L2TP user traffic.

When you configure your default-route VPN:

  • Make sure that the IP addresses you have added to the L2TP address pool are included in your dynamic NAT configuration on the Firebox.
    From Policy Manager, select Network > NAT.
  • Edit your policy configuration to allow connections from the L2TP-Users group through the external interface.
    For example, if you use WebBlocker to control web access, add the L2TP-Users group to the proxy policy that is configured with WebBlocker enabled.

Split Tunnel VPN Setup for Mobile VPN with L2TP

If your VPN client supports split tunneling, on the client computer, edit the L2TP connection properties to not send all traffic through the VPN.

For Windows 10 you must use Windows PowerShell to edit the L2TP VPN connection:

  1. In the Windows search bar, type powershell.
  2. In the search results, select Windows PowerShell.
    The PowerShell command interface window appears.
  3. To see the list of VPNs, type this command: get-vpnconnection
    The configuration of all available Windows VPNs appears in the PowerShell window.
  4. Identify the name of the L2TP mobile VPN connection you want to change, for example My Mobile VPN.
  5. To enable split tunneling for this VPN connection, type:
    Set-VpnConnection -Name "My Mobile VPN" -SplitTunneling $true
  6. To disable split tunneling for this VPN connection, type:
    Set-VpnConnection -Name "My Mobile VPN" -SplitTunneling $false
  7. To exit PowerShell, type exit.
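The following script is an added example, not part of the original documentation or a WatchGuard tool. It performs the same procedure as the steps above in one pass: it lists the Windows VPN connections, applies the split-tunneling setting to a named L2TP connection, and reads the connection back to confirm that the setting took effect. The connection name "My Mobile VPN" is the example name from the procedure; the `$SplitTunneling` default of `$false` (default-route) is an assumption chosen because it is the more secure option.

```powershell
# Added example: set and verify split tunneling on a named L2TP connection.
# "My Mobile VPN" is the example connection name used in the procedure above.
param(
    [string]$ConnectionName = "My Mobile VPN",
    [bool]$SplitTunneling = $false   # $false = default-route: all traffic goes through the tunnel
)

# Step 3 of the procedure: show every Windows VPN connection and the properties that matter here.
Get-VpnConnection |
    Select-Object Name, TunnelType, ConnectionStatus, SplitTunneling |
    Format-Table -AutoSize

# Fail clearly if the named connection does not exist instead of silently changing nothing.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# The procedure is written for L2TP; warn if this connection uses another tunnel type.
if ($vpn.TunnelType -ne 'L2tp') {
    Write-Warning "'$ConnectionName' is a $($vpn.TunnelType) connection, not L2TP."
}

# Steps 5/6: apply the setting. -PassThru returns the updated connection object.
$updated = Set-VpnConnection -Name $ConnectionName -SplitTunneling $SplitTunneling -PassThru

# Verify rather than assume: the stored value must match what was requested.
if ($updated.SplitTunneling -ne $SplitTunneling) {
    throw "Split tunneling on '$ConnectionName' is still $($updated.SplitTunneling)."
}

if ($updated.SplitTunneling) {
    "Split tunnel: only destinations that match a VPN route on this client are tunneled; Firebox policies do not see the rest of the Internet traffic."
} else {
    "Default-route: all traffic is sent through the tunnel to the Firebox (the L2TP address pool must be covered by dynamic NAT)."
}
```

Run the script from an elevated PowerShell window with `-SplitTunneling $true` or `$false`. If the connection is currently up, disconnect and reconnect so the client rebuilds its routes with the new setting.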

To enable L2TP split tunneling in Windows 8:

  1. From the Windows 8 charm menu, select Settings.
  2. Select Network.
    The Connections list appears.
  3. In the Connections list, right-click the VPN connection name.
  4. Click View connection properties.
    The VPN Properties dialog box appears.
  5. Select the Networking tab.
  6. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
  7. On the General tab, click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  8. On the IP Settings tab, clear the Use default gateway on remote network check box.

To enable L2TP split tunneling in Windows 7:

  1. Select Control Panel > Network and Internet > Connect to a network.
  2. Right-click the L2TP VPN connection and select Properties.
    The VPN properties dialog box appears.
  3. Select the Networking tab.
  4. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
  5. Click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  6. On the IP Settings tab, clear the Use default gateway on remote network check box.

To enable L2TP split tunneling in Windows XP:

  1. Select Start > Control Panel > Network Connections.
  2. Right-click the L2TP VPN connection and select Properties.
    The VPN properties dialog box appears.
  3. Select the Networking tab.
  4. Select Internet Protocol (TCP/IP) in the list and click Properties.
  5. Click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  6. On the General tab, clear the Use default gateway on remote network check box.

About L2TP Routes

L2TP routes are defined by the client computer. If you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination matches a route through the VPN on the client computer.

Most client computers set the route based on the apparent subnet class of the virtual IP address. For example, a virtual IP address of 10.0.10.25 is part of the RFC-1918 standard class A subnet 10.0.0.0/8, so the client creates a route to that entire subnet for the VPN connection. This client behavior could vary based on the computer OS and OS version.
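The following functions are an added example, not part of the original documentation. `Get-ClassfulNetwork` derives the classful network that a client following the behavior described above would route through the tunnel for a given virtual IP address (the text's example, 10.0.10.25, yields 10.0.0.0/8). `Test-VpnRoutePresent` then checks the local routing table to confirm whether that route actually exists on the client while it is connected, which is how a practitioner verifies what a split-tunnel client will and will not send to the Firebox. It assumes that Windows names the VPN interface after the connection, so the interface alias equals the connection name "My Mobile VPN".

```powershell
# Added example: compute the classful route a split-tunnel L2TP client would add
# for its virtual IP address, and check whether that route is present locally.

function Get-ClassfulNetwork {
    param([Parameter(Mandatory)][string]$IPv4Address)

    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()

    # Classful prefix length is decided by the first octet: A = /8, B = /16, C = /24.
    if ($octets[0] -lt 128)     { $prefix = 8 }
    elseif ($octets[0] -lt 192) { $prefix = 16 }
    elseif ($octets[0] -lt 224) { $prefix = 24 }
    else { throw "$IPv4Address is not a class A, B or C unicast address." }

    # Keep the network octets and zero the host octets to get the network address.
    $keep = $prefix / 8
    $net = for ($i = 0; $i -lt 4; $i++) { if ($i -lt $keep) { $octets[$i] } else { 0 } }
    return "$($net -join '.')/$prefix"
}

function Test-VpnRoutePresent {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [Parameter(Mandatory)][string]$DestinationPrefix
    )
    # Assumption: while connected, the VPN interface alias equals the connection name.
    # Get-NetRoute lists the IPv4 routing table entries bound to that interface.
    $routes = Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue
    return [bool]($routes | Where-Object DestinationPrefix -eq $DestinationPrefix)
}

# Constructed sample virtual IPs, one per class, to show the route each would produce.
foreach ($vip in '10.0.10.25', '172.16.5.7', '192.168.1.9') {
    "{0,-14} -> {1}" -f $vip, (Get-ClassfulNetwork -IPv4Address $vip)
}

# While connected to the VPN, confirm the classful route was installed for the assigned virtual IP.
$vpnName = 'My Mobile VPN'
$assigned = Get-NetIPAddress -InterfaceAlias $vpnName -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($assigned) {
    $expected = Get-ClassfulNetwork -IPv4Address $assigned.IPAddress
    "Route $expected present on '$vpnName': $(Test-VpnRoutePresent -ConnectionName $vpnName -DestinationPrefix $expected)"
} else {
    "'$vpnName' is not connected; no virtual IP to check."
}
```

If `Test-VpnRoutePresent` returns `False` for the expected network, or the network is narrower than the resources users must reach, traffic to those resources leaves the client unencrypted and unfiltered, which is the risk the section above describes. Because the client decides these routes, check the result on each OS and OS version you support rather than relying on the classful assumption.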

See Also

Add Network Dynamic NAT Rules
