Internet Access Through a Mobile VPN with L2TP Tunnel

There are two ways a Mobile VPN with L2TP client can route traffic to the Internet:

Default-route (full tunnel)

Default-route is the most secure option because it routes all Internet traffic from a remote user through the VPN tunnel to the Firebox, which then sends the traffic back out to the Internet. With this configuration, the Firebox can examine all traffic and provide increased security. Be aware that this option requires more processing power and bandwidth.

Default-route is the default option for all mobile VPN types on the Firebox.

Split tunnel

The Firebox supports connections from Mobile VPN with L2TP clients configured for split tunneling. However, you must manually configure L2TP clients for split tunneling. For example, you must manually add routes on the client computer for each remote network that you require access to.

We do not provide customer support for split tunnel configurations on L2TP clients. See the documentation provided by your VPN client vendor.

If you require split tunneling, we recommend that you use Mobile VPN with SSL. For information about Mobile VPN with SSL and split tunneling, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.

Default-Route VPN Setup for Mobile VPN with L2TP

On most operating systems, the default setting for an L2TP connection is default-route (full tunnel). To determine whether your operating system uses default-route (full tunnel), verify the settings in your operating system. For mobile operating systems, you cannot disable this setting.
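The following PowerShell script is an added example, not part of the WatchGuard documentation, that checks whether a Windows L2TP VPN connection uses default-route (full tunnel), lists any client-side split-tunnel routes that were added manually, re-enables full tunneling, and, while connected, shows which interface holds the default route. The connection name "Corp-L2TP" is a hypothetical placeholder.

```powershell
# Added example (not from the WatchGuard documentation): audit a Windows L2TP VPN
# connection and confirm it uses default-route (full tunnel), as recommended above.
# Assumes a VPN connection named "Corp-L2TP" exists for the current user (hypothetical name).
$ConnectionName = 'Corp-L2TP'

# Get-VpnConnection exposes the tunnel type, the SplitTunneling flag and any
# routes added with Add-VpnConnectionRoute for the current user's VPN profile.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

if ($vpn.TunnelType -ne 'L2tp') {
    Write-Warning "$ConnectionName is a $($vpn.TunnelType) tunnel, not L2TP."
}

if ($vpn.SplitTunneling) {
    # Split tunneling is enabled: only the listed routes go through the tunnel,
    # so the Firebox cannot inspect the rest of the client's Internet traffic.
    Write-Warning "$ConnectionName uses split tunneling. Routes carried in the tunnel:"
    if ($vpn.Routes) {
        $vpn.Routes | Format-Table DestinationPrefix, RouteMetric -AutoSize
    } else {
        Write-Output '  (no client-side routes configured; only the VPN subnet is reachable)'
    }

    # Switch the profile back to default-route; Windows then installs 0.0.0.0/0
    # through the VPN adapter the next time the connection is established.
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $false
    Write-Output "Full tunnel (default-route) re-enabled for $ConnectionName."
} else {
    Write-Output "$ConnectionName already uses default-route (full tunnel)."
}

# While the VPN is connected, confirm that a default route exists on the VPN
# interface (its InterfaceAlias is the connection name) and compare metrics
# with the physical interface's default route.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($defaultRoutes | Where-Object InterfaceAlias -eq $ConnectionName) {
    Write-Output "Default route present on $ConnectionName (tunnel is carrying Internet traffic):"
    $defaultRoutes | Select-Object InterfaceAlias, NextHop, RouteMetric | Format-Table -AutoSize
} else {
    Write-Output "No default route on $ConnectionName; connect the VPN and run this check again."
}
```

Run the script from an elevated PowerShell session if the connection was created for all users (Get-VpnConnection -AllUserConnection), otherwise the per-user profile is audited.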

Your Firebox must be configured with dynamic NAT to receive the traffic from an L2TP user. Any policy that manages traffic going out to the Internet from behind the Firebox must be configured to allow the L2TP user traffic.

If you configure a default-route VPN:

  • Make sure that the IP addresses you have added to the L2TP address pool are included in your dynamic NAT configuration on the Firebox. This allows remote users to browse the Internet when they send all traffic to the Firebox.
    From Policy Manager, select Network > NAT.
  • Edit your policy configuration to allow connections from the L2TP-Users group through the external interface.
    For example, if you use WebBlocker to control web access, add the L2TP-Users group to the proxy policy that is configured with WebBlocker enabled.

Enable Full Tunneling (Default Route) in Windows

See Also

Mobile VPN with L2TP

Add Network Dynamic NAT Rules