When you configure Mobile VPN for your remote users, you must choose whether you want their general Internet traffic to go through the VPN tunnel, or to bypass the VPN tunnel. Your choice can affect your network security because Internet traffic that does not go through the tunnel is not filtered or encrypted.
In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.
Another configuration option is to enable split tunneling. This configuration enables users to browse the Internet without the need to send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.
The native VPN clients on Android and iOS devices do not support split tunneling.
In Windows XP, Windows 7, and Mac OS X, the default setting for an L2TP connection is default-route. Your XTM device must be configured with dynamic NAT to receive the traffic from an L2TP user. Any policy that manages traffic going out to the Internet from behind the XTM device must be configured to allow the L2TP user traffic.
When you configure your default-route VPN:
If your VPN client supports split tunneling, on the client computer, edit the L2TP connection properties to not send all traffic through the VPN.
To enable L2TP split tunneling in Windows 8:
To enable L2TP split tunneling in Windows 7:
To enable L2TP split tunneling in Windows XP:
L2TP routing is defined by the client computer. If you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is in the /24 subnet of the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0 is not.
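The client-side routing rule described above, modelled as an added example (not WatchGuard code): under default-route VPN everything enters the tunnel, while under split tunneling only the client's own /24 does, so any corporate subnet outside that /24 is reached over the local Internet connection unencrypted and unfiltered. The corporate subnet list is constructed sample data.

```python
import ipaddress
from typing import Iterable, List


def client_tunnel_network(virtual_ip: str) -> ipaddress.IPv4Network:
    """Return the /24 an L2TP client treats as the remote network when
    'Use default gateway on remote network' is cleared (split tunnel)."""
    return ipaddress.ip_network(f"{virtual_ip}/24", strict=False)


def route_for(virtual_ip: str, destination: str, default_route: bool) -> str:
    """Decide where the client sends one packet.

    default_route=True  -> default-route VPN: all traffic enters the tunnel
                           and is inspected by the XTM device.
    default_route=False -> split tunnel: only the client's /24 enters the
                           tunnel; everything else uses the local Internet
                           connection and bypasses the firewall policies.
    """
    if default_route:
        return "tunnel"
    dst = ipaddress.ip_address(destination)
    return "tunnel" if dst in client_tunnel_network(virtual_ip) else "local-internet"


def not_tunneled(virtual_ip: str, corporate_networks: Iterable[str]) -> List[str]:
    """List corporate subnets that a split-tunnel client would NOT send
    through the tunnel, because the client only tunnels its own /24.
    Traffic to these subnets leaves unencrypted via the local gateway."""
    tunneled = client_tunnel_network(virtual_ip)
    return [
        str(net)
        for net in (ipaddress.ip_network(n, strict=False) for n in corporate_networks)
        if not net.subnet_of(tunneled)
    ]


if __name__ == "__main__":
    vip = "10.0.1.225"                       # virtual IP from the page's example
    corp = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]  # constructed sample
    for dst in ("10.0.1.10", "10.0.2.5", "203.0.113.7"):
        print(dst, "split:", route_for(vip, dst, False),
              "default-route:", route_for(vip, dst, True))
    print("Corporate subnets bypassing the tunnel under split tunneling:",
          not_tunneled(vip, corp))
```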
Add Network Dynamic NAT Rules