Options for Internet Access Through a Mobile VPN with L2TP Tunnel

When you configure Mobile VPN for your remote users, you must choose whether you want their general Internet traffic to go through the VPN tunnel, or to bypass the VPN tunnel. Your choice can affect your network security because Internet traffic that does not go through the tunnel is not filtered or encrypted.
In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.

Default-Route VPN

The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.

Split Tunnel VPN

Another configuration option is to enable split tunneling. This configuration enables users to browse the Internet without the need to send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.

The native VPN clients on Android and iOS devices do not support split tunneling.

Default-Route VPN Setup for Mobile VPN with L2TP

In Windows XP, Windows 7, and Mac OS X, the default setting for an L2TP connection is default-route. Your XTM device must be configured with dynamic NAT to receive the traffic from an L2TP user. Any policy that manages traffic going out to the Internet from behind the XTM device must be configured to allow the L2TP user traffic.

When you configure your default-route VPN:

Split Tunnel VPN Setup for Mobile VPN with L2TP

If your VPN client supports split tunneling, on the client computer, edit the L2TP connection properties to not send all traffic through the VPN.

To enable L2TP split tunneling in Windows 8:

  1. From the Windows 8 charm menu, select Settings.
  2. Select Network.
    The Connections list appears.
  3. In the Connection list, right click the VPN connection name.
  4. Click View connection properties.
    The VPN Properties dialog box appears.
  5. Select the Networking tab.
  6. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
  7. On the General tab, click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  8. On the IP Settings tab, clear the Use default gateway on remote network check box.

To enable L2TP split tunneling in Windows 7:

  1. Select Control Panel > Network and Internet > Connect to a network.
  2. Right click the L2TP VPN connection and select Properties.
    The VPN properties dialog box appears.
  3. Select the Networking tab.
  4. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
  5. Click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  6. On the IP Settings tab, clear the Use default gateway on remote network check box.

To enable L2TP split tunneling in Windows XP:

  1. Select Start > Control Panel > Network Connections.
  2. Right click the L2TP VPN connection and select Properties.
    The VPN properties dialog box appears.
  3. Select the Networking tab.
  4. Select Internet Protocol (TCP/IP) in the list and click Properties.
  5. Click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  6. On the General tab, clear the Use default gateway on remote network check box.

L2TP routing is defined by the client computer. If you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is in the /24 subnet of the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0 is not.
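The same tunnel-route choice that the Windows steps above make in the GUI can be audited and set from PowerShell. This is an added example and is not part of the WatchGuard page; it assumes Windows 8 or later (the VpnClient module) and a connection named "Office L2TP", which is a placeholder.

```powershell
# Added example, not from the WatchGuard documentation.
# Assumes Windows 8 or later and an existing L2TP connection whose
# name is "Office L2TP" (placeholder; substitute your connection name).
$ConnectionName = "Office L2TP"

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling $false means "Use default gateway on remote network" is
# selected (default-route VPN); $true means the check box is cleared
# (split tunnel VPN), so Internet traffic bypasses the XTM device.
if ($vpn.SplitTunneling) {
    Write-Host "$ConnectionName uses split tunneling: Internet traffic bypasses the XTM device."
} else {
    Write-Host "$ConnectionName uses default-route: all traffic goes through the tunnel."
}

# Equivalent of clearing the check box (split tunnel VPN):
#   Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
# Equivalent of selecting it again (the more secure default-route VPN):
#   Set-VpnConnection -Name $ConnectionName -SplitTunneling $false

# While the connection is up, confirm what the client actually routes
# through the tunnel. With split tunneling only the /24 of the assigned
# virtual IP should appear (10.0.1.0/24 for 10.0.1.225); with default-route
# a 0.0.0.0/0 route on the VPN interface should be present.
# Assumption: the RAS interface alias matches the connection name.
if ($vpn.ConnectionStatus -eq 'Connected') {
    Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $ConnectionName |
        Sort-Object RouteMetric |
        Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize
}
```

Run the script once before and once after changing the setting so the route table confirms that the dynamic NAT policy on the XTM device is actually receiving the remote user's Internet traffic in default-route mode.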

See Also

Add Network Dynamic NAT Rules
