Partial split tunnelling using Windows L2TP/IPsec.

Security Gateway Articles and How to's
Peter


Post by Peter » 02 Dec 2014, 16:39

This How-to applies to:
  • Clavister Security Gateway 10.x and up.
Description:

I'm using the Windows L2TP/IPsec solution, but I do not want to send everything through the VPN interface, which is the default behaviour of the Windows L2TP/IPsec implementation.

Update: Further testing has shown that Macintosh systems seem to behave in exactly the same way when it comes to assuming and adding routes based on the IP address received from the IP pool.

Solution:

This can be solved with "partial" split tunnelling. We say partial because we rely on a behaviour in Windows: when the tunnel is not used as the default gateway, Windows estimates the size of the remote network from the IP address the client receives from the L2TP server, using that address's classful mask (determined by the first octet alone, not by any subnet mask the server may have in mind). Examples of how Windows sets the route based on the assigned IP:

If the L2TP/IPsec client gets an IP address in the 192.168.x.x range (class C, first octet 192-223), Windows assumes a /24 network and adds a route for 192.168.x.0/24.
If the L2TP/IPsec client gets an IP address in the 172.16.x.x range (class B, first octet 128-191), Windows assumes a /16 network and adds a route for 172.16.0.0/16.
If the L2TP/IPsec client gets an IP address in the 10.x.x.x range (class A, first octet 1-126), Windows assumes a /8 network and adds a route for 10.0.0.0/8.

We assume that you already have an L2TP/IPsec server up and running; if not, please consult either the manual or one of the How-To articles related to L2TP/IPsec, such as this one:

viewtopic.php?f=8&t=4491

Let's say we have a corporate network that looks like this:


Vlan_10 (192.168.130.0/24)---Switch---Clavister---Internet---Client-A
Vlan_20 (192.168.140.0/24)-----|                     |-------Client-B

What we want here is that, depending on which client connects, it should only get access to the Vlan_10 or the Vlan_20 network. All other traffic should use the client's own Internet connection and not be sent through the tunnel.

In this scenario we want Client-A to reach the Vlan_10 network only, and Client-B to reach the Vlan_20 network only.

To accomplish this we need the L2TP server to hand out an IP address that belongs to the Vlan_10 network to Client-A and one that belongs to the Vlan_20 network to Client-B. We do this by giving each connecting user a static IP address inside the network that user should have access to; the classful route Windows derives from that address then covers exactly that /24.

So Client-A gets an IP address in the 192.168.130.xx range and Client-B gets one in the 192.168.140.xx range. In this example we are using a local user database, so the option to set this can be found under System->Local User Database->YourDatabase->YourUser.
Static_Client_IP.png
Note-1: This is possible with RADIUS as well, by setting a "Framed IP" (Framed-IP-Address) attribute on each user.
Note-2: The normal IP pool on the L2TP server can still be used for users who do not need split tunnelling. Those users have to send everything into the tunnel, though, unless all they need to reach is the classful network that contains the pool.
Note-3: We do not define any "networks behind the user" here. That option is for routing a whole network that sits behind the client (a remote site) into the tunnel, which is a completely different scenario and should not be used in this one.

Once this is done, configure the L2TP/IPsec client in Windows to NOT send everything into the VPN tunnel by clearing the "Use default gateway on remote network" option in the tunnel's TCP/IPv4 advanced settings. On Windows 7 and later the same dialog also has a "Disable class based route addition" checkbox; it must stay unchecked, because the class-based route is exactly what this method relies on.
L2TP_UseDefaultGateway.png
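
The client-side steps above in one script, as an added PowerShell example that is not part of the original post: it creates the L2TP/IPsec connection with the default-gateway option already cleared (-SplitTunneling is the cmdlet equivalent of the checkbox), dials it, and then performs the route check that Limitation 3 below recommends, comparing the classful route Windows derived from the assigned address with the VLAN the user is supposed to reach. The connection name, server address, pre-shared key and credentials are assumptions (placeholders); the target network is Vlan_10 from the diagram above. The VpnClient and NetTCPIP cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Assumed values are marked.
$ConnName  = 'Corp-L2TP'            # assumed connection name (also the interface alias)
$Server    = 'vpn.example.com'      # assumed gateway address (placeholder)
$Psk       = 'replace-with-psk'     # assumed pre-shared key
$User      = 'client-a'             # assumed user in the gateway's local user database
$Password  = 'client-a-password'    # assumed password
$TargetNet = '192.168.130.0/24'     # Vlan_10: the only network Client-A should reach

# Returns the classful network Windows derives from an assigned IPv4 address
# when the tunnel is not the default gateway (first octet decides the mask).
function Get-ClassfulRoute {
    param([Parameter(Mandatory)][string]$IPAddress)
    $o = $IPAddress.Split('.') | ForEach-Object { [int]$_ }
    switch ($o[0]) {
        { $_ -lt 128 } { return ('{0}.0.0.0/8'        -f $o[0]) }               # class A
        { $_ -lt 192 } { return ('{0}.{1}.0.0/16'     -f $o[0], $o[1]) }        # class B
        default        { return ('{0}.{1}.{2}.0/24'   -f $o[0], $o[1], $o[2]) } # class C
    }
}

# 1. (Re)create the connection. -SplitTunneling $true clears
#    "Use default gateway on remote network" for this entry.
Remove-VpnConnection -Name $ConnName -Force -ErrorAction SilentlyContinue
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling $true -RememberCredential -Force

# 2. Dial it with the user that has the static IP configured on the gateway.
rasdial $ConnName $User $Password

# 3. Read the address the gateway assigned and the routes Windows added for the tunnel.
$vpnIp    = (Get-NetIPAddress -InterfaceAlias $ConnName -AddressFamily IPv4).IPAddress
$expected = Get-ClassfulRoute -IPAddress $vpnIp
$routes   = Get-NetRoute -InterfaceAlias $ConnName -AddressFamily IPv4 |
            Select-Object DestinationPrefix, NextHop, RouteMetric

"Assigned address : $vpnIp"
"Classful route   : $expected"
$routes | Format-Table -AutoSize

# 4. Checks: no default route may point into the tunnel (that would be full
#    tunnelling), and the classful route must be exactly the target VLAN.
if ($routes.DestinationPrefix -contains '0.0.0.0/0') {
    Write-Warning "Default route goes via $ConnName - 'Use default gateway on remote network' is still enabled."
}
if ($expected -ne $TargetNet) {
    Write-Warning "Windows routes $expected into the tunnel, not $TargetNet. Check the static IP assigned to user '$User' on the gateway."
}
```

Run it from an elevated PowerShell session. With a static address in 192.168.130.xx the function returns 192.168.130.0/24 and both checks pass; had the gateway handed out 172.16.5.10 instead, Get-ClassfulRoute would return 172.16.0.0/16 and the second warning would fire, which is the oversized route Limitation 3 warns about.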
Limitations:

1. The primary limitation is that only one network can be reached through the tunnel: the classful network that contains the IP address given to the client. Multiple networks per client are not possible with this method.
2. IP addresses need to be reserved in the target network for the connecting clients (excluded from any DHCP scope there and not used by any host), since each client occupies a real address in that VLAN.
3. The size of the route Windows adds depends only on the first octet of the assigned IP, not on the real subnet mask: an address from 172.16.x.x pulls the whole 172.16.0.0/16 into the tunnel and one from 10.x.x.x the whole 10.0.0.0/8. It is recommended that you check the route Windows actually added with the "route print" command after a client has connected.
4. The client's address lies inside the VLAN subnet but is reachable only via the Clavister's L2TP interface, so hosts on the VLAN will ARP for it locally and get no answer. Depending on whether you want to allow reverse connections to the clients or not, you either have to enable Proxy ARP for the L2TP client addresses on the VLAN interface, or simply NAT the traffic to/from the target network.
