Configuring Split tunneling in L2TP/IPSec using an MS DHCP server


Post by Peter » 11 Mar 2016, 11:43

This How-to applies to:
  • Clavister Security Gateway 9.x and up.

I'm using the Windows L2TP/IPsec solution but I do not want to send everything through the VPN interface, which is the default behavior in the Windows L2TP/IPsec implementation.


When an L2TP/IPsec client connects, it sends a DHCP INFORM inside the L2TP connection, requesting that the server forward any additional DHCP options that may be configured. One of the options it requests is Static Route (option 121).

Solution in a few simple steps:
  1. Configure a DHCP Relay listening on the L2TP Interface that forwards the request to an MS DHCP Server.
  2. Configure the DHCP Scope in Windows to only include the IP and subnet of the L2TP Interface and remove any unused options (e.g. DNS, router, and so on).
  3. Add option 121 with the routes needed, using the IP of the L2TP Interface as the router IP.
This solution has been tested on both OS X and Windows clients.

Note: Some users may wonder why we cannot use the DHCP server in cOS Core itself. The reason is that our DHCP server does not send the specific option format the client needs in order to accept the route. This is a known limitation and may be subject to change in the future; using an MS DHCP server is a fairly good workaround until then. The developer ID for this issue is COP-15720.
