KB ID 0000997
Problem
I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.
What I discovered was, unlike the firewall VPN’s I’m used to, you DONT set split tunneling up on the VPN device, you set it up on the client, (and its a bit clunky – sorry!)
Solution
1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.
2. Untick “Use default gateway on remote network” > OK > OK > OK.
BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;
“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”
I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.
3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works, (hooray!) But you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem, lets take a look at what IP address I’m getting from the VPN Device.
Above you can see Ive got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual, yours may be the same or you may have a default gateway as well).
4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway is my gateway is may actual IP address (again this is not unusual, In my case I need to remember 192.168.2.207, if you have a different gateway listed thats the one you need to take notice of).
5. Run a command window (as administrator) and issue a ‘route add‘, command like below.
Note: -P Adds the route persistently (will remain after a reboot). The network you are trying to get to will probably be a different network, to the network IP you are being leased to you by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.
6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.
Note: I’m not adding my route as persistent!
Related Articles, References, Credits, or External Links
Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients