I have configured an L2TP VPN (client-server) which works without problems for all users. However, I notice that all client traffic passes through the tunnel.
One way to avoid this in Windows is to change the configuration of the VPN network adapter so that it does not use the remote network's gateway, and then add static routes for the networks I want to reach.
My question is: is it possible for those routes to be added by default from the VPN server, and for them to be available only while the VPN is up?
The problem is that if I add them manually, then when this laptop is in the office it will not find the local networks.
In summary, I just want requests for the networks I need to go through the tunnel, and the rest to go out to the Internet.
You cannot push any routes from your VPN Server to your VPN client… Any route needed must be manually set between the Server and the Client…
However if your VPN is implemented right, you do not need any routes between the server and the client… The only part that you can’t skip is to remove the default gateway from the Windows machine.. other than that you should be able to reach everything…
Take a look at this example… Let's say I have an L2TP/IPsec server with address 10.10.10.1 and an L2TP/IPsec client connected to this server and assigned the address 10.10.10.2…
The L2TP/IPsec Server has a LAN subnet of 192.168.198.0/24 and I want to access the server with address e.g. 192.168.198.10…
So the only thing I will do from the server’s side is to add a dst-nat rule with in-interface the L2TP, dst-address e.g. 10.10.10.10 and dst-nat to-addresses 192.168.198.10.
So when the VPN client wants to open a remote session with the server, it will use the address 10.10.10.10 and will then be dst-nated to the server’s address 192.168.198.10…
No routes were added…They are not needed…
If you add these routes with gateway IP 0.0.0.0 and state the IF parameter as the number of the VPN interface, they become active only when the VPN interface is up, and it doesn’t matter what IP address the server side assigns to the Windows machine or what IP it uses on its end of the tunnel. And if you add the routes with a -p parameter, they survive a reboot, so you can add them once and forget about them.
Other than that, the Windows embedded VPN client systematically uses a DHCPINFORM message, asking the server for an Option 249 carrying a route list. After years of completely ignoring that, Mikrotik started to support this feature, but only for the IKEv2 VPN, where the list of subnets configured in the split-include parameter of an /ip ipsec mode-config item is used to form the Option 249 contents.
The Windows embedded client can only interwork with Mikrotik on IKEv2 if used with certificate-based authentication, and to date the certificate must be a machine one - user certificates are not supported (yet, according to Mikrotik). But if none of these is a limitation for you, it has a significant advantage over L2TP/IPsec, as it doesn’t suffer from the problem of multiple clients behind a common NAT, which complicates larger deployments of L2TP/IPsec VPNs.
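As an added example (not from any post in this thread), here is the route approach described above expressed as PowerShell commands run on the Windows client. The connection name "OfficeVPN" is a placeholder; the remote LAN 192.168.198.0/24 is the subnet used earlier in the thread. Run from an elevated prompt.

```powershell
# Added example, not from the original thread: split tunnelling on the Windows
# client side with interface-bound persistent routes.
# Assumptions: the VPN connection is named "OfficeVPN" (placeholder) and the
# office LAN is 192.168.198.0/24 (the subnet used in the thread). Run elevated.

$VpnName    = 'OfficeVPN'                            # assumed connection name
$RemoteNets = @('192.168.198.0/255.255.255.0')       # network/mask pairs to send over the tunnel

# 1. Stop the VPN from becoming the default gateway. This is the PowerShell
#    equivalent of unticking "Use default gateway on remote network" in the
#    adapter's TCP/IPv4 settings (add -AllUserConnection for a machine-wide entry).
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# 2. The interface index is only visible while the tunnel is up, so connect
#    first (rasdial uses the credentials saved with the connection; the GUI works too).
rasdial $VpnName | Out-Null
$IfIndex = (Get-NetAdapter -Name $VpnName -ErrorAction Stop).ifIndex

# 3. Add the routes. Gateway 0.0.0.0 plus the IF number binds each route to the
#    tunnel interface, so it is active only while that interface is up, whatever
#    address the server hands out; -p stores it so it survives a reboot.
foreach ($Net in $RemoteNets) {
    $Dest, $Mask = $Net -split '/'
    route -p add $Dest mask $Mask 0.0.0.0 if $IfIndex
}

# 4. Verify: the office prefixes should sit on the VPN interface, and there
#    must be no 0.0.0.0/0 entry on it (that would mean step 1 did not apply).
Get-NetRoute -InterfaceIndex $IfIndex -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

When the laptop is back in the office and the VPN is disconnected, the interface is absent, so the stored routes stay inactive and the local LAN is reached directly, which is the behaviour the question asks for.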
If you add these routes with gateway IP 0.0.0.0 and state the IF parameter as the number of the VPN interface, they become active only when the VPN interface is up, and it doesn’t matter what IP address the server side assigns to the Windows machine or what IP it uses on its end of the tunnel. And if you add the routes with a -p parameter, they survive a reboot, so you can add them once and forget about them.
That recursive persistent route would only be helpful in case the client is assigned an address that is different from the subnet we want to reach…
Also I do not like the idea of persistent routes… And those routes are certainly not a must and they can be avoided…
So, @abonilla4, you do not really need a route for every network you want to reach…
If you want to reach e.g. 5 networks you will have to add 5 routes on the computer, and when something changes you will have to edit the routing table of your client’s computer… Which is not really time-effective to me…
You can have the whole control from your Mikrotik…