Split tunneling is a feature that you can use in order to define the subnets or hosts whose traffic must be encrypted. The client can use the Internet (browser) and the VPN connection in parallel. This involves the configuration of an Access Control List (ACL) that is associated with this feature. The traffic for the subnets or hosts that are defined in this ACL is encrypted over the tunnel from the client end, and the routes for these subnets are installed in the PC routing table.

Complete these steps in order to move from the Tunnel-all (default) configuration to the Split-tunnel configuration:

Navigate to Configuration > Remote Access VPN > Group Policies:

Click Edit, and use the navigation tree in order to navigate to Advanced > Split Tunneling. Uncheck the Inherit checkbox in the Policy section, and select Tunnel Network List Below from the drop-down menu:

Uncheck the Inherit checkbox in the Network List section, and click Manage in order to select the ACL that specifies the LAN network(s) to which the client needs access:

Click Standard ACL, then Add > Add ACL, and enter the ACL name:

Click Add ACE in order to add the rule:

Click OK.

Click Apply.

Once connected, the routes for the subnets or hosts on the split ACL are added to the routing table of the client machine. On Microsoft Windows machines, this can be viewed in the output of the route print command. The next hop for these routes will be an IP address from the client IP pool subnet (usually the first IP address of the subnet):

C:\Users\admin>route print
IPv4 Route Table
======================================================================
Active Routes:
 Network Destination      Netmask    Gateway      Interface    Metric
       0.0.0.0            0.0.0.0   10.106.44.1  10.106.44.243  261
    10.10.10.0      255.255.255.0    10.10.11.2  10.10.11.1     2   

!! This is the split tunnel route.

On macOS machines, enter the netstat -r command in order to view the PC routing table:

$ netstat -r
Routing tables
Internet:
Destination        Gateway            Flags Refs  Use  Netif Expire
default            hsrp-64-103-236-1. UGSc   34   0    en1
10.10.10/24        10.10.11.2         UGSc    0   44   utun1

!! This is the split tunnel route.
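The routing-table check described above can be automated. The following is an added example, not part of the original document or of any Cisco tooling: it parses constructed route print and netstat -r output modelled on the samples above, identifies routes whose next hop lies in the client IP pool (the tunnel routes), and reports which split-ACL networks received a route and which tunnel routes the ACL does not permit (a 0.0.0.0/0 route via the pool would mean the group policy is still tunnel-all). The split ACL 10.10.10.0/24 and the client pool 10.10.11.0/24 are assumed from the sample output.

```python
import ipaddress, re

# Constructed sample output, modelled on the page's route print / netstat -r examples.
WINDOWS_ROUTE_PRINT = """\
 Network Destination      Netmask    Gateway      Interface    Metric
       0.0.0.0            0.0.0.0   10.106.44.1  10.106.44.243  261
    10.10.10.0      255.255.255.0    10.10.11.2  10.10.11.1     2
"""
MAC_NETSTAT_R = """\
Destination        Gateway            Flags Refs  Use  Netif Expire
default            hsrp-64-103-236-1. UGSc   34   0    en1
10.10.10/24        10.10.11.2         UGSc    0   44   utun1
"""

def parse_windows_routes(text):
    """Yield (network, gateway) from Windows `route print` Active Routes lines."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m:
            yield ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]

def parse_mac_routes(text):
    """Yield (network, gateway) from macOS `netstat -r` lines; 'default' is 0.0.0.0/0."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or (not parts[0][0].isdigit() and parts[0] != "default"):
            continue
        if parts[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:  # netstat abbreviates trailing zero octets: "10.10.10/24"
            addr, _, plen = parts[0].partition("/")
            octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
            net = ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)
        yield net, parts[1]

def check_split_tunnel(routes, split_acl, client_pool):
    """Return (covered, unexpected): split-ACL networks that got a tunnel route, and
    tunnel routes (next hop inside the client pool) the ACL does not permit."""
    acl = [ipaddress.ip_network(n) for n in split_acl]
    pool = ipaddress.ip_network(client_pool)
    covered, unexpected = set(), []
    for net, gw in routes:
        try:
            via_tunnel = ipaddress.ip_address(gw) in pool
        except ValueError:          # hostname gateway: a physical-interface route
            via_tunnel = False
        if via_tunnel and any(net.subnet_of(a) for a in acl):
            covered.add(str(net))
        elif via_tunnel:             # e.g. 0.0.0.0/0 via the pool means tunnel-all
            unexpected.append(str(net))
    return sorted(covered), unexpected
```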