
Easy VPN hardware clients with VTI configured for no-split tunneling break with the default route pushed by the server


Core issue

This issue is seen with an Easy VPN client router connected to a server with a Virtual Tunnel Interface (VTI) and no-split tunneling configured.

If an Easy VPN client is configured with a static route to the Internet, it receives an additional static route out to the VPN when the VPN comes up. The client therefore ends up with two static routes. This breaks the VPN, because the client is unable to control which static route the traffic takes.


This is the correct and expected behavior. With no-split tunneling, all the traffic needs to be protected over the tunnel. Since VTI uses routing in order to decide which traffic must be protected, a default route needs to be installed in the case of no-split tunneling.

Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. The default route that is configured must have a metric value greater than 1. The route points to the virtual access interface, so that all traffic is directed to the corporate network when the concentrator does not "push" the split tunnel attribute.
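The following audit script is an added example, not part of the original document or any Cisco tooling. It scans saved `show running-config` text from an Easy VPN client that uses a virtual interface and reports static default routes whose value is not greater than 1. It assumes the "metric value" in the note is the optional trailing number on an `ip route` line (the administrative distance, which is 1 when omitted); the profile name and addresses are constructed placeholders.

```python
# Assumption: input is IOS "show running-config" text; VRF static routes are ignored.
ARG_KEYWORDS = {"tag", "track", "name"}  # route options whose next token is a value

def default_route_distance(line):
    """Distance of a global static default route line, or None if it is not one."""
    tokens = line.split()
    if tokens[:4] != ["ip", "route", "0.0.0.0", "0.0.0.0"]:
        return None
    distance, rest, i = 1, tokens[4:], 0  # a static route without a value uses 1
    while i < len(rest):
        if rest[i] in ARG_KEYWORDS:
            i += 2  # skip the keyword and its value
            continue
        if rest[i].isdigit():
            distance = int(rest[i])
        i += 1
    return distance

def uses_ezvpn_vti(config):
    """True if a 'crypto ipsec client ezvpn' block contains 'virtual-interface'."""
    in_block = False
    for raw in config.splitlines():
        if raw.startswith("crypto ipsec client ezvpn "):
            in_block = True
        elif raw and not raw.startswith(" "):
            in_block = False  # any other top-level line ends the block
        elif in_block and raw.strip().startswith("virtual-interface"):
            return True
    return False

def audit(config):
    """Default routes whose value is not greater than 1, as the note requires."""
    if not uses_ezvpn_vti(config):
        return []
    found = []
    for raw in config.splitlines():
        d = default_route_distance(raw.strip())
        if d is not None and d <= 1:
            found.append((raw.strip(), d))
    return found

# Constructed sample configs (names and addresses are placeholders).
EZVPN = "crypto ipsec client ezvpn EZ-EXAMPLE\n connect auto\n mode client\n peer 192.0.2.1\n virtual-interface 1\n!\n"
BAD = EZVPN + "ip route 0.0.0.0 0.0.0.0 198.51.100.1\n"
GOOD = EZVPN + "ip route 0.0.0.0 0.0.0.0 198.51.100.1 2\n"

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit(cfg) or "no conflicting default route")
```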

Refer to Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) for additional help.