Hello Cisco community!    I got a 1921 with a security license applied, i'm trying to create a Remote Access VPN using Split Tunneling, I have configured an L2TP/IPsec connection on a 5506X but I have never configured one on a router. I've seen a few Cisco documents about creating L2TP or IPsec VPNs and I am successful in those configurations, being able to connect to the VPN and access local shares but I am unable to get to the internet. It appears the client is not getting a default gateway or possibly there is a routing or ACL issue, but i'm not having any luck determining what is a miss. When connected to the VPN using the config below I am able to ping a resource, reply IP shows as coming from my public IP. I am able to ping my public IP, reply IP shows as coming from my public IP. I am not able to ping google or navigate to the IP address of a public web server. Any help would be grateful.   The Cisco links i have used for configuring either IPsec or L2TP/IPsec IPsec:  https://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html L2TP/IPsec:  https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/3886-l2tp-3886.html#iosforl2tp   hostname R1921 ! boot-start-marker boot-end-marker ! ! enable secret 5 # ! aaa new-model ! ! aaa authentication login default local aaa authentication login userauthen local aaa authorization network default local aaa authorization network groupauthor local ! ! ! ! ! aaa session-id common ! ! no ipv6 cef ip source-route ip cef ! ! ! ! ! ip domain name DOMAIN.LOCAL ! multilink bundle-name authenticated ! crypto pki token default removal timeout 0 ! ! license udi pid CISCO1921/K9 sn FHK14397471 license boot module c1900 technology-package securityk9 ! ! username user1 password 7 # ! redundancy ! crypto ikev2 policy 10 ! Policy Incomplete(should have atleast one complete proposal attached) ! ! ! ip ssh version 2 ! ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 lifetime 3600 ! crypto isakmp client configuration group vpnclient key cisco123 dns 4.2.2.2 domain DOMAIN.LOCAL pool VPN_IPPOOL ! ! crypto ipsec transform-set myset esp-3des esp-md5-hmac ! crypto dynamic-map dynmap 10 set transform-set myset reverse-route ! ! ! crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic dynmap ! ! ! ! ! ! interface Loopback0 description VPN_GATEWAY ip address 172.16.17.1 255.255.255.0 ip nat inside ip virtual-reassembly in ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description ISP ip address dhcp ip nat outside ip virtual-reassembly in ip policy route-map VPN-CLIENT duplex auto speed auto crypto map clientmap ! interface GigabitEthernet0/1 description INSIDE ip address 172.16.16.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! ip local pool VPN_IPPOOL 192.168.1.1 192.168.1.50 ip forward-protocol nd ! ip http server ip http secure-server ! ip nat inside source list NAT interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 ###.###.###.### 254 ! ip access-list extended NAT permit ip any any ! logging trap debugging access-list 144 permit ip 192.168.1.0 0.0.0.255 any access-list 144 permit ip 172.16.16.0 0.0.0.255 any ! ! ! ! route-map VPN-Client permit 10 match ip address 144 set ip next-hop 172.16.17.1 ! ! ! ! ! control-plane ! ! alias exec srb show run | b alias exec sib show ip int brief ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 exec-timeout 0 0 logging synchronous transport input ssh line vty 5 15 exec-timeout 0 0 logging synchronous transport input ssh ! scheduler allocate 20000 1000 end ... View more