Client VPN split tunneling?
Hello,
Is it possible for a Client VPN user to use split tunneling with their connection to an MX device?
Thanks, Jon
Hi Jon,
It is possible through the settings on the VPN connection on the client side.
In Windows the setting is unchecking "Use default gateway on remote network".
In Mac the setting is unchecking "Send all traffic over VPN connection".
https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN
However, when you uncheck this, the VPN client will only want to route traffic destined for the Client VPN subnet to the MX. This means you'll need to set up static routes on the VPN client for other subnets you want to go over the VPN tunnel.
In Windows:
route ADD 192.168.35.0 MASK 255.255.255.0 192.168.0.2
route ADD (SUBNET) MASK (SUBNET MASK) (GATEWAY)
In Mac:
route -n add 192.168.35.0/24 192.168.0.2
route -n add (SUBNET)/(MASK) (GATEWAY)
Found the answer myself. Look here.
https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN
Thanks for this information. Is there any configuration document for Client VPN split tunneling on Android, iPhone or other smartphones?
Or can you recommend any app to do this split tunneling?
Also interested in this. I require split tunnel functionality on Android.
I find this not very satisfying, as I don't want to manually enroll routes on every single client, regardless of whether it is possible by scripting or not.
Will there be a solution for the routes to be pushed by the VPN DHCP server via L2TP? It should be possible with DHCP option 121 / 249.
Would using a 3rd party DNS service like Google Cloud DNS solve this? https://cloud.google.com/dns/
When connecting to the VPN you need a local DHCP server issuing an IP and, via DHCP options, pushing the routes that are activated in the Meraki dashboard, so that split tunnelling is possible. I don't see how a cloud-based DNS would help in that case?
That's what I thought too, but reading further into Google Cloud DNS, it says this:
When to use Cloud DNS
DNS is a hierarchical distributed database that lets you store IP addresses and other data, and look them up by name. Google Cloud DNS lets you publish your zones and records in the DNS without the burden of managing your own DNS servers and software.
It also mentions split-horizon DNS and lists the ability to manage domain resolution to a public IP and domain resolution to an internal (private) IP.
Link: https://cloud.google.com/dns/docs/overview
That sure is a nice feature for certain cases, but DNS resolution is not the problem with split tunneling; the static routing is. As long as the client doesn't know that, for example, 172.0.0.0/8 should go through the tunnel (which Meraki advises to put manually in the routing table of the client), it will try to use the standard interface and not the VPN device, and thus fail to reach the host within the 172.0.0.0/8 network.
One sure can activate the VPN device to be the standard gateway, but then ALL traffic will go through the VPN, which (for us) is not desirable. We only want to have business traffic going through the VPN tunnel and the rest of the (private) traffic going through the user's private connection.
Hey DSchn, ahh, so cloud DNS won't work then. So, to achieve split tunnels for local and public domain routing with Meraki equipment, you either have to have your own on-prem DNS server or make the DNS settings manually on the clients?
DNS doesn't have anything to do with the VPN at all, at least not regarding split tunneling/routing.
Can we automate the routes that need to be added on the client station and push them from Meraki?
>Can we automate the routes that need to be added on the client station and push them from Meraki?
Push from Meraki, no.
Automate via AD group policy, yes.
Annoyingly, this functionality is actually natively available in Windows, but it is not exposed in the GUI.
I have put up a web page on how to configure this with PowerShell. The advantage of this is that the settings "stick" and you don't need to manipulate the route table.
PhilipDAth,
Thanks for the link. I'm using the VPN setup script and it is working great.
Questions:
1) If I use Meraki cloud authentication, do I need the -DNSSuffix "[insert domain name]"? What is this for?
2) Meraki's documentation says to select "Require encryption (disconnect if server declines)". Your script uses -EncryptionLevel Optional. If I change it to -EncryptionLevel Required, I get an error saying:
The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.
Should I be worried about using the Optional encryption level?
Thanks, Jon1
>If I use Meraki cloud authentication, do I need the -DNSSuffix "[insert domain name]"? What is this for?
If you go "ping host", Windows will append the DNS suffix to the host name to form an FQDN. If you are using Active Directory and want to be able to access hosts using just their name, then you'll need this. Otherwise you won't need it.
>2) Meraki's documentation says to select "Require encryption
An IPsec VPN is brought up first, and then L2TP runs over it. Everything is encrypted, regardless of the option chosen.
The PowerShell script is working on Windows 10 machines. Win 7 doesn't recognize the Add-VpnConnection command. Do I need to add a module to PowerShell? I am running as Administrator. Or is there a different script for Win 7 machines?
Thanks, jon1
You might need to update the version of PowerShell you are using, or the OS. 🙂
This is fantastic, thanks so much.
So, every time we need new routes, we need to run a new script. This does not seem feasible for end users who are not very technically sound.
Is there any development so that the routes can be pushed from Meraki?
>So, every time we need new routes, we need to run a new script.
Yes. Hence why many people deploy this via group policy. Then you can update all the user machines easily.
You should use the PowerShell command Add-VpnConnectionRoute.
If you add a bunch of VpnConnectionRoutes to an already defined VpnConnection, those routes will only be added when the VPN is dialed.
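Putting the PowerShell approach from the replies above (a split-tunnel Add-VpnConnection plus Add-VpnConnectionRoute) into one re-runnable script, as an added example that is not the ifm.net.nz script or any poster's code. The server name, PSK and the second subnet are placeholders, 192.168.35.0/24 is the subnet used earlier in the thread, and PAP authentication is an assumption taken from the error message quoted above.

```powershell
# Added example (not the ifm.net.nz script or Meraki's own code). Creates an L2TP/IPsec
# client VPN profile with split tunneling and attaches per-connection routes, so the
# routes exist only while the VPN is dialed and no manual 'route ADD' is needed.
# Run from an administrative PowerShell on Windows 10 (Win 7 lacks these cmdlets).
$ConnectionName = 'Meraki Client VPN'
$ServerAddress  = 'vpn.example.com'              # placeholder: MX public hostname or IP
$PreSharedKey   = 'REPLACE-WITH-DASHBOARD-PSK'   # placeholder: shared secret from the dashboard
# Subnets behind the MX that must go through the tunnel; the second one is a placeholder.
$TunnelPrefixes = @('192.168.35.0/24', '10.10.0.0/16')

# Recreate the profile so the script can be re-run (e.g. via group policy) when routes change.
# This also avoids the "existing outdated instance" situation when a same-named profile exists.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# -SplitTunneling is the scripted equivalent of unchecking "Use default gateway on remote network".
# -EncryptionLevel Optional applies to the PPP layer only; with PAP, 'Required' is rejected by
# Windows, and the L2TP session is already carried inside the IPsec tunnel (as noted above).
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $PreSharedKey -AuthenticationMethod Pap `
    -EncryptionLevel Optional -SplitTunneling -RememberCredential -Force

# Attach the routes to the profile; they are installed only while this connection is up.
foreach ($prefix in $TunnelPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Verify what was stored on the client.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling, EncryptionLevel
Get-VpnConnectionRoute -ConnectionName $ConnectionName | Select-Object DestinationPrefix, RouteMetric
```

After dialing the connection, `Get-NetRoute -DestinationPrefix 192.168.35.0/24` shows the route bound to the VPN interface; it disappears again when the tunnel is disconnected.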
The script from ifm.net.nz is a great way to set up a split tunnel. I have tested it manually and it works, but when I try to use the script I get the error "Unable to remove existing outdated instance(s)...". Any suggestions?
Do you already have a VPN connection with the same name as the one you are trying to create?
Are you running it from an Administrative PowerShell?
I did create one manually with the same name, but I have deleted it to run the script.
Yes, I am running it from an administrative PowerShell.