VPN - default gateway for site to site VPN


When a [VPN](/vpn) client connects to a VPN server using VPN software such as AnyConnect, whether or not the client receives a default gateway will depend on several factors.

Examine the following configuration parameters of a VPN interface on a Windows computer:

```
C:UsersVPN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : VPN-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
```

This client has connected to a Cisco [ASA](/asa) using AnyConnect.  Note that the value for the default gateway is empty.  

What you will find is that if you enabled [split tunneling](/vpn-split-tunneling) on the ASA, you will see no default gateway. If you’ve disabled split tunneling, then the first IP from the client’s [IPv4](/ipv4) address and [subnet mask](/ipv4-subnet-mask) combination will be chosen as the default gateway. 

There is no way to configure this parameter as it is hard coded into the way AnyConnect works.

In actuality, the default gateway of a VPN client is really of no consequence. The default gateway is only significant when configured on an interface in a more traditional setting. However, when using VPNs such as AnyConnect, which uses a virtual interface, it doesn’t need a default gateway. The VPN connection is being treated as a point to point connection, so you really don’t care about the next hop IP. You just send everything out of the virtual interface.

The routing logic of an AnyConnect client is that all interesting traffic is sent to the upstream VPN peer using the encrypted link. This link uses the peer address and not a default gateway address. So the actual value in the default gateway, whether blank or anything else, is just ignored.

Similarly, in a point to point VPN configuration, routers don't need a [default gateway configured](/vpn-default-gateway-for-site-to-site-vpn), or even routing information configured, to route traffic over the VPN.

Links:

https://forum.networklessons.com/t/cisco-asa-anyconnect-remote-access-vpn/833/125?u=lagapides

https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn

VPN - default gateway of VPN client

TCP - factors affecting segment size

TCP - role of checksum field

TCP MSS and window size

TCP RST flag

TCP SYN timeout

TCP header options

TCP phantom byte

TCP-IP model

TFTP

Tcl Shell

Telnet

Time to live

Traceroute - Interpreting output

Traceroute asterisk and !H responses

Traceroute

Transparent Cisco IOS Firewall use cases

Transport Layer port number

Troubleshooting - using Telnet to test transport layer ports

Troubleshooting a slow network

Troubleshooting high CPU and memory usage on a switch

UDP - Header

UDP - Maximum Datagram Size

Unicast Reverse Path Forwarding (uRPF)

Unicast traffic

Unknown unicast traffic

Upgrade your R&S skills to modern networking

VACL - Changes to ACL are active immediately

VLAN - Extended Range

VLAN - Native VLAN best practices

VLAN - Native VLAN on a router on a stick

VLAN - Private VLAN

VLAN - VLAN IDs 0 and 4095

VLAN Access Lists

VLAN Mapping

VLAN SVI status

VLAN Tag

VLAN control frames

VLAN

VLANs - 802.1Q tunneling (QinQ)

VLANs - Dynamic VLAN membership (VMPS)

VLANs - QinQ and CDP

VLANs - Vlans allowed and active in management domain

VLANs - when a tagged frame arrives on an access port

VLANs SVI

VPN - IKEv2 peer address of 0.0.0.0 0.0.0.0

VPN - crypto keepalive

VPN - split tunneling

VPN DVTI tunnel source

VRF - Definition mode

VRF - VPNv4 address

VRF capability vrf-lite command

VRF lite route leaking

VRF sharing across multiple routers

VRF use cases

VRRP - Virtual IP doesn't respond to pings

VRRP - load balancing

VRRP - support for authentication

VRRP - using the same ID on different interfaces

VRRP - using the same ID on subinterfaces

VRRP on sub-interfaces

VTP - Client can't modify VLANs

VTP - Multiple Servers with VTP version 2

VTP - Per interface configuration

VTP - Revision Numbers on transparent switch

VTP - Versions

VTP - domain name automatically changes

VTP - employing in an emulator

VTP - protecting switches from lower revision numbers

VTP Advertisements

VTP configuration checklist

VTP filtering shared VLANs

VTP how to disable the VLAN trunking protocol

VTP operation over trunks

VTP primary server

VTP revision number maximum

VTP revision number reset

VTP revision number

VXLAN - Use Cases

VXLAN - VLAN to VNI mapping

VXLAN - using an MP-BGP EVN control plane

VXLAN access trunk port

VXLAN

Value of Cisco certifications

Very-high-bit-rate  Digital Subscriber Line (VDSL)

Virtual Private LAN Service (VPLS)

Virtual Private Wire Service (VPWS)

Virtual Router Redundancy Protocol (VRRP)

Virtual Template Configuration

Virtualization functions - definition of terms

VoIP - Anatomy of a voice communication

VoIP - Configuring a switch port for use with an IP phone

VoIP - Voice VLAN

VoIP IP phone registration issues

VPN - default gateway of VPN client

Links to this page: