<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- use host routes (/32) to prevent routing conflicts -->
  <Route>
    <Address>10.10.0.2</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>10.10.0.3</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel -->
  <TrafficFilter>
    <RemoteAddressRanges>10.10.0.2, 10.10.0.3</RemoteAddressRanges>
  </TrafficFilter>
  <!-- need to specify always on = true -->
  <AlwaysOn>true</AlwaysOn>
  <!-- new node to specify that this is a device tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- new node to register client IP address in DNS to enable manage out -->
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
The above code snippet is from the official documentation as an example XML for a device tunnel profile. https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config
Can someone please explain the Route and TrafficFilter settings to me?
Let's say your VPN server is handing out addresses of 172.16.30.0/24 and your internal network resources live on 10.70.10.0/24.
How would you configure the XML file to allow the device tunnel to access resources on your internal network and how does the TrafficFilter setting play into this?
Also, would it make more sense to use splittunnel or forcetunnel for the device? The example is split but I am trying to understand the pros and cons of forcetunnel vs splittunnel for both user and device profiles.
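A device-tunnel profile adapted to the addresses in the question, added here as an example (it is not the poster's XML and not the Microsoft sample): the Route node decides what the client sends into the tunnel, and the TrafficFilter decides what the tunnel is allowed to carry, so the two ranges should match. It assumes the placeholder server name vpn.example.com and that RemoteAddressRanges accepts CIDR notation; the documentation sample above lists individual hosts, which works the same way.

```xml
<VPNProfile>
  <NativeProfile>
    <!-- placeholder server name, not a real host -->
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- the client is assigned an address from 172.16.30.0/24; without this setting Windows
         would also add a class-based route (172.16.0.0/16 for a class B address) on the VPN
         interface, which can overlap with ranges on the local LAN -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Route: one /24 entry sends traffic for every host on the internal network into the tunnel;
       the sample uses /32 host routes because it only needs two specific servers -->
  <Route>
    <Address>10.70.10.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <!-- TrafficFilter: once any filter is present, traffic that does not match it is dropped, so
       keep the remote range identical to the routed range. CIDR here is an assumption; the
       documentation sample uses a comma-separated list of addresses instead -->
  <TrafficFilter>
    <RemoteAddressRanges>10.70.10.0/24</RemoteAddressRanges>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
```

If only a few internal hosts need to be reachable by the device tunnel, narrow both the Route entries and the RemoteAddressRanges list to those hosts, as the documentation sample does.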