When a VPN client connects to a VPN server using VPN software such as AnyConnect, whether or not the client receives a default gateway will depend on several factors.
Examine the following configuration parameters of a VPN interface on a Windows computer:
C:UsersVPN>ipconfig /allWindows IP Configuration Host Name . . . . . . . . . . . . : VPN-PC Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : NoEthernet adapter Local Area Connection 3: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64 Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 192.168.10.100(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 8.8.8.8 NetBIOS over Tcpip. . . . . . . . : Enabled
This client has connected to a Cisco ASA using AnyConnect. Note that the value for the default gateway is empty.
What you will find is that if you enabled split tunneling on the ASA, you will see no default gateway. If you’ve disabled split tunneling, then the first IP from the client’s IPv4 address and subnet mask combination will be chosen as the default gateway.
There is no way to configure this parameter as it is hard coded into the way AnyConnect works.
In actuality, the default gateway of a VPN client is really of no consequence. The default gateway is only significant when configured on an interface in a more traditional setting. However, when using VPNs such as AnyConnect, which uses a virtual interface, it doesn’t need a default gateway. The VPN connection is being treated as a point to point connection, so you really don’t care about the next hop IP. You just send everything out of the virtual interface.
The routing logic of an AnyConnect client is that all interesting traffic is sent to the upstream VPN peer using the encrypted link. This link uses the peer address and not a default gateway address. So the actual value in the default gateway, whether blank or anything else, is just ignored.
Similarly, in a point to point VPN configuration, routers don't need a default gateway configured, or even routing information configured, to route traffic over the VPN.
Links:
https://forum.networklessons.com/t/cisco-asa-anyconnect-remote-access-vpn/833/125?u=lagapides
https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn
