Sometimes with configurations where all traffic is normally to be directed down the tunnel, there is need for direct access to select servers on the Internet. This may be necessary where the hub site does not have the ability to proxy or route the traffic back out to the Internet due to protocol intricacies, for performance reasons as might be the case with VoIP, or for access to AT&T support subnets.

In such cases, it is possible to configure “Internet Routes” which are really individual IP exceptions to “everything down the tunnel” mode. The configuration of such routes includes specification of IP address and subnet mask; these apply at the VPN Gateway level, and cannot be different based on VLAN configuration.