Ignore Network Connector - this is a more advanced type of VPN which is harder to configure, and not available for use on iOS devices.
For IPsec, the device will use your SSL VPN as its router, but it's not always clear which addresses are routed this way. It looks like my iOS 9 iPod Touch is behaving in the same way as a Windows client; you either have a default route (all traffic is sent to the SSL VPN), or a classful (A/B/C) route for whichever network you're on, depending on whether you enabled the "send all traffic" option when creating the configuration.
So, for example, if my internal network is 10.1.0.0/24 and I connect to it with L2TP/IPsec, the PPP interface on my iPod comes up as 10.1.0.100/8, and any traffic for anything on that subnet is transported over the VPN even though it's a much bigger subnet than I actually have (the SSL VPN just follows its own routing rules for traffic which is not destined for the subnet it's on).
Example 1: if I sent traffic from my iPod (10.1.0.100) to something on a different network inside the same classful subnet (e.g. 10.2.0.100) then this would first go to the SSL VPN (because it's covered by the 10.0.0.0/8 route on the client) and from there it would be sent either to the default gateway of the SSL VPN, or via any specific route which was configured.
Example 2: if I sent traffic from my iPod (10.1.0.100) to something on a network inside a different classful subnet (e.g. 192.168.1.100) then this can go two ways:
-- If I have "send all traffic" enabled on the iPod, then the packets would be sent to the SSL VPN as above, and again the VPN would use its own routing tables to work out where to send the packets from there (either to the default gateway, or so a specific gateway configured via a static route)
-- If I have "send all traffic" disabled on the iPod, then these packets will be sent to the default gateway of the iPod because they no longer match the 10.0.0.0/8 route that is configured. From there, they'll be routed/dropped by the gateway as necessary.
So the solution to this depends on what addressing you're using on your DMZ/LAN...Go to the full post