I was wondering if it's possible to set up a VPN connection between a Windows XP client and a Cisco IOS router. Where can I find an example to achieve this? I'm using a Cisco 2620 router with IOS 12.2(13) (3DES).
Yes you can, although the setup on the PC is not overly user-friendly. You have to do L2TP/IPsec as this is what Windows does. Don't have a sample config for this specifically, but this shows you how to set up the PC side of things:
!Configure vpdn group 1 to accept an open tunnel request from remote peers, define L2TP as the protocol, identify virtual-template 1 to use for cloning virtual access interfaces, and disable tunnel authentication
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!Creates IKE policy 1, which would be given highest priority if there were additional IKE policies. Specifies policy using Pre Shared Key for authentication, specifies lifetime, key and all source addresses. Note default policy uses DES encryption with Secure Hash Standard, Diffie-Hellman group 1. See "show crypto isakmp policy" below. These settings should match the Windows client General Tab settings shown in the screen captures above.
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CISCORULES address 0.0.0.0
!Create IPSEC transform set named DOG using DES for ESP and ESP with the MD5 (HMAC variant) authentication algorithm with transport mode. Note, AH is not used. These settings correspond to the WindoZe client IPSEC_Filter settings above.
crypto ipsec transform-set DOG esp-des esp-md5-hmac
!Create dynamic map named SNOOP, specify access list 101 which is used to determine which traffic (L2TP) is to be protected by IPSec. Dynamic crypto maps accept requests for new Security Associations from previously unknown peers after IKE is completed.
crypto dynamic-map SNOOP 1
 set transform-set DOG
 match address 101
!Create crypto map DR_DRE (assigned to FastEthernet 0/0), using IKE for Security Associations, with dynamic-map SNOOP as a template
crypto map DR_DRE 1 ipsec-isakmp dynamic SNOOP
interface FastEthernet0/0
 description Outside interface
 ip address 188.8.131.52 255.255.255.0
 no ip mroute-cache
 no cdp enable
!Assign crypto map DR_DRE to interface
 crypto map DR_DRE
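!<inside-interface> is a placeholder: the inside interface name is not given in this post
interface <inside-interface>
 description Inside interface
 ip address 172.16.53.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 no cdp enable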
!Create virtual-template interface used for "cloning" virtual-access interfaces using address pool L2TP_POOL with CHAP authentication. Note, MS-CHAP is not supported with CiscoSecure for Unix.
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip route-cache cef
 peer default ip address pool L2TP_POOL
 ppp authentication chap
!Creates IP pool named L2TP_POOL
ip local pool L2TP_POOL 172.16.53.152 172.16.53.200
ip route 0.0.0.0 0.0.0.0 184.108.40.206
no ip http server
!Specifies L2TP traffic as interesting to use with IPSEC
access-list 101 permit udp host 220.127.116.11 any eq 1701
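
An added example, not part of the original post and not Cisco tooling: a small Python check that reads IOS configuration text and reports the weak IKE/IPsec settings the posted configuration relies on (DES, MD5, the default Diffie-Hellman group 1, and a pre-shared key bound to 0.0.0.0). The function name audit, the finding codes and the sample text are constructed for illustration, and the check assumes sub-commands are indented as in "show running-config" output.

```python
import re

# Constructed sample: the crypto lines from the configuration in the answer above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
crypto isakmp key CISCORULES address 0.0.0.0
crypto ipsec transform-set DOG esp-des esp-md5-hmac
"""

# Values an IKE policy uses when nothing is set; the answer notes DES, SHA, DH group 1.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_POLICY = {"encryption": "des", "hash": "md5", "group": "1"}
WEAK_TRANSFORMS = ("esp-des", "esp-md5-hmac", "ah-md5-hmac")


def audit(config):
    """Return sorted (code, detail) findings for weak IKE/IPsec settings."""
    findings, policies, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
            continue
        if raw[:1].isspace() and current is not None:
            # Indented sub-command of the policy block; running-config shows "encr".
            parts = line.split() + ["", ""]
            key = "encryption" if parts[0].startswith("encr") else parts[0]
            if key in POLICY_DEFAULTS and parts[1]:
                current[key] = parts[1]
            continue
        current = None
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m and m.group(1) == "0.0.0.0":
            findings.add(("WILDCARD_PSK", "key accepted from any peer address"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        for t in (m.group(2).split() if m else []):
            if t in WEAK_TRANSFORMS:
                findings.add(("WEAK_TRANSFORM", f"{m.group(1)}: {t}"))
    for num, policy in policies.items():
        for field, bad in WEAK_POLICY.items():
            if policy[field] == bad:
                findings.add(("WEAK_IKE_" + field.upper(), f"policy {num}: {bad}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```
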
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :