Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Windows XP To IOS VPN ?


I was wondering if it's possible to set up a VPN connection between a Windows XP client and a Cisco IOS router. Where can I find an example to achieve this ? I'm using a Cisco 2620 router with IOS 12.2(13) (3DES).



Cisco Employee

Re: Windows XP To IOS VPN ?

Yes you can, although the setup on the PC is not overly user-friendly. You have to do L2TP/IPsec as this is what Windows does. Don't have a sample config for this specifically, but this shows you how to set up the PC side of things:

The router config will look like the following:

!Enable vpdn

vpdn enable

no vpdn logging


! Default L2TP VPDN group

vpdn-group 1


!Configure vpdn group 1 to accept an open tunnel request from remote peers, defines L2TP as the protocol, and identifies virtual-template 1 to use for cloning virtual access interfaces, disable tunnel authentication



protocol l2tp

virtual-template 1

no l2tp tunnel authentication


!Creates IKE policy 1, which would be given highest priority if there were additional IKE policies. Specifies policy using Pre Shared Key for authentication, specifies lifetime, key and all source addresses. Note default policy uses DES encryption with Secure Hash Standard, Diffie-Hellman group 1. See "show crypto isakmp policy" below. These settings should match the Windows client General Tab settings shown in the screen captures above.


crypto isakmp policy 1

authentication pre-share

lifetime 28800

crypto isakmp key CISCORULES address


!Create IPSEC transform set named DOG using DES for ESP and ESP with the MD5 (HMAC variant) authentication algorithm with transport mode. Note, AH is not used. These settings correspond to the WindoZe client IPSEC_Filter settings above.


crypto ipsec transform-set DOG esp-des esp-md5-hmac

mode transport


!Create dynamic map named SNOOP, specify access list 101 which is used to determine which traffic (L2TP), is to be protected by IPSec. Dynamic crypto maps accept requests for new Security Associations from previously unknown peers after IKE is completed.


crypto dynamic-map SNOOP 1

set transform-set DOG

match address 101


!Create crypto map l2tp (assigned to FastEthernet 0/0), using IKE for Security Associations , use "dynamic-map SNOOP as a template"


crypto map DR_DRE 1 ipsec-isakmp dynamic SNOOP


interface FastEthernet0/0

description Outside interface

ip address

no ip mroute-cache


no cdp enable

!Assign crypto map DR_DRE to interface

crypto map DR_DRE


interface FastEthernet1/0

description Inside interface

ip address

no ip redirects

no ip proxy-arp

no ip mroute-cache


no cdp enable


!Create virtual-template interface used for "cloning" virtual-access interfaces using address pool L2TP_POOL with chap authentication. Note, MS-CHAP is not supported with CiscoSecure for Unix.


interface Virtual-Template1

ip unnumbered FastEthernet0/0

no ip route-cache cef

ip mroute-cache

peer default ip address pool L2TP_POOL

ppp authentication chap


!Creates IP Pool name L2TP_Pool

ip local pool L2TP_POOL

ip classless

ip route

no ip http server


!Specifies L2TP traffic as interesting to use with IPSEC

access-list 101 permit udp host any eq 1701

Cisco Employee

Re: Windows XP To IOS VPN ?


Just wanted to point out that Windows XP also natively supports PPTP in addition to L2TP/IPSec client-initiated tunnels. The link below discusses IOS configuration for both.

Cisco Employee
CreatePlease to create content