01-13-2003 02:24 PM - edited 02-21-2020 12:16 PM
Hello,
I was wondering if it's possible to set up a VPN connection between a Windows XP client and a Cisco IOS router. Where can I find an example to achieve this? I'm using a Cisco 2620 router with IOS 12.2(13) (3DES).
Thanks,
Bram
01-13-2003 03:20 PM
Yes you can, although the setup on the PC is not overly user-friendly. You have to do L2TP/IPsec as this is what Windows does. Don't have a sample config for this specifically, but this shows you how to set up the PC side of things:
http://www.cisco.com/warp/public/471/vpn3k_l2tp.html
The router config will look like the following:
!Enable vpdn
vpdn enable
no vpdn logging
!
! Default L2TP VPDN group
vpdn-group 1
!
!Configure vpdn group 1 to accept open tunnel requests from remote peers, define L2TP as the protocol, identify virtual-template 1 to use for cloning virtual access interfaces, and disable tunnel authentication
!
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!Creates IKE policy 1, which would be given highest priority if there were additional IKE policies. Specifies a policy using a pre-shared key for authentication, and specifies the lifetime, key and all source addresses. Note the default policy uses DES encryption with Secure Hash Standard and Diffie-Hellman group 1. See "show crypto isakmp policy" below. These settings should match the Windows client General Tab settings shown in the screen captures above.
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key CISCORULES address 0.0.0.0
!
!Create IPSEC transform set named DOG using DES for ESP and ESP with the MD5 (HMAC variant) authentication algorithm in transport mode. Note, AH is not used. These settings correspond to the WindoZe client IPSEC_Filter settings above.
!
crypto ipsec transform-set DOG esp-des esp-md5-hmac
 mode transport
!
!Create dynamic map named SNOOP, specifying access list 101, which is used to determine which traffic (L2TP) is to be protected by IPSec. Dynamic crypto maps accept requests for new Security Associations from previously unknown peers after IKE is completed.
!
crypto dynamic-map SNOOP 1
 set transform-set DOG
 match address 101
!
!Create crypto map l2tp (assigned to FastEthernet 0/0), using IKE for Security Associations, using "dynamic-map SNOOP" as a template
!
crypto map DR_DRE 1 ipsec-isakmp dynamic SNOOP
!
interface FastEthernet0/0
 description Outside interface
 ip address 200.1.1.1 255.255.255.0
 no ip mroute-cache
 full-duplex
 no cdp enable
!Assign crypto map DR_DRE to interface
 crypto map DR_DRE
!
interface FastEthernet1/0
 description Inside interface
 ip address 172.16.53.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 half-duplex
 no cdp enable
!
!Create virtual-template interface used for "cloning" virtual-access interfaces, using address pool L2TP_POOL with CHAP authentication. Note, MS-CHAP is not supported with CiscoSecure for Unix.
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip route-cache cef
 ip mroute-cache
 peer default ip address pool L2TP_POOL
 ppp authentication chap
!
!Creates IP pool named L2TP_POOL
ip local pool L2TP_POOL 172.16.53.152 172.16.53.200
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.2
no ip http server
!
!Specifies L2TP traffic as interesting to use with IPSEC
access-list 101 permit udp host 200.1.1.1 any eq 1701
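The sample config above uses single DES for both the IKE policy (the IOS default when no encryption line is given) and the ESP transform set, a wildcard pre-shared key, and no L2TP tunnel authentication. The following Python script is an added example, not part of the reply above or of any Cisco tool: it parses the crypto and VPDN fragments of that config (embedded here as a constructed sample), reports those settings with a severity, and emits a copy that selects 3DES for IKE and ESP, which the original poster's 3DES IOS image supports. It assumes the config is in the indented form IOS itself prints (one space per nesting level).

```python
"""Lint a Cisco IOS L2TP/IPsec remote-access config for weak crypto choices
and emit a hardened copy. Added example for this thread, not Cisco code.
Assumption: sub-commands are indented by one space per level, as IOS prints them."""

# Constructed sample: the crypto and VPDN fragments of the config posted above.
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key CISCORULES address 0.0.0.0
crypto ipsec transform-set DOG esp-des esp-md5-hmac
 mode transport
"""


def parse_sections(text):
    """Group config lines into (top-level command, [indented child lines]).
    Child lines keep their original indentation; '!' comments and blanks are dropped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            sections.append((raw.rstrip(), []))
        elif sections:
            sections[-1][1].append(raw.rstrip())
    return sections


def lint(text):
    """Return (severity, command, message) tuples for the settings checked."""
    findings = []
    for cmd, children in parse_sections(text):
        words = cmd.split()
        kids = [c.strip() for c in children]
        if cmd.startswith("crypto isakmp policy"):
            enc = [k for k in kids if k.startswith("encryption ")]
            # IOS falls back to single DES for IKE when the policy has no encryption line
            if not enc or enc[0].split()[-1] == "des":
                findings.append(("high", cmd,
                                 "IKE cipher is single DES; add 'encryption 3des'"))
        elif cmd.startswith("crypto isakmp key") and words[-2:] == ["address", "0.0.0.0"]:
            findings.append(("medium", cmd,
                             "wildcard pre-shared key: any peer holding the key is accepted, "
                             "so the key's strength and secrecy are the only access control"))
        elif cmd.startswith("crypto ipsec transform-set"):
            if "esp-des" in words:
                findings.append(("high", cmd, "ESP cipher is single DES; use esp-3des"))
            if "esp-md5-hmac" in words:
                findings.append(("low", cmd,
                                 "ESP integrity is HMAC-MD5; esp-sha-hmac is the stronger choice"))
        elif cmd.startswith("vpdn-group") and "no l2tp tunnel authentication" in kids:
            findings.append(("info", cmd,
                             "L2TP tunnel authentication is off; peer authentication rests "
                             "entirely on IKE/IPsec, so the IKE findings matter most"))
    return findings


def harden(text):
    """Rewrite the config with 3DES for both IKE and ESP; all other lines pass through."""
    out = []
    for cmd, children in parse_sections(text):
        if cmd.startswith("crypto ipsec transform-set"):
            cmd = " ".join("esp-3des" if w == "esp-des" else w for w in cmd.split())
        if cmd.startswith("crypto isakmp policy"):
            children = [c for c in children if not c.strip().startswith("encryption ")]
            children.insert(0, " encryption 3des")
        out.append(cmd)
        out.extend(children)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, cmd, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {cmd}: {msg}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONFIG))
```

Running the script against the sample reports two high findings (DES in IKE and in ESP), the wildcard key, the MD5 HMAC and the disabled L2TP tunnel authentication; running `lint` over the output of `harden` leaves no high finding. Transport mode is left alone because L2TP-over-IPsec needs it.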
01-13-2003 04:03 PM
Bram,
Just wanted to point out that Windows XP also natively supports PPTP in addition to L2TP/IPSec client-initiated tunnels. The link below discusses IOS configuration for both.
01-13-2003 04:04 PM