Windows XP To IOS VPN?

bsmout
Level 1

Hello,

I was wondering if it's possible to set up a VPN connection between a Windows XP client and a Cisco IOS router. Where can I find an example to achieve this? I'm using a Cisco 2620 router with IOS 12.2(13) (3DES).

Thanks,

Bram

3 Replies

gfullage
Cisco Employee

Yes you can, although the setup on the PC is not overly user-friendly. You have to do L2TP/IPsec as this is what Windows does. Don't have a sample config for this specifically, but this shows you how to set up the PC side of things:

http://www.cisco.com/warp/public/471/vpn3k_l2tp.html

The router config will look like the following:

!Enable vpdn
vpdn enable
no vpdn logging
!
! Default L2TP VPDN group
vpdn-group 1
!
!Configure vpdn group 1 to accept an open tunnel request from remote peers, defines L2TP as the protocol, and identifies virtual-template 1 to use for cloning virtual access interfaces, disable tunnel authentication
!
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!Creates IKE policy 1, which would be given highest priority if there were additional IKE policies. Specifies policy using Pre Shared Key for authentication, specifies lifetime, key and all source addresses. Note default policy uses DES encryption with Secure Hash Standard, Diffie-Hellman group 1. See "show crypto isakmp policy" below. These settings should match the Windows client General Tab settings shown in the screen captures above.
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
! address 0.0.0.0 makes this one key apply to any peer address
crypto isakmp key CISCORULES address 0.0.0.0
!
!Create IPSEC transform set named DOG using DES for ESP and ESP with the MD5 (HMAC variant) authentication algorithm with transport mode. Note, AH is not used. These settings correspond to the WindoZe client IPSEC_Filter settings above.
!
crypto ipsec transform-set DOG esp-des esp-md5-hmac
 mode transport
!
!Create dynamic map named SNOOP, specify access list 101 which is used to determine which traffic (L2TP) is to be protected by IPSec. Dynamic crypto maps accept requests for new Security Associations from previously unknown peers after IKE is completed.
!
crypto dynamic-map SNOOP 1
 set transform-set DOG
 match address 101
!
!Create crypto map DR_DRE (assigned to FastEthernet0/0), using IKE for Security Associations, use "dynamic-map SNOOP" as a template
!
crypto map DR_DRE 1 ipsec-isakmp dynamic SNOOP
!
interface FastEthernet0/0
 description Outside interface
 ip address 200.1.1.1 255.255.255.0
 no ip mroute-cache
 full-duplex
 no cdp enable
 !Assign crypto map DR_DRE to interface
 crypto map DR_DRE
!
interface FastEthernet1/0
 description Inside interface
 ip address 172.16.53.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 half-duplex
 no cdp enable
!
!Create virtual-template interface used for "cloning" virtual-access interfaces using address pool L2TP_POOL with chap authentication. Note, MS-CHAP is not supported with CiscoSecure for Unix.
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip route-cache cef
 ip mroute-cache
 peer default ip address pool L2TP_POOL
 ppp authentication chap
!
!Creates IP pool named L2TP_POOL
ip local pool L2TP_POOL 172.16.53.152 172.16.53.200
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.2
no ip http server
!
!Specifies L2TP traffic as interesting to use with IPSEC
access-list 101 permit udp host 200.1.1.1 any eq 1701
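Added here as an illustration, not part of the reply above or any Cisco tooling: a small Python check that follows the reference chain in a config like the one above (vpdn-group to Virtual-Template, crypto map to dynamic map to transform set and access list) and reports anything unresolved, plus the wildcard pre-shared key. The embedded config is a constructed cut-down copy of the reply's, with the same names and values.

```python
import re

# Constructed sample: the reply's config reduced to the lines this check inspects
# (same names and values as in the reply, including its wildcard pre-shared key).
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
crypto isakmp key CISCORULES address 0.0.0.0
crypto ipsec transform-set DOG esp-des esp-md5-hmac
 mode transport
crypto dynamic-map SNOOP 1
 set transform-set DOG
 match address 101
crypto map DR_DRE 1 ipsec-isakmp dynamic SNOOP
interface FastEthernet0/0
 crypto map DR_DRE
interface Virtual-Template1
access-list 101 permit udp host 200.1.1.1 any eq 1701
"""

def first(pattern, lines):  # first config line matching the regex (anchored at line start), or None
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)

def check_l2tp_ipsec(config):
    """Return a list of findings for an IOS L2TP/IPsec responder config (empty list = all references resolve)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    def need(cond, msg):  # record a finding whenever a required condition is false
        if not cond:
            findings.append(msg)
    need("vpdn enable" in lines, "vpdn enable missing: L2TP tunnel requests are not accepted")
    vt = first(r"virtual-template (\d+)$", lines)
    need(vt and f"interface Virtual-Template{vt.group(1)}" in lines, "vpdn-group Virtual-Template undefined")
    cmap = first(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", lines)
    need(cmap and f"crypto map {cmap.group(1)}" in lines, "crypto map not applied to an interface")
    need(cmap and first(rf"crypto dynamic-map {cmap.group(2)} \d+", lines), "dynamic map undefined")
    ts = first(r"set transform-set (\S+)", lines)
    need(ts and first(rf"crypto ipsec transform-set {ts.group(1)} ", lines), "transform set undefined")
    need("mode transport" in lines, "transform set not in transport mode (required by the Windows client)")
    acl = first(r"match address (\d+)", lines)
    need(acl and first(rf"access-list {acl.group(1)} permit udp .* eq 1701", lines), "ACL does not match L2TP (UDP 1701)")
    need(not first(r"crypto isakmp key \S+ address 0\.0\.0\.0", lines), "wildcard pre-shared key (address 0.0.0.0): the same key is accepted from any peer address")
    return findings
```

Run against the sample it reports only the wildcard key; drop the `crypto map DR_DRE` line under the interface and it also reports the map as unapplied.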

jelloyd
Cisco Employee

Bram,

Just wanted to point out that Windows XP also natively supports PPTP in addition to L2TP/IPSec client-initiated tunnels. The link below discusses IOS configuration for both.
