How to setup a Cisco 877 router as a VPN server?

MassimoPascucci
Level 1

I've been trying for a while to set up my Cisco 877 router as a VPN server, in order to be able to access my network from the outside.

My goal is to use standard Windows (or Linux) VPN client software to connect, without the need for Cisco VPN Client. Is this possible at all? I'd think so, but I've been unable to make it work.

Also, although I have quite a bit of Cisco router/switch experience, I'm very confused by the whole crypto/isakmp thing; I've read tons of documentation and tried out some configurations, but I just don't seem to have grasped enough of it.

My goals:

  • As I said, I want to be able to connect from any client system which natively supports VPNs, without the need for the Cisco VPN Client.
  • I want to use L2TP/IPSEC.
  • I want to use a pre-shared key (no certificates, please).
  • I want the router to assign internal IP addresses from a defined pool (no DHCP).
  • I want to use the router's own authentication (no RADIUS).
  • I want to be able to connect the same way from anywhere (no ACLs or custom VPN profiles based on peer address).

Some details about my configuration:

  • IOS version is "(C870-ADVIPSERVICESK9-M), Version 15.0(1)M"
  • The router has four Ethernet ports belonging to the default VLAN 1, where it has the IP address 192.168.42.1/24.
  • The WAN interface is a PPP ADSL with a single (static but dynamically-assigned) public IP address; the external interface is Dialer0.
  • The router does NAT for the internal network.
  • The router is already using AAA, thus configured:

aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local

  • There is a single local user with privilege level 15, let's call it "username"; it's ok for me to use the same one for VPN access.

I can post samples of the various configurations I tried, but I'm not quite sure what is correct and what is not about them, so I'm not posting them for now; I will, if asked.

Can someone please provide me a working configuration for this setup?

Thanks

6 Replies

spremkumar
Level 9

hi

I don't have a working config with me, but I hope the link below helps you out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

regds

That covers almost every possible scenario... excluding my one! Amazing

It sure sheds some light... I'll do some other tests.

However, if someone knows how to allow L2TP/IPSEC connections from Windows clients without using the VPN client, I'd appreciate it a lot.

jelloyd
Cisco Employee

Hi Massimo,

It sounds like you're looking for this:

http://www.cisco.com/en/US/partner/docs/ios/sec_secure_connectivity/configuration/guide/sec_l2tp_nat_pat_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1047641


However, looking over the config on the link above, it seems that they've omitted the local "username" command for PPP authentication. Per the AAA commands, they are doing local user authentication for PPP (which the MS L2TP/IPSec client employs). So you would just need to add something like:

username L2TP_User password

HTH,

-Jeff
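As an added example (not Jeff's configuration and not copied from the Cisco guide he links), this is what a minimal IOS L2TP/IPsec server matching Massimo's goals looks like: a pre-shared key, a local address pool, local PPP authentication and a dynamic crypto map so any peer address is accepted. The interface names Vlan1 and Dialer0 and the 192.168.42.0/24 subnet come from the question; the pool range, the names L2TP_TS, L2TP_DYN, L2TP_MAP, L2TP_POOL and L2TP_User, and the two placeholder secrets are assumptions.

```text
! Added example, not the page's own config. Assumes the poster's Vlan1 (192.168.42.1/24)
! and Dialer0 interfaces; pool range, object names and both secrets are placeholders.
!
! PPP authentication for the L2TP session is local. 'aaa authorization network default local'
! is already present in the poster's AAA block.
aaa authentication ppp default local
!
! Local account used for the PPP (MS-CHAPv2) login, as Jeff notes. MS-CHAP needs the
! cleartext password, so this must be 'password', not 'secret'.
username L2TP_User password 0 REPLACE_WITH_PPP_PASSWORD
!
! Accept inbound L2TP tunnels; the Windows client does not do L2TP tunnel authentication.
vpdn enable
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! IKE phase 1. 3DES/SHA1/group 2 is the proposal every Windows built-in client offers;
! add a stronger AES policy with a lower sequence number if all clients negotiate it.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK: any peer address may attempt IKE with this key (the poster's requirement).
! 'no-xauth' stops IOS from demanding an extended authentication exchange the Windows
! client cannot perform.
crypto isakmp key REPLACE_WITH_PRESHARED_KEY address 0.0.0.0 0.0.0.0 no-xauth
! NAT-T keepalive interval for clients sitting behind a NAT device.
crypto isakmp nat-traversal 20
!
! IKE phase 2. L2TP/IPsec uses transport mode: only the UDP/1701 L2TP packets are protected.
crypto ipsec transform-set L2TP_TS esp-3des esp-sha-hmac
 mode transport
!
! Dynamic map: no peer address or ACL is configured, so the client's proposal drives the SA.
! 'set nat demux' is the command from the feature Jeff's link documents; it lets several
! clients behind one NAT/PAT address connect at the same time.
crypto dynamic-map L2TP_DYN 10
 set nat demux
 set transform-set L2TP_TS
crypto map L2TP_MAP 10 ipsec-isakmp dynamic L2TP_DYN
!
! Addresses handed to clients, taken from the LAN subnet (range is an assumption).
ip local pool L2TP_POOL 192.168.42.200 192.168.42.220
!
! One virtual-access interface is cloned from this template per PPP session.
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool L2TP_POOL
 ppp authentication ms-chap-v2
!
! Apply the crypto map to the public-facing interface.
interface Dialer0
 crypto map L2TP_MAP
```

Two points worth keeping in mind with this layout. First, local MS-CHAPv2 authentication forces the account to be stored with a reversible `password` (type 7 at best), so reusing the privilege-15 administrator account for VPN logins, as the question proposes, puts the router's admin credential in that weaker form; a separate VPN-only account costs nothing. Second, the wildcard pre-shared key means every host on the Internet can start an IKE exchange with the router, so keep the key long and random and watch `show crypto isakmp sa` for unexpected peers. After a client connects, `show crypto isakmp sa` should list one QM_IDLE entry per client, `show crypto ipsec sa` the transport-mode SA for UDP/1701, and `show vpdn session` or `show caller user L2TP_User` the PPP session with its pool address.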

Hi Jeff,

the Cisco site says I can't access that link... even after logging on.

It should be able to open up after you login. Try manually searching for it on www.cisco.com after you login. The title is:

"L2TP-IPsec Support for NAT and PAT Windows Clients"

It's part of the official IOS config guide for 15.1 (it also exists for other versions of IOS; they all should be the same article).

Let me know if this helps.

Thanks,

-Jeff

Pretty tough request yours lol ...

I guess you can use WebVPN, which is deployed in the following ways:

Clientless SSL VPN (WebVPN): provides a remote client that requires an SSL-enabled web browser to access HTTP or HTTPS web servers on a corporate local-area network.

http://cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml

Thin-Client SSL VPN (Port Forwarding): provides a remote client that downloads a small Java-based applet and allows secure access for Transmission Control Protocol (TCP) applications that use static port numbers. Post Office Protocol (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), secure shell (ssh), and Telnet are examples of secure access. Because files on the local machine change, users must have local administrative privileges to use this method. This method of SSL VPN does not work with applications that use dynamic port assignments, such as some file transfer protocol (FTP) applications.

http://cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml

SSL VPN Client (SVC Full Tunnel Mode): downloads a small client to the remote workstation and allows full secure access to resources on an internal corporate network. You can download the SVC to a remote workstation permanently, or you can remove the client once the secure session is closed.

http://cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml

These are the only ways to do a VPN server without the Cisco VPN client. Since you have the new model, I'm 99,99% sure you can pick any method and it will work fine.


I personally don't like WebVPN, but in some cases it is the only way to access the remote.
