I've been trying for a while to set up my Cisco 877 router as a VPN server, in order to be able to access my network from the outside.
My goal is to use standard Windows (or Linux) VPN client software to connect, without the need for Cisco VPN Client. Is this possible at all? I'd think so, but I've been unable to make it work.
Also, although I have quite a bit of Cisco routers/switches experience, I'm very confused at the whole crypto/isakmp thing; I've read tons of documentation and tried out some configurations, but I just don't seem to have grasped enough of it.
As I said, I want to be able to connect from any client system which natively supports VPNs, without the need for the Cisco VPN Client.
I want to use L2TP/IPSEC.
I want to use a pre-shared key (no certificates, please).
I want the router to assign internal IP addresses from a defined pool (no DHCP).
I want to use the router's own authentication (no RADIUS).
I want to be able to connect the same way from anywhere (no ACLs or custom VPN profiles based on peer address).
Some details about my configuration:
IOS version is "(C870-ADVIPSERVICESK9-M), Version 15.0(1)M"
The router has four Ethernet ports belonging to the default VLAN 1, where it has the IP address 192.168.42.1/24.
The WAN interface is a PPP ADSL with a single (static but dynamically-assigned) public IP address; the external interface is Dialer0.
The router does NAT for the internal network.
The router is already using AAA, thus configured:
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local
There is a single local user with privilege level 15, let's call it "username"; it's ok for me to use the same one for VPN access.
I can post samples of the various configurations I tried, but I'm not quite sure what is correct and what is not about them, so I'm not posting them for now; I will, if asked.
Can someone please provide me a working configuration for this setup?
However, looking over the config on the link above it seems that they've omitted the local "username" command for PPP authentication. Per the AAA commands, they are doing local user authentication for PPP (which the MS L2TP/IPSec employs). So you would just need to add something like:
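As an added example (not the answerer's config and not taken from Cisco documentation), here is a complete set of IOS commands for the setup described in the question: L2TP/IPsec with a pre-shared key, a local address pool and the router's own user database. The values taken from the question are Vlan1 192.168.42.1/24, Dialer0 as the public interface and the existing AAA lines; the pool range, the policy/map/group names, the VPN user name and the PSK and password placeholders are assumptions.

```cisco
! Added example, not the original poster's or answerer's configuration.
! Known from the question: Vlan1 192.168.42.1/24, Dialer0 is the WAN interface,
! "aaa authorization network default local" already exists.
! Assumed: pool range, names, and the REPLACE-WITH-* placeholders.
!
! AAA: the existing config only covers login/exec. The L2TP session is
! authenticated by PPP, so PPP must also use the local user database.
aaa authentication ppp default local
!
! CHAP/MS-CHAPv2 needs a reversible password on the router; an account created
! with "username ... secret" (MD5 hash) cannot be used for PPP. Rather than
! downgrading the privilege-15 account to "password", give VPN access its own
! low-privilege user (assumed name).
username vpnuser privilege 1 password 0 REPLACE-WITH-USER-PASSWORD
!
! Phase 1 (ISAKMP). Policy 10 suits Windows 7 and newer clients, policy 20 is
! the 3DES fallback older clients propose.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
! Wildcard peer because clients connect from anywhere; the PSK is then the only
! thing gating phase 1, so use a long random value. no-xauth keeps the router
! from asking for XAUTH, which the built-in Windows/Linux clients do not do.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0 no-xauth
!
! Phase 2 (IPsec). Transport mode is mandatory for L2TP/IPsec; the Windows
! client rejects tunnel mode. Both sets are offered so old and new clients match.
crypto ipsec transform-set L2TP-AES esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-3DES esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-AES L2TP-3DES
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
! L2TP (VPDN): accept incoming L2TP and hand the session to Virtual-Template1.
! L2TP tunnel authentication is redundant once IPsec protects the packets.
vpdn enable
vpdn-group L2TP-CLIENTS
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Address pool (assumed range, carved out of the LAN subnet so VPN clients look
! like local hosts; the router answers ARP for them on Vlan1).
ip local pool L2TP-POOL 192.168.42.200 192.168.42.220
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ! only needed if VPN clients should reach the Internet through the router's NAT
 ip nat inside
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
 ! IPsec already encrypts; MPPE is only here so Windows' default
 ! "Require encryption" setting is satisfied
 ppp encrypt mppe auto
!
! Bind the crypto map to the public interface.
interface Dialer0
 crypto map L2TP-MAP
```

Two things to check before testing a client: any inbound ACL or firewall inspection on Dialer0 must let UDP 500, UDP 4500 and ESP reach the router itself, and the NAT source list must either include or deliberately exclude the pool range, otherwise client traffic to the LAN and to the Internet behaves differently than expected. On the client side the PSK goes into the IPsec settings of the L2TP connection, and the PPP user is the local account configured above.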