Cisco Support Community
Community Member

How to setup a Cisco 877 router as a VPN server?

I've been trying for a while to set up my Cisco 877 router as a VPN server, in order to be able to access my network from the outside.

My goal is to use standard Windows (or Linux) VPN client software to connect, without the need for Cisco VPN Client. Is this possible at all? I'd think so, but I've been unable to make it work.

Also, although I have quite a bit of Cisco routers/switches experience, I'm very confused by the whole crypto/isakmp thing; I've read tons of documentation and tried out some configurations, but I just don't seem to have grasped enough of it.

My goals:

  • As I said, I want to be able to connect from any client system which natively supports VPNs, without the need for the Cisco VPN Client.
  • I want to use L2TP/IPSEC.
  • I want to use a pre-shared key (no certificates, please).
  • I want the router to assign internal IP addresses from a defined pool (no DHCP).
  • I want to use the router's own authentication (no RADIUS).
  • I want to be able to connect the same way from anywhere (no ACLs or custom VPN profiles based on peer address).

Some details about my configuration:

  • IOS version is "(C870-ADVIPSERVICESK9-M), Version 15.0(1)M"
  • The router has four Ethernet ports belonging to the default VLAN 1, where it has the IP address
  • The WAN interface is a PPP ADSL with a single (static but dynamically-assigned) public IP address; the external interface is Dialer0.
  • The router does NAT for the internal network.
  • The router is already using AAA, thus configured:

aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local

  • There is a single local user with privilege level 15, let's call it "username"; it's ok for me to use the same one for VPN access.

I can post samples of the various configurations I tried, but I'm not quite sure what is correct and what is not about them, so I'm not posting them for now; I will, if asked.

Can someone please provide me a working configuration for this setup?



Re: How to setup a Cisco 877 router as a VPN server?


I don't have a working config with me, but I hope the link below helps you out.


Community Member

Re: How to setup a Cisco 877 router as a VPN server?

That covers almost every possible scenario... excluding my one! Amazing

It sure sheds some light... I'll do some other tests.

However, if someone knows how to allow L2TP/IPSEC connections from Windows clients without using the VPN client, I'd appreciate it a lot

Cisco Employee

Re: How to setup a Cisco 877 router as a VPN server?

Hi Massimo,

It sounds like you're looking for this:

However, looking over the config on the link above it seems that they've omitted the local "username" command for PPP authentication. Per the AAA commands, they are doing local user authentication for PPP (which the MS L2TP/IPSec employs). So you would just need to add something like:

username L2TP_User password



Community Member

Re: How to setup a Cisco 877 router as a VPN server?

Hi Jeff,

the Cisco site says I can't access that link... even after logging on.

Cisco Employee

Re: How to setup a Cisco 877 router as a VPN server?

It should be able to open up after you log in. Try manually searching for it on after you log in. The title is:

"L2TP-IPsec Support for NAT and PAT Windows Clients"

It's part of the official IOS config guide for 15.1 (also exists for other versions of IOS....they all should be the same article).

Let me know if this helps.
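
An example IOS configuration for the setup discussed in this thread (L2TP over IPsec with a pre-shared key, a local address pool and local PPP authentication), added here for illustration; it is not taken from the original posts or from the Cisco guide named above. The group, pool, map and transform-set names, the pool range, the crypto parameters and the `<...>` secrets are assumptions or placeholders.

```cisco
! Added example, not from the thread. Names, pool range and crypto
! parameters are assumptions; <...> values are placeholders.
aaa new-model
aaa authentication ppp default local
aaa authorization network default local
!
! Dedicated VPN account (the "username" line mentioned above); keeping it
! separate from the privilege-15 admin user limits what a leaked VPN
! password gives access to.
username L2TP_User privilege 0 password <VPN_USER_PASSWORD>
!
vpdn enable
vpdn-group L2TP-CLIENTS
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Phase 1. Pick the strongest set that both this IOS image and the
! clients propose; the values here are only an assumed common baseline.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard peer: every client shares this key, so make it long and random.
crypto isakmp key <PRE_SHARED_KEY> address 0.0.0.0 0.0.0.0 no-xauth
!
! L2TP/IPsec uses transport mode, not tunnel mode.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP-DYN 10
 set nat demux
 set transform-set L2TP-TS
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
! Constructed pool range; use free addresses from your own plan.
ip local pool L2TP-POOL 192.168.100.200 192.168.100.210
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
!
interface Dialer0
 crypto map L2TP-MAP
```

After a client connects, `show crypto isakmp sa`, `show crypto ipsec sa` and `show vpdn session` show whether each layer came up.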



Community Member

Re: How to setup a Cisco 877 router as a VPN server?

Pretty tough request yours lol ...

I guess you can use webvpn which are deployed the following ways:

Clientless SSL VPN (WebVPN)—Provides a remote client that requires an SSL-enabled Web browser to access HTTP or HTTPS Web servers on a corporate local-area network

Thin-Client SSL VPN (Port Forwarding)—Provides a remote client that downloads a small Java-based applet and allows secure access for Transmission Control Protocol (TCP) applications that use static port numbers. Point of presence (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), secure shell (ssh), and Telnet are examples of secure access. Because files on the local machine change, users must have local administrative privileges to use this method. This method of SSL VPN does not work with applications that use dynamic port assignments, such as some file transfer protocol (FTP) applications.

SSL VPN Client (SVC Full Tunnel Mode)—Downloads a small client to the remote workstation and allows full secure access to resources on an internal corporate network. You can download the SVC to a remote workstation permanently, or you can remove the client once the secure session is closed.

These are the only ways to do VPN server without the Cisco VPN client. Since you have the new model I'm 99,99% sure you can pick any method and it will work fine.

I personally don't like the webvpn but in some cases they are the only way to access the remote.
