VPN L2TP client configuration - Cisco Router IOS

This example configuration has been tested on a Cisco 881 licensed with advipservices
IOS: c880data-universalk9-mz.124-24.T4.bin
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
! exclusion of the router's LAN interface address from dhcp server
ip dhcp excluded-address 192.168.1.1
!
! dhcp server for LAN
ip dhcp pool DHCP-LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
!
vtp version 2
!
! configure vpn settings (phase 1) isakmp
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 4000
!
! type preshared key "vpnonline.pl" and ip address of vpn server
crypto isakmp key 0 vpnonline.pl address *ip address of vpn server*
!
!
! define transform-set settings for vpn connection (phase 2) IPsec
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
mode transport
!
!
! define crypto map, ip address of vpn server, transform-set and access-list
crypto map L2TP-IPSEC 10 ipsec-isakmp
set peer *ip address of vpn server*
set transform-set ESP-AES256-SHA1
! access-list indicates what traffic will initiate vpn tunnel
match address L2TP-IPsec
!
archive
log config
hidekeys
!
! define pseudowire for l2tp connection
pseudowire-class pwclass1
encapsulation l2tpv2
ip local interface FastEthernet4
ip pmtu
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description interface WAN
ip address *public ip address*
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
! add crypto-map
crypto map L2TP-IPSEC
!
!
! create new vpn interface (ppp)
interface Virtual-PPP1
description interface VPN
ip address negotiated
ip mtu 1400
ip nat outside
ip virtual-reassembly max-reassemblies 64
no cdp enable
ppp authentication ms-chap-v2 callin
! type your username
ppp chap hostname *username*
! type your password
ppp chap password 0 *password*
! type ip address of vpn server
pseudowire *ip address of vpn server* 1 pw-class pwclass1
!
interface Vlan1
description interface LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
! add "Traffic-via-VPN-L2TP" route-map to LAN interface
ip policy route-map Traffic-via-VPN-L2TP
!
!
! configure NAT via route-map for local wan connection
ip nat inside source route-map NAT-via-Local-ISP interface FastEthernet4 overload
!
! configure NAT via route-map for vpn connection
ip nat inside source route-map NAT-via-VPN-L2TP interface Virtual-PPP1 overload
!
! define access-list for crypto map "L2TP-IPSEC"
ip access-list extended L2TP-IPsec
permit udp host *WAN ip address* host *ip address of vpn server* eq 1701
!
! define the ip addresses which will be translated (NAT) via WAN interface to the Internet
! and exclude (deny) the ip address of the host that is translated (NAT) via VPN
ip access-list extended NAT-Local-ISP
deny ip host 192.168.1.11 any
permit ip 192.168.1.0 0.0.0.255 any
!
! define the ip addresses which will be translated (NAT) via Virtual-PPP (VPN) interface to the Internet
ip access-list extended NAT-VPN-L2TP
permit ip 192.168.1.0 0.0.0.255 any
!
! define the ip addresses of the hosts which will go out through the vpn to the Internet
! in this case it is one host, 192.168.1.11; of course you can add more computers
ip access-list extended Traffic-via-VPN-L2TP
permit ip host 192.168.1.11 any
!
no cdp run
!
!
!
! configure route-map, which translates (NAT) traffic to the Internet via WAN
route-map NAT-via-Local-ISP permit 20
match ip address NAT-Local-ISP
match interface FastEthernet4
!
! configure route-map, which translates (NAT) traffic to the Internet via VPN
route-map NAT-via-VPN-L2TP permit 10
match ip address NAT-VPN-L2TP
match interface Virtual-PPP1
!
! configure route-map, which routes traffic to the vpn server and then to the Internet
! route-map "Traffic-via-VPN-L2TP" is attached to the LAN interface
route-map Traffic-via-VPN-L2TP permit 10
match ip address Traffic-via-VPN-L2TP
! IP address of the gateway for the vpn client. We do not change this address for VPNonline !!!
set ip next-hop 10.100.201.254
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end
IOS version 15.0 - If you have a problem with authorization via mschapv2, delete the line "ppp authentication ms-chap-v2 callin"
from the interface Virtual-PPP1 configuration.
interface Virtual-PPP1
ip address negotiated
ip mtu 1400
ip nat outside
ip virtual-reassembly max-reassemblies 64
! DELETE THE NEXT LINE IF YOU HAVE A PROBLEM WITH AUTHORIZATION
ppp authentication ms-chap-v2 callin
ppp chap hostname vpnusername
ppp chap password 0 vpnpassword
no cdp enable
pseudowire 212.66.98.45 1 pw-class pwclass1
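
A configuration check for the settings used in the listing above, added here as an example (it is not part of the original page or of any Cisco tool). It flags clear-text secrets, the phase 1 cipher and DH group, source routing and MS-CHAP, and only applies a rule inside the section it belongs to. The rule set, the `audit` function and the sample values `example-psk`, `example-password` and `192.0.2.10` are assumptions of this example.

```python
import re

# Constructed excerpt: commands taken from the configuration above, flattened
# the same way, with placeholder values where the page elides them.
SAMPLE = """\
no service password-encryption
ip source-route
crypto isakmp policy 1
encr 3des
group 2
crypto isakmp key 0 example-psk address 192.0.2.10
interface Virtual-PPP1
! type your password
ppp authentication ms-chap-v2 callin
ppp chap password 0 example-password
"""

# Lines that open a configuration section (subset chosen for this example).
SECTION = re.compile(r"^(crypto isakmp policy|crypto map|interface|line|route-map|ip access-list)\b")

# (rule id, required section prefix or None for global, line pattern, reason)
RULES = [
    ("plaintext-secrets", None, r"^no service password-encryption$", "type 0 secrets stay readable"),
    ("source-route", None, r"^ip source-route$", "IP source-route options are honoured"),
    ("psk-type0", None, r"^crypto isakmp key 0 ", "pre-shared key stored unencrypted"),
    ("ike-3des", "crypto isakmp policy", r"^encr(yption)? (des|3des)$", "legacy phase 1 cipher"),
    ("ike-weak-dh", "crypto isakmp policy", r"^group (1|2|5)$", "MODP group of 1536 bits or less"),
    ("ppp-mschap", "interface", r"^ppp authentication .*ms-chap", "only as safe as the tunnel carrying it"),
    ("ppp-pass-type0", "interface", r"^ppp chap password 0 ", "PPP password stored unencrypted"),
]

def audit(config_text):
    """Return (line_no, section, rule_id, reason) for every rule hit."""
    findings, section = [], ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # skip blanks and IOS comments
        if SECTION.match(line):
            section = line                # remember the enclosing section
        for rule_id, scope, pattern, reason in RULES:
            in_scope = scope is None or section.startswith(scope)
            if in_scope and re.search(pattern, line):
                findings.append((no, section if scope else "global", rule_id, reason))
    return findings

if __name__ == "__main__":
    for no, section, rule_id, reason in audit(SAMPLE):
        print(f"line {no} [{section}] {rule_id}: {reason}")
```

Pass the text of a saved configuration to `audit()` to check a real file; sections are recognised by keyword rather than indentation, so it also works on flattened listings like the one on this page.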