VPN L2TP client configuration – Cisco

 

Diagram

The example configuration has been tested on a Cisco 881 with the advipservices license.

IOS: c880data-universalk9-mz.124-24.T4.bin

 

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!  note: with password encryption off, the PPP password entered below stays in cleartext in the running config
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
!  exclude the router's LAN interface address from the DHCP pool
ip dhcp excluded-address 192.168.1.1
!
!  DHCP server for the LAN
ip dhcp pool DHCP-LAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 208.67.222.222
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
!
vtp version 2
!
!  configure the ISAKMP policy (IKE phase 1) for the VPN
crypto isakmp policy 1
!  3DES is a legacy cipher; negotiate AES instead if the VPN server supports it
 encr 3des
 authentication pre-share
 group 2
 lifetime 4000
!
!  pre-shared key "vpnonline.pl" and the IP address of the VPN server ("0" means the key is entered in cleartext)
crypto isakmp key 0 vpnonline.pl address *ip address of vpn server*
!
!
!  define the IPsec transform set for the VPN connection (phase 2); L2TP/IPsec uses transport mode
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
!
!  define the crypto map: IP address of the VPN server, transform set and access list
crypto map L2TP-IPSEC 10 ipsec-isakmp
 set peer *ip address of vpn server*
 set transform-set ESP-AES256-SHA1
!  the access list selects the traffic that brings up the VPN tunnel
 match address L2TP-IPsec
!
archive
 log config
  hidekeys
!
!  define the pseudowire class for the L2TP connection
pseudowire-class pwclass1
 encapsulation l2tpv2
 ip local interface FastEthernet4
 ip pmtu
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description interface WAN
 ip address *public ip address*
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!  apply the crypto map to the WAN interface
 crypto map L2TP-IPSEC
!
!
!  create the VPN (PPP) interface
interface Virtual-PPP1
 description interface VPN
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 no cdp enable
 ppp authentication ms-chap-v2 callin
!  your VPN username
 ppp chap hostname *username*
!  your VPN password ("0" means the password is entered in cleartext)
 ppp chap password 0 *password*
!  IP address of the VPN server
 pseudowire *ip address of vpn server* 1 pw-class pwclass1
!
interface Vlan1
 description interface LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!  apply the "Traffic-via-VPN-L2TP" policy route map to the LAN interface
 ip policy route-map Traffic-via-VPN-L2TP
!
!
!  NAT via route map for the local WAN connection
ip nat inside source route-map NAT-via-Local-ISP interface FastEthernet4 overload
!
!  NAT via route map for the VPN connection
ip nat inside source route-map NAT-via-VPN-L2TP interface Virtual-PPP1 overload
!
!  access list used by the "L2TP-IPSEC" crypto map: L2TP (UDP 1701) from the WAN address to the VPN server
ip access-list extended L2TP-IPsec
 permit udp host *WAN ip address* host *ip address of vpn server* eq 1701
!
!  hosts that will be translated (NAT) via the WAN interface to the Internet;
!  the host that goes out through the VPN is excluded (deny) so it is not NATed via the local ISP
ip access-list extended NAT-Local-ISP
 deny   ip host 192.168.1.11 any
 permit ip 192.168.1.0 0.0.0.255 any
!
!  hosts that will be translated (NAT) via the Virtual-PPP (VPN) interface to the Internet
ip access-list extended NAT-VPN-L2TP
 permit ip 192.168.1.0 0.0.0.255 any
!
!  hosts that will go out through the VPN to the Internet;
!  here it is the single host 192.168.1.11, of course you can add more computers
ip access-list extended Traffic-via-VPN-L2TP
 permit ip host 192.168.1.11 any
!
no cdp run
!
!
!
!  route map that translates (NAT) traffic to the Internet via the WAN
route-map NAT-via-Local-ISP permit 20
 match ip address NAT-Local-ISP
 match interface FastEthernet4
!
!  route map that translates (NAT) traffic to the Internet via the VPN
route-map NAT-via-VPN-L2TP permit 10
 match ip address NAT-VPN-L2TP
 match interface Virtual-PPP1
!
!  policy route map that sends the selected hosts to the VPN server and on to the Internet;
!  the "Traffic-via-VPN-L2TP" route map is attached to the LAN interface
route-map Traffic-via-VPN-L2TP permit 10
 match ip address Traffic-via-VPN-L2TP
!  IP address of the gateway for the VPN client. Do not change this address for VPNonline!
 set ip next-hop 10.100.201.254
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
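The configuration above hangs together through names: the crypto map refers to an access list and a transform set, the interfaces refer to a crypto map, a route map and a pseudowire class, and the route maps refer to access lists and interfaces, and IOS compares those names case-sensitively (note that the crypto map is called L2TP-IPSEC while its access list is called L2TP-IPsec). The script below is an added example, not part of this tutorial or of VPNonline's material: it parses a config in the format shown, reports references to names that are never defined, and flags the settings a reviewer would want to look at (cleartext secrets, the legacy cipher). The embedded sample is constructed from the configuration above with the placeholders replaced by RFC 5737 documentation addresses (203.0.113.10 for the VPN server, 198.51.100.2 for the WAN address), which are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample based on the tutorial's configuration. The site's placeholders are
# replaced with RFC 5737 documentation addresses (assumed values, not real endpoints).
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
crypto isakmp key 0 vpnonline.pl address 203.0.113.10
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto map L2TP-IPSEC 10 ipsec-isakmp
 set transform-set ESP-AES256-SHA1
 match address L2TP-IPsec
pseudowire-class pwclass1
interface FastEthernet4
 crypto map L2TP-IPSEC
interface Virtual-PPP1
 ppp chap password 0 vpnpassword
 pseudowire 203.0.113.10 1 pw-class pwclass1
interface Vlan1
 ip policy route-map Traffic-via-VPN-L2TP
ip nat inside source route-map NAT-via-VPN-L2TP interface Virtual-PPP1 overload
ip access-list extended L2TP-IPsec
 permit udp host 198.51.100.2 host 203.0.113.10 eq 1701
ip access-list extended NAT-VPN-L2TP
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended Traffic-via-VPN-L2TP
 permit ip host 192.168.1.11 any
route-map NAT-via-VPN-L2TP permit 10
 match ip address NAT-VPN-L2TP
 match interface Virtual-PPP1
route-map Traffic-via-VPN-L2TP permit 10
 match ip address Traffic-via-VPN-L2TP
 set ip next-hop 10.100.201.254
"""

def parse_sections(text):
    # IOS prints a top-level command unindented and its sub-commands indented by one space
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections

# commands that create a named object: (regex over the header line, kind of object)
DEFINERS = [
    (r"^ip access-list \w+ (\S+)", "acl"),
    (r"^route-map (\S+)", "route-map"),
    (r"^crypto ipsec transform-set (\S+)", "transform-set"),
    (r"^crypto map (\S+) \d+", "crypto-map"),
    (r"^pseudowire-class (\S+)", "pw-class"),
    (r"^interface (\S+)", "interface"),
]
# commands that refer to a named object; IOS compares these names case-sensitively
REFERENCES = [
    (r"^match address (\S+)", "acl"),
    (r"^match ip address (\S+)", "acl"),
    (r"^set transform-set (\S+)", "transform-set"),
    (r"^crypto map (\S+)$", "crypto-map"),
    (r"^ip policy route-map (\S+)", "route-map"),
    (r"^ip nat inside source route-map (\S+)", "route-map"),
    (r"^ip nat inside source route-map \S+ interface (\S+)", "interface"),
    (r"^match interface (\S+)", "interface"),
    (r"^pseudowire \S+ \d+ pw-class (\S+)", "pw-class"),
]
# settings a config review should flag: (regex, finding)
HYGIENE = [
    (r"^no service password-encryption$", "passwords are stored in cleartext in the running config"),
    (r"^encr (3des|des)$", "ISAKMP policy uses a legacy cipher"),
    (r"^crypto isakmp key 0 ", "pre-shared key entered in cleartext (type 0)"),
    (r"^ppp chap password 0 ", "PPP password entered in cleartext (type 0)"),
]

def lint(text):
    """Return dangling name references and hygiene findings for an IOS config."""
    sections = parse_sections(text)
    defined = defaultdict(set)
    for header, _ in sections:
        for pat, kind in DEFINERS:
            m = re.match(pat, header)
            if m:
                defined[kind].add(m.group(1))
    dangling, hygiene = [], []
    for header, children in sections:
        for line in [header] + children:
            for pat, kind in REFERENCES:
                m = re.match(pat, line)
                if m and m.group(1) not in defined[kind]:
                    dangling.append((kind, m.group(1), line))
            for pat, msg in HYGIENE:
                if re.match(pat, line):
                    hygiene.append((line, msg))
    return {"dangling": dangling, "hygiene": hygiene}
```

`lint(SAMPLE_CONFIG)` returns no dangling references and four hygiene findings (password encryption off, 3DES, the type-0 pre-shared key and the type-0 PPP password). Changing the crypto map's `match address L2TP-IPsec` to `match address L2TP-IPSEC`, the kind of slip that is easy to make with two nearly identical names, produces a dangling `acl` reference, which is what would leave the tunnel unable to come up.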

 

IOS version 15.0: if you have a problem with authorization via MS-CHAPv2, delete the line "ppp authentication ms-chap-v2 callin" from the Virtual-PPP1 interface configuration.

interface Virtual-PPP1
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
!  delete the following line if you have a problem with authorization
 ppp authentication ms-chap-v2 callin
 ppp chap hostname vpnusername
 ppp chap password 0 vpnpassword
 no cdp enable
 pseudowire 212.66.98.45 1 pw-class pwclass1

 

In the attached file you will find the configuration without comments: Cisco L2TP configuration

If you have any problem with the configuration of the connection, write to us: support@vpnonline.pl

 
