I’ve been playing with a Cisco 2600 router to configure a VPN over PPTP or L2TP, authenticating against Microsoft Active Directory. I tried both configurations because PPTP is faster than L2TP, but L2TP is a lot more secure. I strongly recommend against deploying PPTP with the configuration below in a production environment, because typical Active Directory passwords are weak and easy to break with a simple brute-force attack.
PPTP IOS Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname c2600
!
enable secret 5 encoded_password
!
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
ip domain name arbuz.com
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
vpdn-group VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username testuser password 0 testpassword
!
interface FastEthernet0/0
 description External Network
 ip address 11.22.33.44 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn_pool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip local pool vpn_pool 192.168.1.200 192.168.100.250
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permit NAT traffic from 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Permit SSH traffic for 192.168.1.0/24 and deny everything else
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Disallow telnet and ssh access from outside
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
!
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password generlc
 transport input ssh
 transport output ssh
!
end
L2TP IOS Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname c2600
!
enable secret 5 encoded_password
!
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
ip domain name arbuz.com
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
vpdn-group VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username testuser password 0 testpassword
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key aVeryLongPreSharedPassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set ccsp
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
interface FastEthernet0/0
 description External Network
 ip address 11.22.33.44 255.255.255.0
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map cisco
!
interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn_pool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip local pool vpn_pool 192.168.1.200 192.168.100.250
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permit NAT traffic from 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Permit SSH traffic for 192.168.1.0/24 and deny everything else
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Disallow telnet and ssh access from outside
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
!
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password generlc
 transport input ssh
 transport output ssh
!
end
Don’t forget to change the passwords and keys above, and to set the IP address of your Active Directory-enabled RADIUS (IAS) server on the line that starts with “radius-server”.
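A small audit script, added here as an example and not part of the original post, that scans a running-config dump for the settings the post warns about (PPTP dial-in, the disabled L2TP tunnel authentication, cleartext local passwords, the wildcard pre-shared key, 3DES, and the ChangeMe placeholder). The sample config is a constructed excerpt that mixes lines from both configs above; the check list and messages are my own.

```python
"""Flag weak VPDN/VPN settings in a Cisco IOS running-config dump."""
import re

# Constructed excerpt: lines taken from both the PPTP and L2TP configs above,
# in IOS indentation. Not real router output.
SAMPLE_CONFIG = """\
aaa authentication ppp default group radius local
vpdn enable
vpdn-group VPN
 accept-dialin
  protocol pptp
  virtual-template 1
 no l2tp tunnel authentication
username testuser password 0 testpassword
crypto isakmp policy 10
 encr 3des
crypto isakmp key aVeryLongPreSharedPassword address 0.0.0.0 0.0.0.0
interface Virtual-Template1
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
"""

# (regex matched against one config line, finding text)
CHECKS = [
    (r"^\s*protocol pptp$",
     "PPTP dial-in enabled: MS-CHAPv2 leaves AD passwords open to offline brute force"),
    (r"^\s*no l2tp tunnel authentication$",
     "L2TP tunnel authentication disabled"),
    (r"^username \S+ password 0 ",
     "local user password stored in cleartext (type 0)"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$",
     "wildcard pre-shared key accepted from any peer address"),
    (r"^\s*encr 3des$",
     "3DES selected for the ISAKMP policy"),
    (r"^radius-server host .* key ChangeMe$",
     "placeholder RADIUS shared secret 'ChangeMe' left unchanged"),
]


def audit_ios_config(config_text):
    """Return [(line_number, finding)] for every config line that hits a check."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for pattern, message in CHECKS:
            if re.search(pattern, line):
                findings.append((number, message))
    return findings


if __name__ == "__main__":
    for number, message in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {number}: {message}")
```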
Hi,
Thanks for this configuration. I have followed this config but still cannot get it to work.
I am not using a RADIUS server or AD, all users are local to the router.
I have configured the IPSec key in the Windows VPN client as well. Is there anything I am missing?
Thanks for your help.
Try using “aaa authentication ppp default local” instead of “aaa authentication ppp default group radius local”. You don’t have a RADIUS server, right? Try going to
http://www.parkansky.com/tutorials/pptp.htm
It has a config with explanation lines marked with a “!”. I was able to set up a VPN server on my 831 in 15 minutes or less on the first try. Remember to use the “?” when entering the commands so you’ll know what they mean. I was able to play with the authentication method PAP instead of MS-CHAP.
I am trying to accomplish a similar feat, but only with L2TP and not the PPTP stuff, so what isn’t required for L2TP? Any advice? I’ve been working on it here: http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23070836.html
I would prefer not to use a RADIUS server if at all possible, and would like to allow the remote VPN clients the ability to communicate with the internal networks.
Thanks
Hi, this is Anil. It’s good content you provide here.
Hi,
I can’t be more grateful for this article.
I was really in trouble implementing an L2TP solution, and despite most of Cisco’s official documentation about L2TP, your tutorial really helped me a lot!