Cisco IOS VPN - PPTP & L2TP + NAT with Microsoft Active Directory
I’ve been playing with a Cisco 2600 router to configure VPN over PPTP or L2TP with Microsoft Active Directory. I tried both configurations because PPTP is faster than L2TP, but L2TP is a lot more secure. I strongly recommend not deploying PPTP with the configuration below in a production environment, because typical Active Directory passwords are insecure and very easy to break via a simple brute-force attack.
PPTP IOS Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname c2600
!
enable secret 5 encoded_password
!
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
ip domain name arbuz.com
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
vpdn-group VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
username testuser password 0 testpassword
!
interface FastEthernet0/0
description External Network
ip address 11.22.33.44 255.255.255.0
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool vpn_pool
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
!
ip local pool vpn_pool 192.168.1.200 192.168.100.250
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permit NAT traffic from 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Permit SSH traffic for 192.168.1.0/24 and deny everything else
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Disallow telnet and ssh access from outside
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
!
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password generlc
transport input ssh
transport output ssh
!
end
L2TP IOS Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname c2600
!
enable secret 5 encoded_password
!
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
ip domain name arbuz.com
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
vpdn-group VPN
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username testuser password 0 testpassword
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key aVeryLongPreSharedPassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map cc 10
set nat demux
set transform-set ccsp
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
interface FastEthernet0/0
description External Network
ip address 11.22.33.44 255.255.255.0
ip access-group 100 in
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map cisco
!
interface FastEthernet0/1
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool vpn_pool
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
!
ip local pool vpn_pool 192.168.1.200 192.168.100.250
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permit NAT traffic from 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Permit SSH traffic for 192.168.1.0/24 and deny everything else
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Disallow telnet and ssh access from outside
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
!
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password generlc
transport input ssh
transport output ssh
!
end
Don’t forget to change the passwords above and your Active Directory-enabled RADIUS (IAS) server’s IP address (the line that starts with “radius-server”).
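As an added example (not part of the original post), here is a small Python audit that scans an IOS running-config for the settings the two configurations above rely on: it flags the weak ones (cleartext "password 0" local users, the wildcard "0.0.0.0 0.0.0.0" ISAKMP pre-shared key, disabled L2TP tunnel authentication, 3DES, the placeholder RADIUS key, PAP/CHAP or PPTP in use) and confirms that MPPE 128 and MS-CHAPv2 are enforced on the virtual template. The embedded sample is a constructed excerpt of the L2TP config above; the check names and regexes are my own.

```python
import re
from typing import List

# Constructed excerpt of the L2TP/IPsec config from the post (not the full file).
SAMPLE_CONFIG = """\
aaa authentication ppp default group radius local
vpdn-group VPN
 accept-dialin
  protocol l2tp
 no l2tp tunnel authentication
username testuser password 0 testpassword
crypto isakmp policy 10
 encr 3des
crypto isakmp key aVeryLongPreSharedPassword address 0.0.0.0 0.0.0.0
interface Virtual-Template1
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ChangeMe
"""

# (finding, line regex): any matching line is reported as a weakness.
WEAK = [
    ("Cleartext local user password (password 0)", r"^username \S+ password 0 "),
    ("Wildcard ISAKMP pre-shared key accepted from any peer",
     r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0"),
    ("L2TP tunnel authentication disabled", r"^\s*no l2tp tunnel authentication"),
    ("Legacy 3DES in ISAKMP policy", r"^\s*encr 3des"),
    ("Placeholder RADIUS shared secret", r"^radius-server host .* key ChangeMe$"),
    ("PAP/CHAP allowed for PPP authentication", r"^\s*ppp authentication (pap|chap)\b"),
    ("PPTP in use: security rests on MS-CHAPv2 password strength", r"^\s*protocol pptp$"),
]
# (finding, line regex): a missing match is reported as a weakness.
REQUIRED = [
    ("MPPE 128-bit encryption not mandatory", r"^\s*ppp encrypt mppe 128 required"),
    ("MS-CHAPv2 not enforced for PPP authentication", r"^\s*ppp authentication ms-chap-v2"),
]

def audit(config: str) -> List[str]:
    """Return the list of findings for a running-config given as text."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = [msg for msg, pat in WEAK if any(re.search(pat, line) for line in lines)]
    findings += [msg for msg, pat in REQUIRED
                 if not any(re.search(pat, line) for line in lines)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
```

Paste the output of "show running-config" into the config string to audit a live router; the sample reports five findings and passes both required checks.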
October 1st, 2007 at 6:54 pm
Hi,
Thanks for this configuration. I have followed this config but still cannot get it to work.
I am not using a RADIUS server or AD, all users are local to the router.
I have configured the IPsec key in the Windows VPN client as well. Is there anything I am missing?
Thanks for your help.
October 2nd, 2007 at 3:22 pm
Try using “aaa authentication ppp default local” instead of “aaa authentication ppp default group radius local”. You don’t have a RADIUS server, right? Try going to
http://www.parkansky.com/tutorials/pptp.htm
It has a config with explanation lines marked with a “!”. I was able to set up a VPN server on my 831 in 15 minutes or less on the first try. Remember to use the “?” when entering the commands so you’ll know what they mean. I was able to play with the authentication method PAP instead of MS-CHAP.
January 9th, 2008 at 9:01 pm
I am trying to accomplish a similar feat, but only with L2TP and not the PPTP stuff, so what isn’t required for L2TP? Any advice? I’ve been working on it here: http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23070836.html
I would prefer not to use a radius server if at all possible and would like to allow the remote VPN clients the ability to communicate with the internal networks.
Thanks
April 13th, 2008 at 3:49 pm
Hi, this is Anil. It is good content you provide here.