
A Cisco router can be used as a VPN server, using L2TP over IPsec, so that clients on the internet can access a private network.

Below are the steps for configuring L2TP/IPsec on a Cisco router.
1. Enable AAA authentication and create a local user:

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
! local user account that VPN clients authenticate with (MS-CHAP v2 over PPP)
username cisco password cisco
2. Enable VPDN and configure the VPDN group that accepts L2TP dial-in sessions onto the virtual template:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
3. Configure the ISAKMP (IKE phase 1) policy and the authentication method. Using a pre-shared key is the best and simplest method:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
4. Configure IPsec: the transform set (transport mode, as L2TP/IPsec uses), a dynamic crypto map for the clients, and the crypto map applied to the outside interface:
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
5. Create the Virtual-Template interface that terminates the PPP sessions:
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
6. Create the IP pool that clients get their addresses from:
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
7. Test your configuration.
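As an added check (my own example, not part of the original post), this Python script scans the configuration built in the steps above for the settings a reviewer would flag as weak: DES/3DES, Diffie-Hellman group 2, a pre-shared key accepted from any peer address, L2TP tunnel authentication disabled, 40-bit MPPE, and cleartext passwords. The sample config lines and the thresholds are my own assumptions.

```python
import re

# Constructed sample: the security-relevant lines of the tutorial's config.
SAMPLE_CONFIG = """\
no service password-encryption
username cisco password cisco
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
interface Virtual-Template1
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
"""

# (regex matched against one config line, finding text). The thresholds
# (no DES/3DES, no DH group 1/2/5, no 40/56-bit MPPE) are my recommendations.
RULES = [
    (r"^no service password-encryption$", "password encryption disabled"),
    (r"^username \S+ password ", "cleartext password in username line"),
    (r"^ no l2tp tunnel authentication$", "L2TP tunnel authentication off"),
    (r"^ encr(?:yption)? (?:3des|des)$", "weak IKE cipher (DES/3DES)"),
    (r"^ group (?:1|2|5)$", "weak IKE Diffie-Hellman group"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", "wildcard PSK for any peer"),
    (r"^crypto ipsec transform-set \S+ .*esp-(?:3des|des)\b", "weak ESP cipher (DES/3DES)"),
    (r"^ ppp encrypt mppe (?:40|56)\b", "weak MPPE key length"),
]

def audit_config(text):
    """Return (line_number, finding) for every config line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, msg in RULES:
            if re.search(pattern, line.rstrip()):
                findings.append((lineno, msg))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run it against the output of `show running-config` saved to a file to get the same report for a real router.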

The complete running configuration of the Cisco router:
L2TP-Server#sh run
Building configuration...

Current configuration : 5669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L2TP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WMq0$BZpIxsWnzmEI0fCvWADGd0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name ipnetconfigs.com
ip name-server 192.168.0.1
ip ssh version 2
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-417945430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-417945430
 revocation-check none
 rsakeypair TP-self-signed-417945430
!
!
crypto pki certificate chain TP-self-signed-417945430
 certificate self-signed 01
  quit
username root privilege 15 secret 5 $1$E1t3$.GKaPz1xFuph9r/fRqxTO.
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
!
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

L2TP-Server#
For configuring the L2TP/IPsec client on Windows 7, see my other post on this blog.


This post describes how to create a VPN client connection using L2TP/IPsec on Windows 7.


1. Go to Control Panel --> Network and Sharing Center. Choose Set up a new connection or network. Click Next.



2. Choose Connect to a workplace.


3. Choose Create a new connection. Click Next.


4. Choose Use My Internet Connection (VPN).


5. Enter the IP address of your VPN server and a name for the connection. Click Next.


6. Enter the user name and password for your connection. Click Connect.


At this point you still cannot connect to your VPN server: the IPsec pre-shared key has not been configured yet.

7. Open Control Panel --> Network and Sharing Center. Choose Change adapter settings.


8. Right-click your VPN connection and choose Properties.


9. In the VPN connection's Properties, click the Security tab. Under Type of VPN, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Under Data encryption, choose Require encryption. Click Advanced settings.


10. In Advanced Properties, in the L2TP section, choose Use preshared key for authentication. Click OK.


11. Click OK again. You can now test your L2TP/IPsec VPN connection.


This post describes how to create a VPN client connection using PPTP on Windows 7.

1. Go to Control Panel --> Network and Sharing Center. Choose Set up a new connection or network. Click Next.



2. Choose Connect to a workplace.


3. Choose Create a new connection. Click Next.


4. Choose Use My Internet Connection (VPN).


5. Enter the IP address of your VPN server and a name for the connection. Click Next.


6. Enter the user name and password for your connection. Click Connect.


If you cannot connect to the PPTP VPN server, you may need to adjust the encryption setting.

7. Open Control Panel --> Network and Sharing Center. Choose Change adapter settings.


8. Right-click your VPN connection and choose Properties.


9. In the VPN connection's Properties, click the Security tab. Under Data encryption, choose No encryption allowed. Click OK.