Configure L2TP IPSec VPN Server On Cisco Router
[10:29 AM | 26 comments ]

Cisco router can be used as VPN server, using L2TP and IPSec, for client from internet accesing private network.

Below are steps for configuring L2TP IPSec on Cisco router,
1. Enable aaa authentication and create user,

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
user cisco password cisco
2. Enable VPDN and configure VPDN group
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
3. Configure authentication methode.  Using pre-shared key is the best and simple methode.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
4. Configure IPSec
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
5. Create Vitrual_Template
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
6. Create IP Pool for user
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
7. Test your configuration

Complete configuration on Cisco router:
L2TP-Server#sh run
Building configuration...

Current configuration : 5669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L2TP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WMq0$BZpIxsWnzmEI0fCvWADGd0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name ipnetconfigs.com
ip name-server 192.168.0.1
ip ssh version 2
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-417945430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-417945430
 revocation-check none
 rsakeypair TP-self-signed-417945430
!
!
crypto pki certificate chain TP-self-signed-417945430
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313739 34353433 30301E17 0D313030 33313331 30303434
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3431 37393435
  34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CBB11B58 6E347C78 1FB62626 0FD03CCB 5AA26CC3 A0E17634 B905978F DF0FCA60
  2A8CD0EE 1BF4428A 53F23038 7BF8C209 B0FEF57B 08233D2C F49826BB 938113DE
  C6D25DD0 E8AA51B0 F4BAE931 0C4C19A6 7657EB6F 4A0CF980 92C54B48 F927BF00
  1E3F25E1 A28EA8F6 B941BC0A E6F2FA20 6A73F969 A8B523F0 0B25C927 85C649BD
  02030100 01A38180 307E300F 0603551D 130101FF 04053003 0101FF30 2B060355
  1D110424 30228220 50504A2D 47572E6C 61646F6D 61696E2E 6C696E74 61736172
  74612E63 6F2E6964 301F0603 551D2304 18301680 14167006 97518BA4 E4F9BA7A
  82A17511 CE1A4870 8B301D06 03551D0E 04160414 16700697 518BA4E4 F9BA7A82
  A17511CE 1A48708B 300D0609 2A864886 F70D0101 04050003 8181006B D63609D0
  F61D11FF FB4CC38C 231FA679 B6A3AD68 DF7BEDC3 CCE85778 5D7E4FE7 ADFA6A8B
  4BBDED0F 20137B37 C445F0D9 14E55313 2553284B DCB49472 3E56BF3D 140F3E58
  047833BD 4F6D0719 29233D33 8F681B69 613FF4A5 B527E059 06B655E3 06BBFA37
  B3F43E6B 67DF84DF 5D3B0FC9 ECFB16E3 9AB4E1F1 D61D0523 A95A44
  quit
username root privilege 15 secret 5 $1$E1t3$.GKaPz1xFuph9r/fRqxTO.
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
!
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

L2TP-Server#
 For configuring L2TP IPSec on Windows 7, see my other post on this blog.

Related Posts

26 comments

Brad said... @ September 22, 2011 at 11:06 PM

Great example. Almost my setup exactly. I am having an issue where users connect but after a few seconds are disconnected. I can't find that this is a configuration issue.

admin said... @ October 7, 2011 at 2:31 PM

Hi, Brad, on Connection properties, Security, Data Encryption, use Optional Encryption

Anonymous said... @ October 14, 2011 at 1:02 PM

Great guide on setting up a VPN sever for a Cisco router it worked perfectly. Thanks
US VPN

Marshal Drake said... @ January 16, 2012 at 10:29 AM

This is definitely a great guide. Thanks for sharing your time to post this tutorial. I've just bookmarked it for future use.

data center

Anonymous said... @ May 10, 2012 at 9:49 AM

Hi, I would like to know which cisco router model you have configured for the L2TP VPN. Is the cisco router behind the other DSL router?
I have a Cisco UC520 router and I try to follow as above steps but I cannot log into to it from my computer (Windows 7).
Thanks for your helpings.

Anonymous said... @ May 31, 2012 at 1:58 PM

I am running a c1760 12.4(8) advipservicesk9-mz

aaa authorization exec default local <= Is not a valid command.

FA0/0 is my public interface connected to a cable modem.
VLan1 is my private interface.

With that your configuration doesnt work at all.

vpn service said... @ September 5, 2012 at 12:00 PM

Great post. Thanks for sharing.

Anonymous said... @ September 11, 2012 at 10:44 AM

Hi, This is a great post. It even works with native Android VPN.

But I find out that clients can connect with L2TP only (without IPSec) if they want to.

Any suggestions how it is possible to limit the connections to L2TPwithIPSec only?


For Windows to connect you need aaa authorization for network.

ex.:
aaa authorization network default local if-authenticated

Elkin Mauricio Piedrahita said... @ October 11, 2012 at 5:02 AM

Excellent, it's working fine

Anonymous said... @ October 10, 2013 at 11:16 PM

Very nice post and tutorial. But i'm getting error 789 on Windows 7 Client ... already turn off windows firewall ... but same error occurs. Any idea ? Thank you so much in advance

Anonymous said... @ October 11, 2013 at 12:04 AM

Thank you Anon September 11 ... without aaa authorization network default local if-authenticated windows 7 clients can't connect ;)

But i only got it work if i connect from local network

Everything is ok on the firewall, i have one external ip address that is mapped into the local ip of the router. No blocks on firewall, i can ping the external ip from external network, but only gave me the 809 error in windows 7. Any idea ?

لاعبه الجمباز said... @ June 14, 2015 at 12:17 AM

use waselpro vpn service on your mobile device with l2tp , its very fast and secured and very easy to use

http://www.openvpnandroid.com/l2tp-method-for-android-vpn/

Anonymous said... @ August 27, 2015 at 8:56 PM

Thanks for configuration.Good blog about configs.
top10-bestvpn.com

Unknown said... @ September 21, 2015 at 12:57 AM

Thanks a lot for your job.Good manual for VPN.
This configuration works good.
http://10webhostingservice.com/

rimi said... @ November 18, 2015 at 10:59 AM

really informative thanx

Anonymous said... @ December 24, 2015 at 2:16 PM

Thanks!!!good manual! This realy works

nimmi said... @ January 25, 2016 at 4:50 PM

very nice...thnks dear

mma238 said... @ October 31, 2016 at 2:53 PM

Thank you very much

It was very helpful for me.

Anonymous said... @ November 29, 2016 at 9:08 PM

I Did the configuration and i can successfully connect with VPN and get an ip as well but i cant ping any machines on the network.

Unknown said... @ December 1, 2016 at 10:54 AM

Great Guide, Works perfectly. Thanks

Anonymous said... @ January 17, 2017 at 2:28 PM

How do I do this with Xauth using local user database?

Anonymous said... @ January 24, 2017 at 5:20 AM

Hey Guys,

Could you please advise how can i reach my internal network once I'm connected?

MNK said... @ September 20, 2017 at 11:20 PM

hanks!!!good manual! This realy works SLM2008PT-NA

Cybexo Writes said... @ May 15, 2020 at 2:26 PM

There are too many environments and moments where you need a VPN, but to make some understanding of VPN usage, I will explain the most common reasons where many people are using it daily.

Reason Where You Need a VPN



admin said... @ January 21, 2021 at 5:18 PM

Wow what a Great Information about Config L2TP VPN its very nice informative post. thanks for the post.

FREE INTERNET CONFIG FOR ANDROID AND PC

Anonymous said... @ June 15, 2021 at 6:16 PM

hi, i didnt input any username and password. i also tried the default cisco cisco but authentication failed. can i get help?

Post a Comment