How to configure Cisco IOS Remote Access IPSEC VPN

TOPICS:

Posted By: Alfred Tong June 17, 2011


Problem:

The Cisco IOS is a very versatile platform. You can use it to setup a remote access VPN solution without the need to deploy a Cisco ASA or any other dedicated solution.

Solution:

Here’s how to setup a Remote Access IPsec VPN on the Cisco Router IOS platform

Step1. Define the authentication and authorization methods used.

In this case, we’re defining a new group called VPN which will use the local database for authenticating and authorizing the user.

aaa authorization login VPN local
aaa authorization network VPN local

Step2. Define the isakmp phase 1 policy to use.

We will be using pre-shared key for the phase 1 authentication.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Step 3. Define the VPN client group profile.

We are going to name the group VPNGROUP. This is the group name that will be entered in the VPN client. Enter the preshared secret here, and a POOL name, which defines what IPs that will be handed out to the VPN clients. Then assign the name of the ACL that will be used to define the encrypted traffic that will be allowed through the VPN.

crypto isakmp client configuration group VPNGROUP
 key secret
 dns 8.8.8.8
 pool VPNRAPOOL
 acl VPN_SPLIT

Step 4. Create a the address Pool and the access-list used for traffic encryption

Setup the IP ranged to be assigned to the address pool. In this case the starting IP is 10.100.3.1 and the last IP that can be assigned is 10.100.3.254

ip local pool VPNRAPOOL 10.100.3.1 10.100.3.254

Define the IP subnet that can be reached behind the VPN. Take special note on the direction of the traffic. You need to specify the traffic behind the router as the source address and the ip used in the VPN Pool as the destination.

ip access-list extended VPN_SPLIT
  permit ip 10.100.0.0 0.0.255.255 10.100.3.0 0.0.0.255

Step 5. Define the phase 2 encryption parameters ad assign it to the crypto dynamic-map<

Make sure to put in the reverse-route entry so that a static route is inserted into the router.

crypto ipsec transform-set T1 esp-3des esp-sha-hmac

crypto dynamic-map DYNMAP 10
 set transform-set T1
 reverse-route

Step 6. Create a crypto map.

crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP

Step 7. Lastly, assign the crypto map to the internet interface

interface FastEthernet0/0
 description Internet
 ip address dhcp
 speed auto
 crypto map VPN
Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT.Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV