How to configure Cisco IOS Remote Access IPSEC VPN

TOPICS:cisco router ios remote access ipsec vpn phase1 phase2

Posted By: Alfred Tong June 17, 2011

Problem:

The Cisco IOS is a very versatile platform. You can use it to setup a remote access VPN solution without the need to deploy a Cisco ASA or any other dedicated solution.

Solution:

Here’s how to setup a Remote Access IPsec VPN on the Cisco Router IOS platform

Step1. Define the authentication and authorization methods used.

In this case, we’re defining a new group called VPN which will use the local database for authenticating and authorizing the user.

aaa authorization login VPN local
aaa authorization network VPN local

Step2. Define the isakmp phase 1 policy to use.

We will be using pre-shared key for the phase 1 authentication.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Step 3. Define the VPN client group profile.

We are going to name the group VPNGROUP. This is the group name that will be entered in the VPN client. Enter the preshared secret here, and a POOL name, which defines what IPs that will be handed out to the VPN clients. Then assign the name of the ACL that will be used to define the encrypted traffic that will be allowed through the VPN.

crypto isakmp client configuration group VPNGROUP
 key secret
 dns 8.8.8.8
 pool VPNRAPOOL
 acl VPN_SPLIT

Step 4. Create a the address Pool and the access-list used for traffic encryption

Setup the IP ranged to be assigned to the address pool. In this case the starting IP is 10.100.3.1 and the last IP that can be assigned is 10.100.3.254

ip local pool VPNRAPOOL 10.100.3.1 10.100.3.254

Define the IP subnet that can be reached behind the VPN. Take special note on the direction of the traffic. You need to specify the traffic behind the router as the source address and the ip used in the VPN Pool as the destination.

ip access-list extended VPN_SPLIT
  permit ip 10.100.0.0 0.0.255.255 10.100.3.0 0.0.0.255

Step 5. Define the phase 2 encryption parameters ad assign it to the crypto dynamic-map<

Make sure to put in the reverse-route entry so that a static route is inserted into the router.

crypto ipsec transform-set T1 esp-3des esp-sha-hmac

crypto dynamic-map DYNMAP 10
 set transform-set T1
 reverse-route

Step 6. Create a crypto map.

crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP

Step 7. Lastly, assign the crypto map to the internet interface

interface FastEthernet0/0
 description Internet
 ip address dhcp
 speed auto
 crypto map VPN

Alfred Tong

Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT.Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV

kelly
this is nice guide about cisco ipsec vpn, this remote access now cna work at me thanks for sharing this..
Zolee
Hello! This guise is very useful, thanks. I have a question, i would like to create an ipsec vpn in a cisco 2610 router (c2600-ik9o3s3-mz.123-26.bin), i have problem with NAT. After I configure the vpn the client got the ip, then it can ping an inside client, for example 192.168.100.100 , then 192.168.100.101, and after that if i try to ping 100.100 it failed. I created the vpn pool and that ips i NAT’d with overload. And from the router i can’t ping the connected vpn client.
I’m beginner in vpn so do you have some idea? Sorry for my bad english. Thank You.
- Zolee
  Hi! I solved! The problem was that i gave the ipsec pool ips to the nat config ( ip nat inside source list XXX interface eth 0/0 overload), but in the XXX list i had to deny the ips.
Pingback: Cisco Easy VPN Server en "CCIE en castellano"()
mcmaro
Hi. I did almost the same as you in this post and everything works fine with inside hosts. I mean when I terminate using VPN clinet to router I can ping inside hosts but I also want to ping outside host from public IP address space. But outside host are unreachable. I allow traffic in VPN_SPLIT and put additional line in NAT access-list (line where source is IP from VPNRAPOOL and as destination outside IP address – public IP). Any solution? Please help
- Alfred Tong
  It looks like there’s something wrong with your split tunnel. Traffic destined for hosts that are on the internet should not be going through your VPN, therefore you do not need any additional NAT statements. You might want to check your VPN_SPLIT access list and make sure you are not routing everything through. Do a traceroute on your PC to an outside IP address and confirm that you are not routing those IPs via the VPN.
  - mcmaro
    Ok. But if I want to push a traffic destined for hosts on the internet through VPN, what should I do? Maby not all but for specyfic hosts on the internet. Is it possible to do this?
    - Alfred Tong
      Yes it is possible to do this. What you are looking for is something called Hairpinning. It’s not discussed in this post. What it involves is a bit more complicated. I’ve only done this for routing all traffic but I assume it should work for selective hosts too. I don’t have the configuration handy but it requires you to setup a tunnel interface and setting up your next hop there. Take a look at this blog post http://glazenbakje.wordpress.com/2012/10/08/how-to-create-a-u-turn-on-a-cisco-ios-router-for-a-cisco-vpn-client/ . This should give you some pointers on what to do.
      - mcmaro
        Thank you very much. This is probably what I’m looking for. I will let you know is it work for me 🙂