How to configure Cisco IOS Remote Access IPSEC VPN


The Cisco IOS is a very versatile platform. You can use it to set up a remote access VPN solution without needing to deploy a Cisco ASA or any other dedicated appliance.


Here's how to set up a remote access IPsec VPN on the Cisco IOS router platform.

Step 1. Define the authentication and authorization methods used.

In this case, we're defining a new AAA method list called VPN which uses the local database for authenticating and authorizing users. Named method lists require aaa new-model to be enabled first.

aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local

Step 2. Define the ISAKMP phase 1 policy to use.

We will be using a pre-shared key for phase 1 authentication.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Step 3. Define the VPN client group profile.

We are going to name the group VPNGROUP. This is the group name that will be entered in the VPN client. Enter the pre-shared key here, along with the name of the pool that defines which IPs will be handed out to the VPN clients, and the name of the ACL that defines the traffic that will be encrypted through the VPN.

crypto isakmp client configuration group VPNGROUP
 key secret
 pool VPNRAPOOL
 acl VPN_SPLIT

Step 4. Create the address pool and the access-list used for traffic encryption.

Set up the IP range to be assigned to the address pool. In this case the starting IP is and the last IP that can be assigned is

ip local pool VPNRAPOOL

Define the IP subnet that can be reached behind the VPN. Take special note of the direction of the traffic: you need to specify the network behind the router as the source address and the IP range used in the VPN pool as the destination.

ip access-list extended VPN_SPLIT
  permit ip

Step 5. Define the phase 2 encryption parameters and assign them to the crypto dynamic-map.

Make sure to include the reverse-route entry so that a static route for each connected client is inserted into the router's routing table.

crypto ipsec transform-set T1 esp-3des esp-sha-hmac

crypto dynamic-map DYNMAP 10
 set transform-set T1
 reverse-route

Step 6. Create a crypto map.

crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP

Step 7. Lastly, assign the crypto map to the Internet-facing interface.

interface FastEthernet0/0
 description Internet
 ip address dhcp
 speed auto
 crypto map VPN
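As an added example (not part of the original post), here is a small Python audit that parses a saved running-config and checks the cross-references the seven steps rely on: the login list named in the crypto map must exist under aaa (which also catches "aaa authorization login" typed where "authentication" was meant), the pool and ACL named in the client group must be defined, and the dynamic map referenced by the crypto map must exist and carry reverse-route. The sample config below is constructed for this example; its names match the post, its addresses are placeholders, and reverse-route is left out on purpose so the audit has something to report.

```python
import re
# Constructed sample from this post's steps (placeholder addresses; reverse-route left out on purpose).
SAMPLE_CONFIG = """\
aaa authentication login VPN local
crypto isakmp client configuration group VPNGROUP
 key secret
 pool VPNRAPOOL
 acl VPN_SPLIT
ip local pool VPNRAPOOL 10.10.10.1 10.10.10.50
ip access-list extended VPN_SPLIT
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set T1
crypto map VPN client authentication list VPN
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
"""

def parse_blocks(config):
    """Map each top-level IOS line to a list of itself plus its indented sub-lines."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            current = raw.strip()
        blocks.setdefault(current, []).append(raw.strip())
    return blocks

def audit_ra_vpn(config):
    """Return findings for the cross-references the post's steps rely on."""
    blocks, findings = parse_blocks(config), []
    has = lambda pat: any(re.fullmatch(pat, top) for top in blocks)
    # Steps 1 and 6: the login list named in the crypto map must exist under aaa.
    for m in re.finditer(r"crypto map \S+ client authentication list (\S+)", config):
        if not has(rf"aaa authentication login {m[1]} \S+"):
            findings.append(f"aaa authentication login list {m[1]} is not defined")
    # Steps 3 and 4: the client group must point at an existing pool and ACL.
    refs = {"pool": "ip local pool {}( .*)?", "acl": "ip access-list extended {}"}
    for kw, _, name in (ln.partition(" ") for top, sub in blocks.items() for ln in sub
                        if top.startswith("crypto isakmp client configuration group")):
        if kw in refs and not has(refs[kw].format(name)):
            findings.append(f"{kw} {name} is referenced but not defined")
    # Steps 5 and 6: the referenced dynamic map must exist and carry reverse-route.
    for m in re.finditer(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", config):
        dyn = [top for top in blocks if top.startswith(f"crypto dynamic-map {m[1]} ")]
        if not dyn:
            findings.append(f"dynamic map {m[1]} is referenced but not defined")
        elif not any("reverse-route" in blocks[d] for d in dyn):
            findings.append(f"dynamic map {m[1]} has no reverse-route")
    if re.search(r"\b(encr 3des|esp-3des)\b", config):
        findings.append("3DES in use; prefer AES transforms")
    return findings
```

Feed it the text of show running-config saved from the router; on the sample it reports the missing reverse-route and flags 3DES, which is no longer considered adequate for new deployments.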

About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast and full-time networking and systems engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA-FWV