Thursday, 18 June 2009

Router to Cisco VPN Client

This is fairly similar to the router-to-router VPN, but it does have some key differences.

1) As we are using ACS, we need to set up AAA and the RADIUS server:

aaa new-model
aaa authentication login USERAUTH group radius
aaa authorization network GROUPAUTH local
radius-server host auth-port 1645 acct-port 1646 key cisco123

2) Define the ISAKMP policy:

crypto isakmp policy 110
encr 3des
authentication pre-share
group 2

3) Set up group configuration:

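crypto isakmp client configuration group VPNGROUP
key letmeinvpngroup
domain cisco.local
! hand out addresses from IPPOOL and apply the SPLIT_TUNNEL ACL, both defined below
pool IPPOOL
acl SPLIT_TUNNEL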

4) Define IPPOOL:

ip local pool IPPOOL

5) Define the split tunnel ACL:

ip access-list extended SPLIT_TUNNEL
permit ip
permit ip
permit ip
permit ip
permit ip
permit ip
permit ip host
permit ip host
permit ip host
permit ip host

6) Set up Transform Set:

crypto ipsec transform-set USER_TRANSFORM esp-3des esp-sha-hmac

7) Set up Dynamic Map:

crypto dynamic-map DYNAMAP 10
set transform-set USER_TRANSFORM

8) Bring it all together with a Crypto Map:

crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMAP

9) Finally, apply it to the interface:

interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CLIENTMAP

10) Set up the VPN client:
The group name comes from this line above:
crypto isakmp client configuration group VPNGROUP
and the password comes from this line:
key letmeinvpngroup

11) Set up ACS:

12) Adding a user to ACS is too easy to need a picture; you will have to work that one out yourself :)
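
The crypto map, dynamic map and group above only work if every name they reference (USERAUTH, GROUPAUTH, DYNAMAP, USER_TRANSFORM, IPPOOL, SPLIT_TUNNEL, CLIENTMAP) is defined elsewhere with exactly the same spelling. The following is an added example, not part of the original post, that cross-checks those names in an IOS config; the sample config is constructed, uses documentation addresses, and contains a deliberately misspelt ACL reference.

```python
import re

# kind: (regex where the name is defined, regex where it is referenced)
RULES = {
    "authn-list": (r"aaa authentication login (\S+)",
                   r"crypto map \S+ client authentication list (\S+)"),
    "authz-list": (r"aaa authorization network (\S+)",
                   r"crypto map \S+ isakmp authorization list (\S+)"),
    "pool": (r"ip local pool (\S+)", r"pool (\S+)"),
    "acl": (r"ip access-list extended (\S+)", r"acl (\S+)"),
    "transform-set": (r"crypto ipsec transform-set (\S+)", r"set transform-set (\S+)"),
    "dynamic-map": (r"crypto dynamic-map (\S+)",
                    r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "crypto-map": (r"crypto map (\S+) ", r"crypto map (\S+)$"),  # global lines vs. interface line
}

def check(config):
    """Return (dangling references, unused definitions) as sorted (kind, name) lists."""
    defined, used = set(), set()
    for line in map(str.strip, config.splitlines()):
        for kind, (def_rx, use_rx) in RULES.items():
            if m := re.match(def_rx, line):
                defined.add((kind, m.group(1)))
            if m := re.match(use_rx, line):
                used.add((kind, m.group(1)))
    return sorted(used - defined), sorted(defined - used)

# Constructed sample: names follow the post, addresses are placeholders, "acl" is misspelt.
SAMPLE = """\
aaa authentication login USERAUTH group radius
aaa authorization network GROUPAUTH local
crypto isakmp client configuration group VPNGROUP
 pool IPPOOL
 acl SPLIT_TUNEL
ip local pool IPPOOL 192.0.2.10 192.0.2.50
ip access-list extended SPLIT_TUNNEL
crypto ipsec transform-set USER_TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNAMAP 10
 set transform-set USER_TRANSFORM
crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMAP
interface FastEthernet0/1
 crypto map CLIENTMAP
"""

if __name__ == "__main__":
    print(check(SAMPLE))
```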


Bradley White said...

Great article. Thank you.

Richard B. McCall said...

Thanks a lot. Nice post about solution for VPN client.
Cool configuration for Cisco router.

alfred03white said...

Such a nice and informative post. Glad that you shared it here. Anyways, I was just trying to find best china vpn service for android devices and came across this post. I haven’t found any good service yet. It will be great if you can help by suggesting.