TechRepublic : A ZDNet Tech Community

SolutionBase: Using a Cisco IOS router as a VPN server

By David Davis, CCIE, MCSE+I, SCSA


Takeaway: If you want to provide remote access to your network for traveling users, you don't have to spend a lot of money on a dedicated VPN server. If you've already got a Cisco IOS router, all you have to do is make the changes described in this article.

As Cisco routers have about 85% of the router market, most businesses today have a Cisco router connecting them to the Internet. So, why not use that router for more than just routing? What if it could be a VPN server that connects roaming users with laptops or home PCs back into your business network? This article explains how to do just that.

A router as a VPN Server?!

Your first objection to using a Cisco router as a VPN server might be that you don't want to have to install the Cisco VPN client software on all the remote PCs. Every Windows PC already comes with a VPN client, so you, like me, probably want to just use that. By using the already installed client, you save the time it would take to train users to download and configure a different VPN client. Thus, you will use the built-in Microsoft VPN client to connect to the VPN server.

Author's note

The configuration on your existing Internet router may be complex. This document can't address all the possible configurations you may already have in place.

By the way, for your IOS router to act as a VPN server at all, you will need the DES or 3DES version of the IOS. These are the versions that offer encryption, including the MPPE encryption that the PPTP configuration below uses. The DES or 3DES versions have a k8 or k9 in the IOS filename. These feature sets must be licensed from Cisco and are not free, unless you already own that version of the IOS.

For the purposes of this demonstration, we will be using a Cisco 2610 router as a basic PPTP VPN server, authenticating against a local username/password database. The functionality is included to have the Cisco router go to a RADIUS server (such as a Microsoft IAS server) and authenticate with Windows Active Directory (AD) usernames and passwords. That type of configuration would be ideal with any more than a handful of VPN users. However, that configuration is more complex than this entry-level document will cover. For more information, Cisco has published a document that covers using a Cisco IOS router with a Microsoft IAS server for VPN.

Configuring the router

The biggest question you may have after reviewing this configuration is: how does this fit in with your firewall? Well, you can use a Cisco router as a firewall too, with something called CBAC (Context-Based Access Control). This is also known as the Firewall Feature Set, and you need a special version of the IOS to do this.

The following configuration shows, step by step, how to configure the Cisco IOS router as a Microsoft PPTP VPN server. The goal of this configuration is that you can take all the defaults of the VPN client in Windows XP. All you will have to do is add a new connection and provide the name (or IP address) of the VPN server and your username/password. Figure A shows what your network will look like in the end.

On the Cisco IOS router

First, you must make some changes on your router. Start by enabling VPDN (virtual private dial-up networking). VPDN is used for VPN client connectivity, as opposed to always-up, site-to-site VPN connectivity. To do so, use this command:

Router(config)# vpdn enable

Create a VPDN group configured to PPTP, just like the Microsoft VPN client will use, by default:

Router(config)# vpdn-group TEST-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn)# protocol pptp
Router(config-vpdn)# virtual-template 1
Router(config-vpdn)# exit

Here, we will configure our interfaces to match the diagram. Naturally, your IP address configuration will vary:

Router(config)# interface ethernet0/0
Router(config-if)# ip address 10.253.15.19 255.255.0.0
Router(config-if)# no shutdown
Router(config)# interface ethernet0/1
Router(config-if)# ip address 10.123.123.123 255.255.255.0
Router(config-if)# no shutdown

Next, create the virtual template that will apply to inbound VPN connections. This template borrows the IP address of the e0/1 interface (ip unnumbered). It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match the Microsoft VPN client's defaults:

Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered Ethernet0/1
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2

Now, create the pool of IP addresses. This pool should not already be in use on the internal network you are connecting to:

Router(config)# ip local pool defaultpool 10.123.123.1 10.123.123.10

After that, create a test user:

Router(config)# username test password 0 test

Finally, configure PPP authentication to use the local database. If you had a RADIUS server, this is where you would point to the RADIUS server instead of the local database:

Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local

The complete configuration looks like this:

username test password 0 test
aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group TEST-VPN
 ! Default PPTP VPDN group
 accept-dialin
 protocol pptp
 virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
 no shutdown
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
 no shutdown
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10
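As an added check that is not part of the article, the following Python script parses a configuration like the one above and flags the things this setup depends on: VPDN enabled, a PPTP vpdn-group pointing at a Virtual-Template that actually exists, MPPE set to required rather than merely offered, MS-CHAPv2 present (with a warning when the older MS-CHAP is also accepted, as it is in this configuration), the AAA method list, and an address pool that sits in the unnumbered interface's subnet without containing the router's own address. The parser, the finding texts and both sample configurations are constructed for this example; the second sample is a deliberately defective variant of the article's configuration.

```python
# Added example (not from the article): audit a Cisco IOS PPTP/VPDN server
# config for the elements the article relies on, with a small purpose-built parser.
import ipaddress
import re

# Constructed sample: the article's complete configuration, commands unchanged.
ARTICLE_CONFIG = """\
username test password 0 test
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group TEST-VPN
 ! Default PPTP VPDN group
 accept-dialin
 protocol pptp
 virtual-template 1
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
ip local pool defaultpool 10.123.123.1 10.123.123.10
"""
# Constructed defective variant: encryption merely offered, and a pool that
# swallows the router's own Ethernet0/1 address.
BAD_CONFIG = (ARTICLE_CONFIG.replace("mppe auto required", "mppe auto")
              .replace("10.123.123.1 10.123.123.10", "10.123.123.120 10.123.123.130"))
# Commands that are global even when they directly follow a block.
GLOBAL_PREFIXES = ("aaa ", "username ", "vpdn enable", "ip local pool ")

def parse_ios(text):
    """Split into (global_lines, blocks); block keys are lower-cased headers like
    'interface virtual-template1'.  '!' lines are skipped; indentation is optional."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("interface ", "vpdn-group ")):
            current = line.lower()
            blocks[current] = []
        elif current is not None and not line.startswith(GLOBAL_PREFIXES):
            blocks[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks

def interface_address(blocks, name):
    """Address/mask configured on a physical interface as an ip_interface, or None."""
    for sub in blocks.get("interface " + name.lower(), []):
        m = re.match(r"ip address (\S+) (\S+)$", sub)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")

def audit_template(subs, global_lines, blocks):
    """Check one Virtual-Template: encryption, PPP auth methods, client address pool."""
    findings = []
    enc = next((s for s in subs if s.startswith("ppp encrypt mppe")), "")
    if "required" not in enc.split():
        findings.append("ERROR: MPPE encryption not 'required'; unencrypted PPTP sessions would be accepted")
    methods = next((s.split()[2:] for s in subs if s.startswith("ppp authentication ")), [])
    if "ms-chap-v2" not in methods:
        findings.append("ERROR: MS-CHAPv2 not offered; the default Windows client expects it")
    weaker = [m for m in methods if m in ("pap", "chap", "ms-chap")]
    if weaker:
        findings.append("WARN: weaker PPP authentication methods also accepted: " + " ".join(weaker))
    unnum = next((s.split()[2] for s in subs if s.startswith("ip unnumbered ")), "")
    pool = next((s.split()[-1] for s in subs if s.startswith("peer default ip address pool ")), "")
    pool_line = next((l for l in global_lines if l.startswith(f"ip local pool {pool} ")), None)
    iface = interface_address(blocks, unnum)
    if iface is None or pool_line is None:
        findings.append("ERROR: template needs 'ip unnumbered' on an addressed interface and a pool backed by 'ip local pool'")
        return findings
    start, end = (ipaddress.ip_address(a) for a in pool_line.split()[4:6])
    if start not in iface.network or end not in iface.network:
        findings.append(f"WARN: pool lies outside {iface.network}; LAN hosts need a route to it via the router")
    if start <= iface.ip <= end:
        findings.append(f"ERROR: pool includes the router's own address {iface.ip}")
    return findings

def audit(text):
    """Return ERROR/WARN findings for a whole config; an empty list means all checks passed."""
    global_lines, blocks = parse_ios(text)
    findings = [f"ERROR: '{c}' missing" for c in ("vpdn enable", "aaa new-model") if c not in global_lines]
    if not any(l.startswith("aaa authentication ppp default ") for l in global_lines):
        findings.append("ERROR: no 'aaa authentication ppp default ...' method list")
    groups = {k: v for k, v in blocks.items() if k.startswith("vpdn-group ")}
    if not groups:
        findings.append("ERROR: no vpdn-group defined")
    for name, subs in groups.items():
        if "accept-dialin" not in subs or "protocol pptp" not in subs:
            findings.append(f"ERROR: {name} lacks 'accept-dialin' and 'protocol pptp'")
        vt = next((s.split()[1] for s in subs if s.startswith("virtual-template ")), None)
        template = blocks.get(f"interface virtual-template{vt}")
        if template is None:
            findings.append(f"ERROR: {name} does not point at an existing Virtual-Template")
        else:
            findings.extend(audit_template(template, global_lines, blocks))
    return findings

if __name__ == "__main__":  # article config first, then the defective variant
    print("\n--\n".join("\n".join(audit(c) or ["OK"]) for c in (ARTICLE_CONFIG, BAD_CONFIG)))
```

Run directly, the script reports only the MS-CHAP warning for the article's configuration and three findings for the defective variant. To check a live router, paste its `show running-config` output into a file and call `audit()` on the file's contents; the pool-versus-subnet test is a warning rather than an error because a pool outside the e0/1 subnet also works when the LAN's default gateway is this router.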

Windows client

To connect to the new PPTP VPN server from a Windows workstation, click Start | Control Panel | Network Connections. Click New Connection Wizard. Click Next on the welcome screen. Select "Connect to the network at my workplace," as shown in Figure B.

Figure B

Next, select "Virtual Private Network connection," as shown in Figure C.

Figure C

You'll then see the Connection Name screen. Type a name for the VPN connection in the Company Name field, as shown in Figure D. Click Next to continue.

Figure D

Next, the VPN Server Selection screen appears. Type the IP address or hostname of the VPN server (your IOS router's outside interface) into the Host name field. In our case, this is 10.253.15.19, as you can see in Figure E.

Figure E

Take the default on the next screen (that the connection is for anyone's use) and click Next. Click Finish on the next screen. When done, you will see the screen shown in Figure F. Type in the test username (test) and test password (test).

Figure F

Click Connect.

Once connected, you should see the VPN icon in the Windows tray at the bottom right of your screen. If you open the VPN connection and click Details, you should see that you received an IP address from the pool, as shown in Figure G.

Figure G

You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.

That's it!

The configuration is complete. Hopefully, you can take this configuration and fit it to your network, blending it with your own firewall, NAT, and Active Directory configuration.
