Solved

Cisco IOS Router with L2TP remote-access, RADIUS authentication and Windows clients

Posted on 2014-02-16
Last Modified: 2014-02-28
I'm trying to get my Cisco 2811 to function as an L2TP Remote Access VPN server for Windows Clients using the built-in Networking (not Cisco VPN Client) with RADIUS authentication using a connection to my Windows domain controller (running NAP).

Some guides suggest a configuration using dynamic crypto map and an isakmp client policy.

Other guides suggest using vpdn with a virtual-template interface.

I can get neither to work.

Does anyone have a *WORKING* configuration including Router config and Windows client configuration?
Question by:snowdog_2112
3 Comments
 

Accepted Solution

by:
Jody Lemoine earned 2000 total points
ID: 39864259
Try this:

aaa new-model
!
aaa authentication ppp default group radius
aaa authorization network default if-authenticated
!
vpdn enable
!
vpdn-group vpdn-group-l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set crypto-ts-3dessha1 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map crypto-dm-l2tp 10
 set nat demux
 set transform-set crypto-ts-3dessha1
 match address acl-l2tp
!
crypto map crypto-map-outside 10 ipsec-isakmp dynamic crypto-dm-l2tp
!
interface LAN interface
 ip proxy-arp
!
interface WAN interface
 crypto map crypto-map-outside
!
interface Virtual-Template1
 ip unnumbered LAN interface
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication ms-chap-v2 ms-chap chap
!
ip local pool default x.x.x.x x.x.x.x
!
ip access-list extended acl-l2tp
 permit udp any eq 1701 any
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key key

Expert Comment

by:Jody Lemoine
ID: 39864265
Windows client configuration is default, except that the crypto isakmp key used above needs to be manually configured in the client's dial-up profile.

Author Closing Comment

by:snowdog_2112
ID: 39895354
In the Windows VPN client configuration, Security tab:

Type: L2TP/IPsec
Advanced Settings: <key used in "crypto isakmp key">

Allow these protocols:
CHAP, MS-CHAP-V2 (I have "use Windows logon" checked as well).
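
An added example, not part of the thread and not the answerer's own code: a small Python check of the cross-references the accepted configuration depends on (the dynamic map pointing at a transport-mode transform set and at an ACL matching UDP 1701, and the VPDN group pointing at an existing Virtual-Template). It also flags the wildcard pre-shared key, 3DES and DH group 2. The `SAMPLE` text, the `EXAMPLE-PSK` value and the `blocks`/`audit` names are constructed for illustration.

```python
import re

# Constructed sample mirroring the accepted answer; EXAMPLE-PSK is a placeholder.
SAMPLE = """\
vpdn-group vpdn-group-l2tp
 accept-dialin
  virtual-template 1
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set crypto-ts-3dessha1 esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map crypto-dm-l2tp 10
 set transform-set crypto-ts-3dessha1
 match address acl-l2tp
interface Virtual-Template1
ip access-list extended acl-l2tp
 permit udp any eq 1701 any
"""
WEAK = [(r"^crypto isakmp key \S+ address 0\.0\.0\.0", "pre-shared key accepted from any peer"),
        (r"\b(encr 3des|esp-3des)\b", "3DES in use"),
        (r"^ +group 2\s*$", "IKE Diffie-Hellman group 2 (1024-bit)")]

def blocks(cfg):
    """Map each top-level IOS line to the indented lines beneath it."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line[:1].isspace() and cur is not None:
            cur.append(line.strip())
        elif line.strip() and not line[:1].isspace():
            cur = out.setdefault(line.strip(), [])
    return out

def audit(cfg):
    """Return findings: ERROR = broken cross-reference, WARN = weak setting."""
    b, found = blocks(cfg), []
    for ts in re.findall(r"^ +set transform-set (\S+)", cfg, re.M):
        hdr = f"crypto ipsec transform-set {ts} "
        if not any("mode transport" in v for k, v in b.items() if k.startswith(hdr)):
            found.append(f"ERROR transform-set {ts} missing or not in transport mode")
    for acl in re.findall(r"^ +match address (\S+)", cfg, re.M):
        rules = b.get(f"ip access-list extended {acl}", [])
        if not any(r.startswith("permit udp") and "eq 1701" in r for r in rules):
            found.append(f"ERROR ACL {acl} does not permit L2TP (UDP 1701)")
    for n in re.findall(r"^ +virtual-template (\d+)", cfg, re.M):
        if f"interface Virtual-Template{n}" not in b:
            found.append(f"ERROR interface Virtual-Template{n} is missing")
    return found + [f"WARN {msg}" for pat, msg in WEAK if re.search(pat, cfg, re.M)]
```

Calling `audit()` on a saved copy of the running configuration returns an empty list only when all three references resolve and none of the flagged settings is present.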