Solved

Cisco IOS Router with L2TP remote-access, RAIDUS authentication and Windows clients

Posted on 2014-02-16
3
1,567 Views
Last Modified: 2014-02-28
I'm trying to get my Cisco 2811 to function as an L2TP Remote Access VPN server for Windows Clients using the built-in Networking (not Cisco VPN Client) with RADIUS authentication using a connection to my Windows domain controller  (running NAP).

Some guides suggest a configuration using dynamic crypto map and an isakmp client policy.

Other guides suggest using vpdn with a virtual-template interface.

I can get neither to work.

Does anyone have a *WORKING* configuration including Router config and Windows client configuration?
0
Comment
Question by:snowdog_2112
  • 2
3 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 39864259
Try this:

aaa new-model
!
aaa authentication ppp default group radius
aaa authorization network default if-authenticated
!
vpdn enable
!
vpdn-group vpdn-group-l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set crypto-ts-3dessha1 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map crypto-dm-l2tp 10
 set nat demux
 set transform-set crypto-ts-3dessha1
 match address acl-l2tp
!
crypto map crypto-map-outside 10 ipsec-isakmp dynamic crypto-dm-l2tp
!
interface LAN interface
 Ip proxy-arp
!
interface WAN interface
 crypto map crypto-map-outside
!
interface Virtual-Template1
 ip unnumbered LAN interface
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication ms-chap-v2 ms-chap chap
!
ip local pool default x.x.x.x x.x.x.x
!
ip access-list extended acl-l2tp
 permit udp any eq 1701 any
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key key
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39864265
Windows client configuration is default, except that the crypto isakmp key used above needs to be manually configured in the client's dial-up profile.
0
 

Author Closing Comment

by:snowdog_2112
ID: 39895354
In the Window VPN client configuration, Security tab:

Type: L2TP/IPsec
Advanced Settings: <key used in "crypto isakmp key">

Allow these protocols:
CHAP, MS-CHAP-V2 (I have "user Windows logon" checked as well).
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now