Solved

Cisco IOS Router with L2TP remote-access, RAIDUS authentication and Windows clients

Posted on 2014-02-16
3
1,602 Views
Last Modified: 2014-02-28
I'm trying to get my Cisco 2811 to function as an L2TP Remote Access VPN server for Windows Clients using the built-in Networking (not Cisco VPN Client) with RADIUS authentication using a connection to my Windows domain controller  (running NAP).

Some guides suggest a configuration using dynamic crypto map and an isakmp client policy.

Other guides suggest using vpdn with a virtual-template interface.

I can get neither to work.

Does anyone have a *WORKING* configuration including Router config and Windows client configuration?
0
Comment
Question by:snowdog_2112
  • 2
3 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 39864259
Try this:

aaa new-model
!
aaa authentication ppp default group radius
aaa authorization network default if-authenticated
!
vpdn enable
!
vpdn-group vpdn-group-l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set crypto-ts-3dessha1 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map crypto-dm-l2tp 10
 set nat demux
 set transform-set crypto-ts-3dessha1
 match address acl-l2tp
!
crypto map crypto-map-outside 10 ipsec-isakmp dynamic crypto-dm-l2tp
!
interface LAN interface
 Ip proxy-arp
!
interface WAN interface
 crypto map crypto-map-outside
!
interface Virtual-Template1
 ip unnumbered LAN interface
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication ms-chap-v2 ms-chap chap
!
ip local pool default x.x.x.x x.x.x.x
!
ip access-list extended acl-l2tp
 permit udp any eq 1701 any
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key key
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39864265
Windows client configuration is default, except that the crypto isakmp key used above needs to be manually configured in the client's dial-up profile.
0
 

Author Closing Comment

by:snowdog_2112
ID: 39895354
In the Window VPN client configuration, Security tab:

Type: L2TP/IPsec
Advanced Settings: <key used in "crypto isakmp key">

Allow these protocols:
CHAP, MS-CHAP-V2 (I have "user Windows logon" checked as well).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now