cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2499
Views
0
Helpful
7
Replies

L2TP over IPSEC VPN creation on a cisco 1941 router

Eduardo Guerra
Level 1
Level 1

My customer has a Cisco 1941 router.and told me to configure VPN server on that router. They have SAP All in one and want to access via this router to that SAP server. They have 3 ISPs and are configured with IP SLA for failover. They need to use Local Router Database user to access the VPN. They want to access form anywhere so, SITE to SITE is discarded. Some one can help?

7 Replies 7

AllertGen
Level 3
Level 3

Hello, .

I think you can try EzVPN technology for it. Instead of static crypto map it uses a dynamic one. So it's a server-client technology. For authentication you can use a local database or even certificates.

About how to deal with 3 ISPs. You can try make a policy map for each interface/IP address. For example: if you get traffic to IP of ISP1 than use a gateway of ISP1 for a response traffic (acl like "permit host IP_ISP host GW_ISP1"). So at this case users can connect to any of this 3 ISPs and if one of them not works they can connect to another (at this case they can ignore a status of IP SLA). You have a few ways how to deal with it on the users side. You can add 3 profiles. Each for each ISP or you can add all 3 IP addresses to the DNS name (but at this case could be some problems).

Best Regards.

Can you help me on deploying your ideas please. I am a little newer on this. Here's the configuration

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BELLCOSBOLPRIMRTR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool ccp-pool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-459894941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-459894941
 revocation-check none
 rsakeypair TP-self-signed-459894941
!
!
crypto pki certificate chain TP-self-signed-459894941
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34353938 39343934 31301E17 0D313530 31303830 36313335 
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 39383934 
  39343130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  A47EF386 086E47BB 4A8966B7 AE2A2FA2 5600FA7D C725EA9C 63FFFD87 D5B11D0E 
  7D829B83 76B4DB21 C510D67C B443F4DC DC481FED F55C5CCF FAC8E16A 753651BA 
  EF8B3B60 B7990828 4A82889D F2B0FBBD 585950A5 E75C9C73 9DB31857 DD7C8D81 
  F76C1347 09B08DEE C982110B CF3E022D B723DF10 4E8EC087 EE161897 C1FAA21D 
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 
  23041830 1680148C 75F2B131 7D9DD134 E4B03A85 C0C958A4 80D3F530 1D060355 
  1D0E0416 04148C75 F2B1317D 9DD134E4 B03A85C0 C958A480 D3F5300D 06092A86 
  4886F70D 01010505 00038181 00588B5A 3B632A6F 1C52B2A0 06CA3C7F E6AD4E28 
  23AC9158 C116E866 F8EAEC5B 351B0D69 9EED77D4 F9222928 270BEF4C B4EFD967 
  41B3F31B EB65F724 8064FEFD 8F47B7A8 0BDE7A1E 4345B0FB D19B22C3 57E749BB 
  D7D177DF CD6248B1 E785C9CF A17D184B 7974AB06 95926EF3 4FB21654 A264679B 
  326E8037 37D67E70 AB10B125 A0
  quit
license udi pid CISCO1941/K9 sn FGL190223B4
license boot module c1900 technology-package securityk9
!
!
username eguerra privilege 15 secret 5 $1$n1FH$tQum7DCEBDYELIqHTHa5P/
username admin privilege 15 secret 5 $1$ZsKB$RyXBWtM9veBv8D8/RDUgZ.
!
redundancy
!
!
!
!
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description InsideLAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description AXS-Terciaria
 ip address a.a.a.54 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Cotas1-Primaria
 ip address b.b.b.147 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 description Cotas2-Secundaria
 ip address c.c.c.103 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SALIDA_AXS interface GigabitEthernet0/1 overload
ip nat inside source route-map SALIDA_Cotas1 interface FastEthernet0/0/0 overload
ip nat inside source route-map SALIDA_Cotas2 interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 190.186.203.1 track 10
ip route 0.0.0.0 0.0.0.0 190.186.164.1 track 20
ip route 0.0.0.0 0.0.0.0 190.181.6.49 track 30
!
ip sla 1
 icmp-echo a.a.a.1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo b.b.b.1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo c.c.c.49
ip sla schedule 3 life forever start-time now
ip sla responder
!
route-map SALIDA_AXS permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map SALIDA_Cotas2 permit 10
 match ip address 100
 match interface FastEthernet0/0/1
!
route-map SALIDA_Cotas1 permit 10
 match ip address 100
 match interface FastEthernet0/0/0
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp host x.x.x.179 any eq telnet
access-list 100 permit tcp host x.x.x.179 any eq 443
access-list 100 permit tcp host x.x.x.179 any eq www
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hi, Eduardo Guerra.

Can you tell how you want connect users to the router server? You want to use default client at the Microsoft/Linux OS? This is why you want use L2TP?

If it for this than you can check this example for configuration your router as L2TP server. But at point 5 (and in the end of point 4) it will be better to use a loopback inteface with a different network from your gi0/0 interface (for example 192.168.30.1 255.255.255.0). At this case you will have much more flexibility with managment of users at the VPN connection (for example it will be much easy to add ACL for closing access to some internal resources).

As for making accesseble all 3 interfaces at some time from the internet you can use this:

ip access-list extended Link-AXS-Terciaria
 remark ------- ACL for route map. Response at AXS-Terciaria Interface -----------
 permit ip host a.a.a.54 any
exit
ip access-list extended Link-Cotas1-Primaria
 remark ------- ACL for route map. Response at Cotas1-Primaria Interface -----------
 permit ip host b.b.b.147 any
exit

ip access-list extended Link-Cotas2-Secundaria
 remark ------- ACL for route map. Response at Cotas2-Secundaria Interface -----------
 permit ip host c.c.c.103 any
exit

route-map LOCAL_POLICY permit 10
 match ip address Link-AXS-Terciaria
 set ip next-hop 190.186.203.1
exit
route-map LOCAL_POLICY permit 20
 match ip address Link-Cotas1-Primaria
 set ip next-hop 190.186.164.1
exit

route-map LOCAL_POLICY permit 30
 match ip address Link-Cotas1-Primaria
 set ip next-hop 190.181.6.49
exit

ip local policy route-map LOCAL_POLICY

BTW after this you can change your IP SLA and use it for checking some resources at the internet with high avaiblety (for example some google resources). It will let your tracks turn off routes in cases when gateway of your ISP is accesseble but internet not works. But it'll be better to change parameters of the IP SLA and tracks if you want check resources at the internet.

PS You has a lot of securety problems. For example there is no ACL 1 at you configuration and you're using it at vty lines. If it not been created it is "permit any any" by default. Also you have line 2 without any protection. This line 2 is also accessevle from the internet like vty lines. Also I don't see that you have a ssh configuration, so your router is accesseble only by telnet.

 

Best Regards.

Finally i used EZVPN, but i have a problem, I Cannot ping or do anything with Inside Network. When I connect to VPN, just can ping to Inside interface but cannot do any ohter thing. Can help on this?

 

Building configuration...
 
Current configuration : 8160 bytes
!
! Last configuration change at 01:29:15 UTC Fri Jul 24 2015 by eguerra
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BELLCOSBOLPRIMRTR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_2 local 
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool ccp-pool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-459894941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-459894941
 revocation-check none
 rsakeypair TP-self-signed-459894941
!
!
crypto pki certificate chain TP-self-signed-459894941
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34353938 39343934 31301E17 0D313530 31303830 36313335 
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 39383934 
  39343130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  A47EF386 086E47BB 4A8966B7 AE2A2FA2 5600FA7D C725EA9C 63FFFD87 D5B11D0E 
  7D829B83 76B4DB21 C510D67C B443F4DC DC481FED F55C5CCF FAC8E16A 753651BA 
  EF8B3B60 B7990828 4A82889D F2B0FBBD 585950A5 E75C9C73 9DB31857 DD7C8D81 
  F76C1347 09B08DEE C982110B CF3E022D B723DF10 4E8EC087 EE161897 C1FAA21D 
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 
  23041830 1680148C 75F2B131 7D9DD134 E4B03A85 C0C958A4 80D3F530 1D060355 
  1D0E0416 04148C75 F2B1317D 9DD134E4 B03A85C0 C958A480 D3F5300D 06092A86 
  4886F70D 01010505 00038181 00588B5A 3B632A6F 1C52B2A0 06CA3C7F E6AD4E28 
  23AC9158 C116E866 F8EAEC5B 351B0D69 9EED77D4 F9222928 270BEF4C B4EFD967 
  41B3F31B EB65F724 8064FEFD 8F47B7A8 0BDE7A1E 4345B0FB D19B22C3 57E749BB 
  D7D177DF CD6248B1 E785C9CF A17D184B 7974AB06 95926EF3 4FB21654 A264679B 
  326E8037 37D67E70 AB10B125 A0
  quit
license udi pid CISCO1941/K9 sn FGL190223B4
license boot module c1900 technology-package securityk9
!
!
username eguerra privilege 15 secret 5 $1$n1FH$tQum7DCEBDYELIqHTHa5P/
username admin privilege 15 secret 5 $1$ZsKB$RyXBWtM9veBv8D8/RDUgZ.
!
redundancy
!
!
!
!
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
crypto ctcp 
!
crypto isakmp client configuration group Customers
 key Admin/123
 pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   match identity group Customers
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description InsideLAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description AXS-Terciaria
 ip address a.a.a.54 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Cotas1-Primaria
 ip address b.b.b.147 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 description Cotas2-Secundaria
 ip address c.c.c.103 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_2 192.168.10.10 192.168.10.100
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SALIDA_AXS interface GigabitEthernet0/1 overload
ip nat inside source route-map SALIDA_Cotas1 interface FastEthernet0/0/0 overload
ip nat inside source route-map SALIDA_Cotas2 interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 a.a.a.1 track 10
ip route 0.0.0.0 0.0.0.0 b.b.b.1 track 20
ip route 0.0.0.0 0.0.0.0 c.c.c.49 track 30
!
ip sla 1
 icmp-echo 190.186.203.1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 190.186.164.1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 190.181.6.49
ip sla schedule 3 life forever start-time now
ip sla responder
!
route-map SALIDA_AXS permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map SALIDA_Cotas2 permit 10
 match ip address 100
 match interface FastEthernet0/0/1
!
route-map SALIDA_Cotas1 permit 10
 match ip address 100
 match interface FastEthernet0/0/0
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp host x.x.x.179 any eq telnet
access-list 100 permit tcp host x.x.x.179 any eq 443
access-list 100 permit tcp host x.x.x.179 any eq www
access-list 100 permit ip x.x.x.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit esp any any
access-list 100 permit ahp any any
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN 
CREDENTIALS
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want 
to use. 
 
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE 
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hi, Eduardo Guerra.

Could you make a traceroute from inside of your network to your VPN client (client should be connected) and show the resault?

Best Regards.

HiAllertGen, I already configured EasyVPN, now seems to be good. Now I have another issue. I want to connect Android smartphones but not sure how to configure on the client side or if i have to do another thing on the router. Please can help?. Last config is here:

Didn't find much info on the internet

Current configuration : 8266 bytes
!
! Last configuration change at 02:27:31 UTC Tue Jul 28 2015 by eguerra
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BELLCOSBOLPRIMRTR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_3 local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool ccp-pool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
!
!
!
ip domain name yourdomain.com
ip name-server 200.105.128.40
ip name-server 200.105.128.41
ip name-server 200.58.160.25
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-459894941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-459894941
 revocation-check none
 rsakeypair TP-self-signed-459894941
!
!
crypto pki certificate chain TP-self-signed-459894941
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34353938 39343934 31301E17 0D313530 31303830 36313335
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 39383934
  39343130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A47EF386 086E47BB 4A8966B7 AE2A2FA2 5600FA7D C725EA9C 63FFFD87 D5B11D0E
  7D829B83 76B4DB21 C510D67C B443F4DC DC481FED F55C5CCF FAC8E16A 753651BA
  EF8B3B60 B7990828 4A82889D F2B0FBBD 585950A5 E75C9C73 9DB31857 DD7C8D81
  F76C1347 09B08DEE C982110B CF3E022D B723DF10 4E8EC087 EE161897 C1FAA21D
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 1680148C 75F2B131 7D9DD134 E4B03A85 C0C958A4 80D3F530 1D060355
  1D0E0416 04148C75 F2B1317D 9DD134E4 B03A85C0 C958A480 D3F5300D 06092A86
  4886F70D 01010505 00038181 00588B5A 3B632A6F 1C52B2A0 06CA3C7F E6AD4E28
  23AC9158 C116E866 F8EAEC5B 351B0D69 9EED77D4 F9222928 270BEF4C B4EFD967
  41B3F31B EB65F724 8064FEFD 8F47B7A8 0BDE7A1E 4345B0FB D19B22C3 57E749BB
  D7D177DF CD6248B1 E785C9CF A17D184B 7974AB06 95926EF3 4FB21654 A264679B
  326E8037 37D67E70 AB10B125 A0
        quit
license udi pid CISCO1941/K9 sn FGL190223B4
license boot module c1900 technology-package securityk9
!
!
username eguerra privilege 15 secret 5 $1$n1FH$tQum7DCEBDYELIqHTHa5P/
username admin privilege 15 secret 5 $1$ZsKB$RyXBWtM9veBv8D8/RDUgZ.
username userbellcos privilege 15 secret 5 $1$KWsh$PyUFwkpDEq/ZPA8xq0n.I0
!
redundancy
!
!
!
!
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
!
!
crypto isakmp client configuration group ClientesVPN
 key Admin/123
 pool SDM_POOL_2
 acl 102
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ClientesVPN
   client authentication list ciscocp_vpn_xauth_ml_3
   isakmp authorization list ciscocp_vpn_group_ml_3
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback2
 ip address 192.168.10.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description InsideLAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description AXS-Terciaria
 ip address a.a.a.54 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Cotas1-Primaria
 ip address b.b.b.147 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 description Cotas2-Secundaria
 ip address c.c.c.103 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_2 192.168.10.10 192.168.10.100
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
!
ip nat inside source route-map SALIDA_AXS interface GigabitEthernet0/1 overload
ip nat inside source route-map SALIDA_Cotas1 interface FastEthernet0/0/0 overloa
d
ip nat inside source route-map SALIDA_Cotas2 interface FastEthernet0/0/1 overloa
d
ip route 0.0.0.0 0.0.0.0 a.a.a.1 track 10
ip route 0.0.0.0 0.0.0.0 b.b.b.1 track 20
ip route 0.0.0.0 0.0.0.0 c.c.c.49 track 30
!
ip sla 1
 icmp-echo a.a.a.1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo b.b.b.1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo c.c.c.49
ip sla schedule 3 life forever start-time now
ip sla responder
!
route-map SALIDA_AXS permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map SALIDA_Cotas2 permit 10
 match ip address 100
 match interface FastEthernet0/0/1
!
route-map SALIDA_Cotas1 permit 10
 match ip address 100
 match interface FastEthernet0/0/0
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip host x.x.x.179 any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit esp any any
access-list 100 permit ahp any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hello, Eduardo Guerra.

To configure a VPN at the Android you should go to the Settings -> More.. -> VPN. Add a new connection and at the "type" field chose a "L2TP/IPSec PSK". At the lines bellow you should put a data from a "crypto isakmp client configuration group" section.

After connecting it will ask for a username and password. You need to put a data from a "username" section here.

Best Regards.

Review Cisco Networking for a $25 gift card