ROUTER VPN Access

JLVB83
Level 1

Hey folks, I have a Cisco 1921 router with a VPN module installed (my office's old unit). This is a functionality question, as in: is what I am thinking of implementing even possible? The structure I would like to implement is:

I'm not super versed in VPNs, but I was thinking L2TP/IPsec; not sure if another protocol would be more secure or not.

Router used as VPN server (hopefully utilizing the VPN module to deal with the encryption) and handing out the IP addresses to whatever VLAN I decide to use.

Utilize my already existing RADIUS server (I use it for my access points) for authentication. Hopefully I can tell my router to use it too.

Have some sort of access list based on MAC addresses, similar to my access points, so only MACs I know can be allowed in, again similar to what I have implemented on my access point.

Like I said, I may be way off base with some of this, and feel free to tell me where I may be wrong.

Thanks

11 Replies

balaji.bandi
Hall of Fame

Would you like to use the native Windows client, or any connection? The links below help you set one up using the Windows native client.

You can achieve this with your RADIUS; you will need to do some tweaks based on the working solution. I will start with basic connectivity and a working solution and later add MAC address filtering with RADIUS (AV pair?).

https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831

https://www.youtube.com/watch?v=JL8lh0hq-F4

BB


Cool, thanks, definitely helpful.

Now, my current config also has a firewall on it set up to drop everything coming from the outside. I'm assuming I have to make some tweaks to allow a VPN connection. I also had an issue with the:

set transform-set L2TP-Set2 L2TP-Set

I ended up with

set transform-set L2TP-Set2

Will that be a problem?

Current configuration : 4832 bytes
!
! Last configuration change at 15:31:10 UTC Sun Nov 7 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username cisco privilege 15 password 7 110A1016141D
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
!
!
policy-map type inspect OUT_SELF_PM
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback0
description loopback for IPsec-pool
ip address 1.1.1.11 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end

Thanks

Hey, thanks for the link, super helpful.

In my config I have firewall rules to drop everything incoming; just wondering how I would allow an incoming VPN request?

I also got an error when adding the:

set transform-set L2TP-Set2 L2TP-Set

I ended up with:

set transform-set L2TP-Set2

Is this a problem?

OK, thanks.

I turned off my firewall and the connection works. I will look for a solution to allow the VPN connection through it.

Hello,

Easy VPN is probably the best solution. If you post the running configuration of your 1921, we can fill in the bits and pieces...

Hey Georg Pauwen:

I got the VPN server working for the Windows client and my Android phone, but I would like to use the AnyConnect client on my phone if possible. I also had to turn my firewall off on my outside connection to allow a connection (for testing; I would like to make a firewall rule to allow the connection). Here is my running-config as it stands. I've made some changes to have the connection end up on my VLAN adapter instead of a loopback, and I will be attempting to get it to use a RADIUS server for authentication:

Current configuration : 4802 bytes
!
! Last configuration change at 16:41:51 UTC Sun Nov 7 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username cisco privilege 15 password 7 110A1016141D
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
!
!
policy-map type inspect OUT_SELF_PM
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description loopback for IPsec-pool
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 192.168.1.100 192.168.1.110
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end

I posted my config but it keeps on getting removed?

Hello,

the VPDN config looks OK actually. The zone-based firewall needs to be amended to reflect the IPsec traffic to the router (self zone). I would also use a local pool with IP addresses that are not part of something else.

Add the lines marked with -->:

Current configuration : 4875 bytes
!
! Last configuration change at 18:04:09 UTC Sun Nov 7 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username cisco privilege 15 password 7 110A1016141D
!
redundancy
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
!
--> class-map type inspect match-all IPSEC-cmap
--> match access-group name ISAKMP_IPSEC
!
policy-map type inspect OUT_SELF_PM
--> class type inspect IPSEC-cmap
--> pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description loopback for IPsec-pool
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
--> ip local pool l2tp-pool 192.168.2.100 192.168.2.110
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
--> ip access-list extended ISAKMP_IPSEC
--> permit udp any any eq isakmp
--> permit ahp any any
--> permit esp any any
--> permit udp any any eq non500-isakmp
!
radius-server host 10.10.20.7
radius-server key 7 096F4F07180116405B5C57
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end

Hello Georg Pauwen,

Thank you for the firewall rules; I was wondering about that.

Oops, I forgot to mention that I turned off the zone policy on my:

interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
--> zone-member security outside
duplex auto
speed auto
crypto map outside_map

I entered all the lines you added but did not get a VPN connection. Is there something else needed with that missing line? The access list doesn't seem to let me in. After playing with it a bit I set it up to accept a specific IP; I will try to figure out how to allow specific MAC addresses.

Thanks for all your help
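As an added example (not code from the thread or from Cisco), here is a small Python checker for the two firewall points raised in the last two posts: whether the outside-to-self zone-pair passes ISAKMP, NAT-T, ESP and AH, and whether the interface carrying the crypto map is actually a member of the outside zone. The sample lines are constructed from the configs in this thread; SAMPLE, FIX, parse_config and audit are the example's own names.

```python
# Added example, not from the thread. Names below are the example's own.
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}
# What an L2TP/IPsec peer needs the router (self zone) to accept: ISAKMP,
# NAT-T, ESP and AH, i.e. the ISAKMP_IPSEC ACL from the amended config.
REQUIRED_FLOWS = {("udp", "500"), ("udp", "4500"), ("esp", None), ("ahp", None)}
SECTION_STARTS = ("class-map ", "policy-map ", "zone-pair ", "interface ",
                  "ip access-list ")
# Constructed sample: the poster's state before the fix (outside->self
# policy drops everything and the WAN interface has no zone-member line).
SAMPLE = """\
policy-map type inspect OUT_SELF_PM
 class class-default
  drop log
zone-pair security OUT_SELF_ZP source outside destination self
 service-policy type inspect OUT_SELF_PM
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
interface GigabitEthernet0/0
 ip nat outside
 crypto map outside_map
"""
# Georg's --> lines plus the zone membership the poster had removed.
FIX = """\
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
policy-map type inspect OUT_SELF_PM
 class type inspect IPSEC-cmap
  pass
interface GigabitEthernet0/0
 zone-member security outside
"""


def parse_config(text):
    """Collect ACLs, class-maps, policy-map actions, zone-pairs and interface zone
    and crypto-map membership. Indentation is ignored; re-entering a block adds to it."""
    cfg = {"acls": {}, "classmaps": {}, "policymaps": {}, "zonepairs": {}, "interfaces": {}}
    section = None        # (kind, name) of the block being read
    current_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if line.startswith(SECTION_STARTS):
            if tokens[0] == "zone-pair":  # zone-pair security NAME source S destination D
                section = ("zonepairs", tokens[2])
                cfg["zonepairs"].setdefault(tokens[2], {
                    "source": tokens[4], "destination": tokens[6], "policy": None})
            elif tokens[0] == "interface":
                section = ("interfaces", tokens[1])
                cfg["interfaces"].setdefault(tokens[1], {"zone": None, "crypto_map": None})
            else:  # class-map / policy-map / ip access-list: the name is the last token
                kind = "acls" if tokens[0] == "ip" else tokens[0].replace("-", "") + "s"
                section = (kind, tokens[-1])
                cfg[kind].setdefault(tokens[-1], [])
            continue
        if section is None:  # other top-level lines are not needed here
            continue
        kind, name = section
        if kind == "acls" and tokens[0] == "permit":
            port = tokens[tokens.index("eq") + 1] if "eq" in tokens else None
            cfg["acls"][name].append((tokens[1], PORT_NAMES.get(port, port)))
        elif kind == "classmaps" and tokens[:2] == ["match", "access-group"]:
            cfg["classmaps"][name].append(tokens[-1])
        elif kind == "policymaps":
            if tokens[0] == "class":  # "class type inspect X" or "class class-default"
                current_class = tokens[-1]
            elif current_class and tokens[0] in ("pass", "inspect", "drop"):
                cfg["policymaps"][name].append((current_class, tokens[0]))
        elif kind == "zonepairs" and tokens[0] == "service-policy":
            cfg["zonepairs"][name]["policy"] = tokens[-1]
        elif kind == "interfaces":
            if tokens[:2] == ["zone-member", "security"]:
                cfg["interfaces"][name]["zone"] = tokens[-1]
            elif tokens[:2] == ["crypto", "map"] and len(tokens) == 3:
                cfg["interfaces"][name]["crypto_map"] = tokens[2]
    return cfg


def audit(text):
    """Findings as strings; an empty list means the VPN path is open."""
    cfg = parse_config(text)
    allowed = set()  # flows the outside->self policy passes or inspects
    for zp in cfg["zonepairs"].values():
        if zp["source"] == "outside" and zp["destination"] == "self":
            for cls, action in cfg["policymaps"].get(zp["policy"], []):
                if action != "drop":
                    for acl in cfg["classmaps"].get(cls, []):
                        allowed.update(cfg["acls"].get(acl, []))
    findings = [f"outside->self policy does not pass {p}" + (f"/{port}" if port else "")
                for p, port in sorted(REQUIRED_FLOWS, key=str) if (p, port) not in allowed]
    for name, intf in cfg["interfaces"].items():
        if intf["crypto_map"] and intf["zone"] != "outside":
            findings.append(f"{name} carries crypto map {intf['crypto_map']} "
                            "but is not a member of zone outside")
    return findings
```

Running audit(SAMPLE) reports the four missing flows and the interface that is outside no zone; audit(SAMPLE + FIX) returns no findings.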

 

 

 

 

JLVB83
Level 1

Here it is:

Current configuration : 4875 bytes
!
! Last configuration change at 18:04:09 UTC Sun Nov 7 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username cisco privilege 15 password 7 110A1016141D
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
!
!
policy-map type inspect OUT_SELF_PM
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description loopback for IPsec-pool
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 192.168.1.100 192.168.1.110
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
radius-server host 10.10.20.7
radius-server key 7 096F4F07180116405B5C57
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end
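The two points the accepted answer raises about this config (IPsec traffic to the self zone is not covered by the zone-based firewall, and the L2TP pool overlaps an existing range) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco; it assumes IOS `show run` indentation and runs against a constructed excerpt of the config above.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt of the config posted above, indented as "show run" prints it.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
interface GigabitEthernet0/0
 ip address 192.168.0.19 255.255.255.0
 crypto map outside_map
interface GigabitEthernet0/1.1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
ip local pool l2tp-pool 192.168.1.100 192.168.1.110
"""

def _stanzas(cfg, prefix):
    """Yield (header, [child lines]) for each stanza whose header starts with prefix."""
    head, body = None, []
    for line in cfg.splitlines() + ["!"]:  # trailing "!" flushes the last stanza
        if line.startswith(" ") and head:
            body.append(line.strip())
            continue
        if head:
            yield head, body
        head, body = (line, []) if line.startswith(prefix) else (None, [])

def _has(body, prefix):
    return any(l.startswith(prefix) for l in body)

def audit(cfg):
    """Return findings for the two problems the accepted answer points at."""
    findings = []
    # 1. Crypto-map interface in no zone: the outside->self zone-pair never sees IKE/ESP/L2TP.
    for head, body in _stanzas(cfg, "interface "):
        if _has(body, "crypto map") and not _has(body, "zone-member"):
            findings.append(f"{head.split()[1]}: crypto map applied but interface is in no security zone")
    # 2. VPN pool inside a DHCP pool's network with no excluded-address range covering it.
    excl = [(ip_address(a), ip_address(b))
            for a, b in re.findall(r"^ip dhcp excluded-address (\S+) (\S+)$", cfg, re.M)]
    pools = [(n, ip_address(a), ip_address(b))
             for n, a, b in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", cfg, re.M)]
    for head, body in _stanzas(cfg, "ip dhcp pool "):
        for line in (l for l in body if l.startswith("network ")):
            net = ip_network("/".join(line.split()[1:3]), strict=False)
            for name, lo, hi in pools:
                if lo in net and not any(a <= lo and hi <= b for a, b in excl):
                    findings.append(f"pool {name} lies in DHCP pool {head.split()[3]} ({net}) with no excluded-address range")
    return findings
```

Feed it the full `show run` text to see the same two findings against the real config; adding the interface to the outside zone and an `ip dhcp excluded-address` line for the pool range clears both.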

JLVB83
Level 1


Current configuration : 4875 bytes
!
! Last configuration change at 18:04:09 UTC Sun Nov 7 2021 by jlvb83
! NVRAM config last updated at 21:22:21 UTC Sat Nov 6 2021 by jlvb83
