VPDN on Cisco 877: weird issues with authentication and encryption
06-30-2011 02:03 PM
I have a Cisco 877 router at home, and I'm trying to configure it to act as a VPN server in order to be able to connect to my home network when I'm outside; I want it to work with standard Microsoft VPN client software (which supports PPTP and L2TP).
This is the output of the "show version" command:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 30-Sep-09 08:42 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI6, RELEASE SOFTWARE
The router has quite a basic setup: a single username with privilege level 15, a single VLAN comprising all four Ethernet ports, an ADSL connection to my ISP, an internal IP address of 192.168.42.1/24, an external IP address assigned by my ISP, NAT enabled.
This is my current configuration (stripped of non-relevant or private information):
service password-encryption
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
ip source-route
ip cef
ip domain name <my ISP's DNS name>
ip name-server <my ISP's DNS server>
no ipv6 cef
password encryption aes
username <Router's username> privilege 15 secret 5 <The encrypted password for my user account>
interface ATM0
 no ip address
 no atm ilmi-keepalive
interface ATM0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
 spanning-tree portfast
interface FastEthernet1
 spanning-tree portfast
interface FastEthernet2
 spanning-tree portfast
interface FastEthernet3
 spanning-tree portfast
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <My ISP's username> password 7 <The encrypted ISP password>
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.42.0 0.0.0.255
dialer-list 1 protocol ip permit
This is the configuration I'm currently testing for PPTP VPN (I'd prefer L2TP, but it looks a lot more complex, so I think it's better to get PPTP working before that):
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool clients
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
ip local pool clients 192.168.42.250 192.168.42.254
This sort of works, but I'm having some very strange problems with authentication and encryption:
- Authentication only works if I configure user accounts using password instead of secret. That is, my main (and usually only) user account, which uses secret, doesn't work at all; if I create another one using secret, it doesn't work; if I create it using password, it then works. Is this supposed to work this way (and if so, why?), or is this some sort of bug? Why wouldn't secret work for VPN client authentication?
- Encryption doesn't work at all, even though I'm running a firmware version that supports it, and I configured it in the Virtual-Template interface. If I configure my client to require encryption (which is the default), it fails the connection saying the remote endpoint doesn't support it; if I configure it to not require it, it connects successfully, even though it shouldn't, because the router is configured to require it. What am I missing here?
Also, as a side note: I'm assigning local addresses to VPN clients; but what if I wanted to use other addresses for them and then route them to my local network? I've tried, but the client doesn't get a routing table entry for 192.168.42.0/24, so it can't talk with it. How should this be configured?
Thanks for any help.
Labels: VPN
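As an added example (not from the original post or from Cisco), the following Python script lints an IOS configuration with the same layout as the PPTP setup above and flags the two things the poster ran into: local accounts defined with `secret` (a one-way MD5 hash, which the router cannot use to answer an MS-CHAP challenge, so only `password` accounts can authenticate PPTP clients) and MPPE settings that cannot take effect (MPPE keys are derived from MS-CHAP, so `ppp encrypt mppe` without MS-CHAP authentication, or without `required`, leaves the tunnel unencrypted or negotiable down to cleartext). The sample configuration, the `admin` account name and the placeholder hashes are constructed for the example; the parser relies only on IOS's leading-space indentation of sub-commands.

```python
"""Lint a stripped Cisco IOS config for the PPTP/MPPE pitfalls discussed in the post."""
import re

# Constructed sample modelled on the poster's configuration (placeholder hash, not a real secret).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 5 $1$PLACEHOLDER
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool clients
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
ip local pool clients 192.168.42.250 192.168.42.254
"""

# Same config with the account changed to a reversible 'password' entry (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace("secret 5 $1$PLACEHOLDER", "password 7 PLACEHOLDER")


def parse_blocks(text):
    """Split an IOS config into top-level commands and their indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments carry no configuration
        if raw[0] != " ":
            current = raw.strip()
            top.append(current)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())  # nested depth is irrelevant for these checks
    return top, blocks


def lint_pptp_config(text):
    """Return a list of human-readable findings; an empty list means no issue was detected."""
    top, blocks = parse_blocks(text)
    findings = []
    if "vpdn enable" not in top:
        findings.append("vpdn is not enabled, so no vpdn-group will accept calls")

    # Virtual templates referenced by vpdn-groups that accept PPTP dial-in.
    templates = set()
    for line in top:
        if line.startswith("vpdn-group") and "protocol pptp" in blocks[line]:
            for child in blocks[line]:
                m = re.match(r"virtual-template (\d+)$", child)
                if m:
                    templates.add(m.group(1))
    if not templates:
        findings.append("no vpdn-group accepts PPTP dial-in")

    # Local accounts and whether they store a one-way 'secret' or a reversible 'password'.
    users = {}
    for line in top:
        m = re.match(r"username (\S+) .*?\b(secret|password)\b", line)
        if m:
            users[m.group(1)] = m.group(2)

    for number in sorted(templates):
        name = f"interface Virtual-Template{number}"
        if name not in blocks:
            findings.append(f"{name} is referenced by a vpdn-group but not defined")
            continue
        children = blocks[name]
        auth = next((c for c in children if c.startswith("ppp authentication")), "")
        methods = auth.split()[2:]
        uses_mschap = any(m.startswith("ms-chap") for m in methods)
        mppe = next((c for c in children if c.startswith("ppp encrypt mppe")), None)

        if mppe and not uses_mschap:
            findings.append(f"{name}: MPPE is configured but authentication is not MS-CHAP, "
                            "so no MPPE keys can be derived")
        if uses_mschap:
            secret_only = sorted(u for u, kind in users.items() if kind == "secret")
            if secret_only:
                findings.append(f"{name}: MS-CHAP needs reversible 'password' accounts; "
                                f"'secret' accounts cannot authenticate: {', '.join(secret_only)}")
        if "ms-chap" in methods:
            findings.append(f"{name}: MS-CHAPv1 fallback is allowed; prefer ms-chap-v2 only")
        if mppe is None:
            findings.append(f"{name}: no 'ppp encrypt mppe' line, PPTP payload is unencrypted")
        elif "required" not in mppe.split():
            findings.append(f"{name}: MPPE is not 'required', clients may negotiate cleartext")
    return findings


if __name__ == "__main__":
    for finding in lint_pptp_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running the script against the sample prints the `secret`-account finding and the MS-CHAPv1 fallback note; swapping the account to a `password` entry clears the first one, which matches what the poster observed. The checks are deliberately limited to what can be read from the config: the MPPE failure the poster later attributed to an IOS bug is not something a linter can see, so version-specific behaviour is out of scope here.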
07-02-2011 09:44 AM
Looks like having to use password instead of secret is by design: http://www.cisco.com/en/US/docs/ios/12_1/12_1e8/feature/guide/8e_md5.html.
Still no luck with the encryption issue, though...
Also, it looks like the encryption issue was a bug; I updated the router's IOS from version 15.0(1) to 15.1(3) and now the problem is gone.
