
Configure VPN client on IOS router

René Jorissen on February 10, 2010 9 Comments • Tags: #access #cisco #client #configure #ios #remote #router #split #splittunneling #tunneling #vpn

One way to remotely access a network is the Cisco VPN client. Nowadays more and more SSL VPN implementations are being done, and Cisco has stopped development of the VPN client and is pushing its Cisco AnyConnect client instead.

Still, the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:

  • Windows XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only);
  • Linux (Intel);
  • Mac OS X 10.4 & 10.5;
  • Solaris UltraSparc (32 and 64-bit);

The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewalls, and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all IP addresses and credentials used are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:

[image: CiscoVPNClient]

The configuration uses the local database to authenticate users, and split-tunneling is configured so that only traffic destined for the LAN network is encrypted. With split-tunneling enabled you can still access all local resources and the internet.

! AAA: authenticate users (Xauth) and authorize the client group against the local database
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! Local user account used for Xauth (the hash is a random example, not a real one)
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
! IKE phase 1 policy: 3DES, pre-shared key authentication, DH group 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Client group: group pre-shared key, DNS/domain pushed to the client, address pool and split-tunnel ACL
crypto isakmp client configuration group booches-vpn-client
 key pr3sh@r3dk3y
 dns 192.168.1.10 192.168.1.11
 domain booches.local
 pool vpnpool
 acl 110
 netmask 255.255.255.0
!
! IPsec phase 2 transform set
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
!
! Dynamic crypto map, because client peer addresses are unknown; reverse-route injects a route per connected client
crypto dynamic-map dynamicmap 10
 set transform-set vpn-ts-set
 reverse-route
!
! Tie Xauth, group authorization and mode-config address assignment to the crypto map
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
!
! Outside (internet-facing) interface with the crypto map applied
interface FastEthernet0/0
 ip address 83.137.194.62 255.255.255.240
 ip nat outside
 crypto map client-vpn-map
!
! Inside (LAN) interface
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
! Addresses handed out to VPN clients
ip local pool vpnpool 10.10.1.1 10.10.1.254
!
! PAT for LAN hosts; the deny in ACL 100 exempts LAN-to-VPN-client traffic from translation
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! Split-tunnel ACL: only traffic to/from the LAN is encrypted; everything else leaves the client unencrypted
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
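The template only works when three pieces agree: the vpnpool range, the deny entry in NAT ACL 100, and the split-tunnel ACL 110. As an added example that is not part of the original post, the Python script below parses those lines, checks them against each other with first-match ACL semantics, and flags the 3DES/group 2 ISAKMP settings as legacy. The CONFIG excerpt is constructed from the template above; check_template and the other function names are my own.

```python
import ipaddress
import re
CONFIG = """
! constructed excerpt of the template above; names are the template's own
crypto isakmp policy 1
encr 3des
group 2
ip local pool vpnpool 10.10.1.1 10.10.1.254
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
def take_net(tokens):
    """Consume one ACL address term ('any' or 'ADDR WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
def parse_acl(config, number):
    """Yield the (action, src_net, dst_net) entries of extended ACL `number`, in order."""
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[:2] == ["access-list", str(number)] and tok[3] == "ip":
            src, rest = take_net(tok[4:])
            yield tok[2], src, take_net(rest)[0]
def first_match(entries, src, dst):
    """IOS ACLs are evaluated top-down; an unmatched packet hits the implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

def check_template(config, pool="vpnpool", nat_acl=100, split_acl=110):
    """Cross-check the pool against NAT exemption, split tunnel and ISAKMP policy."""
    findings = []
    m = re.search(rf"^ip local pool {pool} (\S+) (\S+)$", config, re.M)
    ends = [ipaddress.IPv4Address(a) for a in m.groups()]  # pool is contiguous: ends suffice
    nat = list(parse_acl(config, nat_acl))
    split = [e for e in parse_acl(config, split_acl) if e[0] == "permit"]
    lan = next(split[0][1].hosts())  # a host in the LAN that the split ACL pushes to clients
    if any(first_match(nat, lan, ip) != "deny" for ip in ends):
        findings.append(f"ACL {nat_acl}: VPN pool is not exempt from NAT, LAN replies get translated")
    if any(first_match(split, lan, ip) != "permit" for ip in ends):
        findings.append(f"ACL {split_acl}: split-tunnel ACL does not cover the whole VPN pool")
    findings += [f"isakmp policy: '{x}' is legacy; prefer AES and a larger DH group"
                 for x in ("encr 3des", "group 2") if re.search(rf"^\s*{x}\s*$", config, re.M)]
    return findings
```

Run against the excerpt as written it reports only the two legacy ISAKMP settings; change the pool to 10.10.2.x without touching the ACLs and it reports the NAT exemption and split-tunnel mismatches as well.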

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.


  1. Karen says:

    Hi!
    Can you help me and provide a configuration of a Cisco 881 router as a client for your configuration?

    Thank you

  2. Dear Karen,

    Can’t you use the above configuration snippet, or are some commands not working? This could be due to different software releases.

    René

  3. SaJ says:

    Excellent and simple, worked like a charm. TY. Cheers

  4. Chris says:

    SunVPN is a very good VPN service. While the software install and setup isn’t as straightforward and simple as most would like, SunVPN performance is solid, and there are no bandwidth limits on the users. Sophisticated users will appreciate that remote port forwarding is possible, and SunVPN promises to never log data usage and customer habits. The leadership of the company is very pro-privacy and claims that support for Net Neutrality is a company ethic. For philosophical reasons alone, SunVPN is a service worth looking at if you are seeking online privacy for your browsing and file downloading habits.
    It’s very easy to handle and is useful for various purposes. It is very cheap and affordable and also easy to understand.

  5. Eliam says:

    Hello, thank you for this configuration, but I would like to know how to configure an IPsec client-to-site VPN on a Cisco router.

  6. Eliam says:

    Hello, I would like to know how to configure an IPsec client-to-site VPN on a Cisco router.

  7. René says:

    Dear Eliam,

    I am sorry, but I don’t understand one word of French. Could you please ask your question in English? Or Dutch ;-)

  8. T says:

    How do we configure a router from the 2800 series to be usable for VPN (so clients can connect to it and access the LAN behind it)?

  9. mrblonde says:

    Thanks for the guide, I used it to successfully set up IPsec client access on a Cisco 2911 ISR. Thank you!
