Apr 30, 2012

Configuring a client-to-site VPN through PPTP on a Cisco router

When setting up a new Cisco router, turning on the VPN server functionality is a really handy feature to have, but it is one of those things you only need once in a while. There are countless knobs you can tweak (authentication, address allocation, and so on), so I'll run through a configuration suited to a small office environment.

First off, you'll want to make sure that your router actually has VPN server functionality. As usual, this is determined by your IOS image; check your feature set on the Cisco Feature Navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Once you’ve done that – on to the configuration. I’ll point out anything that’s worth noting.

Enter configuration mode, set up some basic AAA and enable VPDN:

phbrouter#conf t
phbrouter(config)#aaa new-model
phbrouter(config)#aaa authentication ppp default local
phbrouter(config)#aaa authorization network default if-authenticated
phbrouter(config)#vpdn enable
phbrouter(config)#

As mentioned, this is a fairly basic config. You'll notice that we're authenticating PPP sessions against the local user list (which we'll define later), and that network authorization is granted to anyone who authenticates. If you wanted to, you could use RADIUS instead (which is outside the scope of this article; maybe I'll cover it some other time). Next we need to set up a VPDN group, tell it to accept dial-in connections, define which tunnelling protocol it should use and which virtual interface template to clone for incoming connections (which we'll create later):

phbrouter(config)#vpdn-group 1
phbrouter(config-vpdn)#accept-dialin
phbrouter(config-vpdn-acc-in)#protocol pptp
phbrouter(config-vpdn-acc-in)#virtual-template 1
phbrouter(config-vpdn-acc-in)#exit
phbrouter(config-vpdn)#exit
phbrouter(config)#

Great! Halfway there. The next stage is to create a virtual interface template that will be cloned each time a user connects. This includes the address allocation, the encryption and the authentication we want to accept. The example below offers both MS-CHAP and MS-CHAP v2, as many older how-tos do, but be aware of what that buys you: MS-CHAP v1 has had known weaknesses since the late 1990s and should not be offered at all, MS-CHAP v2 is the only sane choice for PPTP and even then the tunnel is only as strong as the user's password, and `ppp encrypt mppe auto` lets the peer negotiate 40-bit encryption or, if you leave off `required`, none at all. If you are stuck with PPTP, `ppp authentication ms-chap-v2` and `ppp encrypt mppe 128 required` are the settings to aim for:

phbrouter(config)#int Virtual-Template1
phbrouter(config-if)#desc VPN Virtual Interface
phbrouter(config-if)#ip unnumbered FastEthernet0/0
phbrouter(config-if)#peer default ip address pool vpnpool
phbrouter(config-if)#ppp encrypt mppe auto
phbrouter(config-if)#ppp authentication ms-chap ms-chap-v2
phbrouter(config-if)#exit
phbrouter(config)#

You'll notice that it'll try to grab an address from a pool (rather creatively) named vpnpool. We'll define this now, but be sure to change it to a free range on your network: because the template is `ip unnumbered FastEthernet0/0`, the pool has to sit inside that interface's subnet, must not overlap your DHCP scope, and should be big enough to accommodate your number of simultaneous users:

phbrouter(config)#ip local pool vpnpool 192.168.1.150 192.168.1.160
phbrouter(config)#

The final stage is to define some users. Seeing as we're going to be using the local user list, it's a really good idea to set these users to privilege level 0: the same local database can also be used to log in to the router itself, and a VPN user with the default privilege 1 would get an exec shell. Privilege 0 leaves them only a handful of commands (disable, enable, exit, help, logout); it does not stop them logging in at all, so keep your vty lines behind an access-class or a separate login method list too. Note also that MS-CHAP needs the router to recover the cleartext password, so these accounts must use `password` (type 0 or the trivially reversible type 7), not a hashed `secret`. Treat the running config as sensitive accordingly:

phbrouter(config)#username joebloggs privilege 0 password joebloggsrules
phbrouter(config)#username jackbloggs privilege 0 password brownbear
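As an added check, here is a small script (not part of the original post) that audits `show running-config` text for the weak spots discussed above: PPTP itself, MS-CHAP v1 still being offered, MPPE that is optional or 40-bit, cleartext or hashed local passwords, and VPN users left at a privilege above 0. The two configs inside it are constructed, not captured from a real router: one is the post's commands as IOS echoes them back (the type 7 strings are dummies), the other the same design with the weak knobs turned.

```python
"""Audit 'show running-config' text for weak PPTP remote-access settings.

Added example for this post, not part of the original article. The two
configs below are constructed: SAMPLE_CONFIG is the post's commands as IOS
echoes them back (type 7 strings are dummies), HARDENED_CONFIG the same
design with the weak knobs turned. audit_pptp() returns one string per
finding; an empty list means nothing was flagged.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
username joebloggs privilege 0 password 0 joebloggsrules
username jackbloggs privilege 0 password 7 0822455D0A16
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpnpool 192.168.1.150 192.168.1.160
"""

# Passwords stay 'password 7' (reversible): MS-CHAP needs the router to
# recover the cleartext, so a hashed 'secret' would fail every login.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("password 0 joebloggsrules", "password 7 104D000A0618")
    .replace("ppp encrypt mppe auto", "ppp encrypt mppe 128 required")
    .replace("ppp authentication ms-chap ms-chap-v2", "ppp authentication ms-chap-v2")
)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their top-level command (IOS block layout)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_pptp(config: str) -> List[str]:
    """Flag PPTP itself, MS-CHAP v1, optional or 40-bit MPPE, and risky local users."""
    sections = parse_sections(config)
    findings: List[str] = []
    for head, body in sections.items():
        if head.startswith("vpdn-group") and "protocol pptp" in body:
            findings.append(f"{head}: accepts PPTP; MPPE keys come straight from the "
                            "MS-CHAP exchange, so prefer IPsec where clients allow")
        if head.startswith("interface Virtual-Template"):
            for line in body:
                words = line.split()
                if line.startswith("ppp authentication") and "ms-chap" in words:
                    findings.append(f"{head}: offers MS-CHAP v1; keep only ms-chap-v2")
                if line.startswith("ppp encrypt mppe"):
                    if "required" not in words:
                        findings.append(f"{head}: MPPE is optional for the peer; add 'required'")
                    if "128" not in words:
                        findings.append(f"{head}: 40-bit MPPE allowed; use 'ppp encrypt mppe 128 required'")
        # 'show run' always prints the storage type: password 0/7 or secret 5/8/9.
        m = re.match(r"username (\S+)(?: privilege (\d+))? (password|secret) (\d) ", head)
        if m:
            name, priv, kind, ptype = m.groups()
            if kind == "secret":
                findings.append(f"username {name}: hashed 'secret' cannot satisfy MS-CHAP; use 'password'")
            elif ptype == "0":
                findings.append(f"username {name}: cleartext (type 0) password; enable 'service password-encryption'")
            if priv != "0":
                findings.append(f"username {name}: privilege {priv or '1 (default)'} gives an exec shell; set privilege 0")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} ---")
        print("\n".join(audit_pptp(cfg) or ["no findings"]))
```

Run against the config as posted it reports five findings; against the hardened variant only the unavoidable one remains, that the router speaks PPTP at all. Paste in the output of `show running-config` from your own box to see where you stand.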

And you're finished! Note that the Cisco VPN Client is an IPsec client and will not talk PPTP, so to connect from remote locations use the built-in Windows connection wizard instead, which is a lot lighter anyway and more than sufficient.


** Links

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
