Cisco Blog: Configuring a Cisco Router to Accept VPN Connections
This blog has been a long time coming, as someone asked me quite some time ago to post the simplest way to accomplish this (for a home environment). I hate to admit this, but my home PC (where I get all my email) was hacked since I allowed Microsoft's Remote Desktop Protocol (RDP) and VNC from anywhere on the Internet (very bad idea). That was the end of that - now VPN connections are required to get to my home PC. Well, the simplest way to configure a VPN on a router is to use the Cisco SDM...but Real Cisco Techs™ use the command line :). So here we go:
First thing you need to do is specify an authentication method. Since I'm assuming this is for a home environment, using the local router database is just fine. The named AAA lists below are only accepted once AAA is turned on, and the crypto map later refers to both a login list and a network authorization list, so define both here:
Router(config)# aaa new-model (turns on the AAA command set so the named lists below can be created)
Router(config)# aaa authentication login LOCAL_DB local (defines a login method called LOCAL_DB that uses the local DB)
Router(config)# aaa authorization network LOCAL_DB local (defines a network authorization method called LOCAL_DB, also using the local DB; the VPN group settings are looked up through this one)
Router(config)# username Jeremy password cisco (creates a user account in the local DB)
Second, you need to define a local pool of addresses for your VPN clients. This is the address range they will be assigned when they connect. It should be a unique range that is not in use on your LAN:
Router(config)# ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
Next, you have to create an ISAKMP policy. This is a policy that secures Phase 1 of the VPN negotiation. Phase 1 is there to allow you to securely exchange the encryption keys you'll be using for the VPN. Without this phase, someone could sniff your encryption keys and compromise the VPN security:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr aes (my preferred encryption: 128-bit AES; fast and secure)
Router(config-isakmp)# authentication pre-share (says that I'll need to type a secret key on the router & VPN client)
Router(config-isakmp)# group 2 (Diffie-Hellman group 2...super strong keys to lock down Phase 1)
Now, I need to configure a client configuration group. This is what gives the clients their settings (such as DNS server, IP address, etc...).
Router(config)# crypto isakmp client configuration group HOME
Router(config-isakmp-group)# key s3cr3t (the client has to provide this key to connect to the VPN)
Router(config-isakmp-group)# dns 172.30.100.11 (assigns a DNS server to the client)
Router(config-isakmp-group)# domain ciscoblog.com (assigns a DNS suffix to the client)
Router(config-isakmp-group)# pool CLIENT_ADDRESSES (says that this client will get an IP address from the CLIENT_ADDRESSES pool)
There is MUCH more you can put under the above config to define things like split tunneling and access control...but that discussion is for another day :)
Next up, we can configure the settings for the IPsec tunnel (all this stuff until now has been Phase 1, pre-tunnel info). First, we must set up a transform set. This defines what level of encryption (scrambling data so people can't read it) and hashing (checking to make sure data doesn't change) we'd like to use:
Router(config)# crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
As a fly-by description, the line above sets the VPN encryption to AES 128-bit and uses SHA-1 (160-bit, I believe) hashing. This is what I'd recommend, but you can choose whatever levels you'd like (just hit the ? key to see all your options).
Now we can create a crypto map. A crypto map takes all these settings and sums them together into something we can apply to an interface:
Router(config)# crypto dynamic-map CLIENT_MAP 1 (creates a dynamic map, which is used for remote access clients)
Router(config-crypto-map)# set transform-set JEREMYS_SET (says that this will be the transform set used for clients)
Router(config-crypto-map)# reverse-route (puts the client IP address in the routing table when the client connects)
Router(config)# crypto map JEREMY_VPN client authentication list LOCAL_DB (links authentication method to the VPN)
Router(config)# crypto map JEREMY_VPN isakmp authorization list LOCAL_DB (links authorization settings - what a user can do - to the VPN)
Router(config)# crypto map JEREMY_VPN client configuration address respond (allows the router to hand out addresses from the pool when clients ask for one)
Router(config)# crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP (applies the dynamic crypto map to the real crypto map)
FINALLY, we can apply the crypto map to the interface:
Router(config)# interface fa0/1 (my DSL connection interface)
Router(config-if)# crypto map JEREMY_VPN (applies the crypto map from above)
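Every one of the steps above refers back to a name created in an earlier step (the AAA list, the pool, the transform set, the dynamic map), and a typo in any of them is accepted by IOS line by line but leaves clients unable to connect. As an added illustration that is not from this blog and not a Cisco tool, the Python script below reads a running-config in the plain-text form shown above and checks those cross-references, plus the rule that the client pool must not sit inside a LAN subnet. The sample configs are constructed; the interface names, the LAN subnet 172.30.100.0/24 and the WAN address are assumptions for the example, and the regexes cover only the commands used on this page.

```python
import ipaddress
import re

# Constructed sample: the commands from the post as they appear in a running-config
# (sub-mode lines indented by one space), plus the AAA and interface lines that make
# it complete.  LAN subnet, WAN address and interface names are assumptions.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login LOCAL_DB local
aaa authorization network LOCAL_DB local
username Jeremy password cisco
ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group HOME
 key s3cr3t
 dns 172.30.100.11
 domain ciscoblog.com
 pool CLIENT_ADDRESSES
crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
crypto dynamic-map CLIENT_MAP 1
 set transform-set JEREMYS_SET
 reverse-route
crypto map JEREMY_VPN client authentication list LOCAL_DB
crypto map JEREMY_VPN isakmp authorization list LOCAL_DB
crypto map JEREMY_VPN client configuration address respond
crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
interface FastEthernet0/0
 ip address 172.30.100.1 255.255.255.0
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.248
 crypto map JEREMY_VPN
"""

# Same config with four easy mistakes: no aaa new-model, no network authorization
# list, the pool name misspelled in the group, and a pool that overlaps the LAN.
BAD_CONFIG = (GOOD_CONFIG
              .replace("aaa new-model\n", "")
              .replace("aaa authorization network LOCAL_DB local\n", "")
              .replace("\n pool CLIENT_ADDRESSES", "\n pool CLIENT_ADDRESS")
              .replace("172.30.50.10 172.30.50.20", "172.30.100.50 172.30.100.60"))


def parse_blocks(text):
    """Group config lines into (command, [sub-commands]); IOS indents sub-modes."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text):
    """Return a list of findings; an empty list means every reference resolves."""
    blocks = parse_blocks(text)
    heads = [h for h, _ in blocks]

    def names(pattern):
        return {m.group(1) for h in heads if (m := re.match(pattern, h))}

    login_lists = names(r"aaa authentication login (\S+)")
    authz_lists = names(r"aaa authorization network (\S+)")
    transform_sets = names(r"crypto ipsec transform-set (\S+)")
    dynamic_maps = names(r"crypto dynamic-map (\S+)")
    crypto_maps = names(r"crypto map (\S+)")
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for h in heads if (m := re.match(r"ip local pool (\S+) (\S+) (\S+)", h))}
    findings, lan_nets = [], []

    if (login_lists or authz_lists) and "aaa new-model" not in heads:
        findings.append("aaa new-model is missing; named AAA lists need it")
    for head, body in blocks:
        if head.startswith("interface "):
            for sub in body:
                if m := re.match(r"ip address (\S+) (\S+)", sub):
                    lan_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
                if (m := re.match(r"crypto map (\S+)", sub)) and m.group(1) not in crypto_maps:
                    findings.append(f"{head}: crypto map {m.group(1)} applied but never defined")
        elif head.startswith("crypto isakmp client configuration group "):
            for sub in body:
                if sub.startswith("pool ") and sub.split()[1] not in pools:
                    findings.append(f"{head}: pool {sub.split()[1]} is not defined (check the spelling)")
        elif head.startswith("crypto dynamic-map "):
            for sub in body:
                if (m := re.match(r"set transform-set (\S+)", sub)) and m.group(1) not in transform_sets:
                    findings.append(f"{head}: transform set {m.group(1)} is not defined")
        elif m := re.match(r"crypto map (\S+) client authentication list (\S+)", head):
            if m.group(2) not in login_lists:
                findings.append(f"{head}: login list {m.group(2)} is not defined")
        elif m := re.match(r"crypto map (\S+) isakmp authorization list (\S+)", head):
            if m.group(2) not in authz_lists:
                findings.append(f"{head}: needs 'aaa authorization network {m.group(2)} local'")
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", head):
            if m.group(1) not in dynamic_maps:
                findings.append(f"{head}: dynamic map {m.group(1)} is not defined")
    # The client range must not collide with an address block the LAN already uses.
    for name, (lo, hi) in pools.items():
        for net in lan_nets:
            if lo in net or hi in net:
                findings.append(f"pool {name} ({lo}-{hi}) overlaps LAN subnet {net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it as-is and the good config produces no findings while the bad one produces four; to check a real router, paste the output of show running-config into a file and call lint() on its contents. The overlap check only compares the pool against interfaces that carry an ip address line, so a LAN reached through a static route would need to be added by hand.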
The router is now ready to accept VPN connections. Now that I'm looking back over this, I'm sure it's generated many more questions than it answered...ask away :).