As Cisco routers have about 85% of the router market, most businesses today have a Cisco router connecting them to the Internet. So, why not use that router for more than just routing? What if it could be a VPN server that connects roaming users with laptops or home PCs back into your business network? This article explains how to do just that.
A router as a VPN Server?!
Your first objection to using a Cisco router as a VPN server might be that you don't want to install the Cisco VPN client software on every remote PC. Every Windows PC already comes with a VPN client, so you, like me, probably want to use that one. Using the already installed client saves the time it would take to train users to download and configure a different VPN client. So, in this article, the built-in Microsoft VPN client connects to your VPN server.
The configuration on your existing Internet router may be complex. This article can't address all the possible configurations you may already have in place.
By the way, for your IOS router to act as a VPN server at all, you will need the DES or 3DES version of the IOS. These are the versions that offer encryption, including the MPPE encryption that PPTP uses in the configuration below. The DES or 3DES versions have k8 or k9 in the IOS filename. These features must be licensed from Cisco and are not free, unless you already own that version of the IOS.
For this demonstration, we use a Cisco 2610 router as a basic PPTP VPN server with a local username/password database. The Cisco router can also be pointed at a RADIUS server (such as Microsoft IAS) and authenticate against Windows Active Directory (AD) usernames/passwords. That configuration is ideal for anything more than a handful of VPN users, but it is more complex than this entry-level document covers. For more information, Cisco has published a document that covers using a Cisco IOS router with an MS IAS server for VPN.
Configuring the router
The biggest question you may have after reviewing this configuration is: how does this fit in with your firewall? You can use a Cisco router as a firewall too, with a feature called CBAC (Context-Based Access Control). This is also known as the Firewall Feature Set, and it requires a special version of the IOS.
The following configuration shows, step by step, how to configure the Cisco IOS router as an MS PPTP VPN server. The goal of this configuration is to let you take all the defaults of the VPN client in Windows XP: all you have to do is add a new connection and provide the name (or IP address) of the VPN server and your username/password. Figure A shows what your network will look like in the end.
On the Cisco IOS router
First, you must make some changes on your router, starting by enabling VPDN (virtual private dial-up networking). VPDN is used for VPN client connectivity, as opposed to site-to-site, always-up VPN connectivity. To do so, use this command:
Router(config)# vpdn enable
Create a VPDN group that accepts inbound PPTP dial-in connections, which is what the Microsoft VPN client uses by default, and tie it to virtual-template 1 (the accept-dialin sub-mode is where IOS expects the protocol and virtual-template lines):
Router(config)# vpdn-group TEST-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1
Here, we configure our interfaces to match the diagram. Naturally, your IP address configuration will vary:
Router(config)# interface ethernet0/0
Router(config-if)# ip address 10.253.15.19 255.255.0.0
Router(config-if)# interface ethernet0/1
Router(config-if)# ip address 10.123.123.123 255.255.255.0
Next, create the virtual-template that applies to inbound VPN connections. It borrows its IP address from the e0/1 interface (ip unnumbered) and references a pool of IP addresses that are handed out to VPN clients. Finally, it configures the PPP encryption and authentication to match the Microsoft VPN client's defaults; the required keyword on the MPPE line makes the router refuse clients that do not negotiate encryption:
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered Ethernet0/1
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
Now, create the pool of IP addresses. These addresses should not already be in use on the internal network you are connecting to:
Router(config)# ip local pool defaultpool 10.123.123.1 10.123.123.10
After that, create a test user:
Router(config)# username test password 0 test
Finally, configure PPP authentication to use the local database. If you had a RADIUS server, this is where you would point to it instead of the local database. The aaa authentication command only takes effect once aaa new-model is enabled; be aware that aaa new-model also applies AAA to console and vty logins, so make sure a local username exists (as it does here) before you enable it:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local
The complete configuration looks like this:
username test password 0 test
!
aaa new-model
aaa authentication ppp default local
!
vpdn enable
!
! Default PPTP VPDN group
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
!
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10
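The pieces above only work when they agree with each other: the vpdn-group must name a virtual-template that exists, the virtual-template must name a pool that is defined, the pool must not swallow one of the router's own interface addresses, and the MPPE line must say required rather than leaving encryption optional. The following checker is an added example written for this article, not Cisco code or part of the original; it parses running-config text for the small subset of IOS commands used above, verifies those cross-references, and flags weak settings such as a type-0 (cleartext) password. The sample configuration embedded in it is the article's own, typed out as a constructed string.

```python
import ipaddress
import re

# Constructed sample: the article's complete configuration, as running-config text.
SAMPLE_CONFIG = """\
username test password 0 test
!
aaa new-model
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
!
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10
"""


def parse_config(text):
    """Parse the subset of IOS config the article uses. Top-level lines go to
    'global'; indented lines under 'interface X' / 'vpdn-group X' are kept per section."""
    cfg = {"global": [], "interfaces": {}, "vpdn_groups": {}, "pools": {}, "users": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if raw.startswith(" "):                    # continuation of the current section
            if section is not None:
                section.append(line)
            continue
        section = None
        if m := re.match(r"interface (\S+)$", line):
            section = cfg["interfaces"].setdefault(m.group(1), [])
        elif m := re.match(r"vpdn-group (\S+)$", line):
            section = cfg["vpdn_groups"].setdefault(m.group(1), [])
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"username (\S+) password (\d) ", line):
            cfg["users"][m.group(1)] = int(m.group(2))   # password type; 0 = cleartext
        else:
            cfg["global"].append(line)
    return cfg


def interface_address(lines):
    """Return the IPv4Interface from an 'ip address A MASK' line, or None."""
    for line in lines:
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def check_pptp_server(text):
    """Return a list of findings; an empty list means nothing to report."""
    cfg = parse_config(text)
    out = []
    if "vpdn enable" not in cfg["global"]:
        out.append("'vpdn enable' is missing: the router will not accept PPTP tunnels")
    if "aaa new-model" not in cfg["global"]:
        out.append("'aaa new-model' is missing: 'aaa authentication ppp' has no effect")
    if not any(g.startswith("aaa authentication ppp default") for g in cfg["global"]):
        out.append("no 'aaa authentication ppp default ...' method list")
    for user, ptype in cfg["users"].items():
        if ptype == 0:
            out.append(f"username {user}: password stored as cleartext (type 0) in the config")

    # Each vpdn-group must accept PPTP and point at a virtual-template that exists.
    templates = []
    for name, lines in cfg["vpdn_groups"].items():
        if "protocol pptp" not in lines:
            out.append(f"vpdn-group {name} does not accept PPTP")
        for l in lines:
            if m := re.match(r"virtual-template (\d+)$", l):
                templates.append(f"Virtual-Template{m.group(1)}")
    if not templates:
        out.append("no vpdn-group references a virtual-template")

    for tmpl in templates:
        lines = cfg["interfaces"].get(tmpl)
        if lines is None:
            out.append(f"{tmpl} is referenced but never defined")
            continue
        # 'required' makes the router drop clients that negotiate no MPPE at all.
        if not any(l.startswith("ppp encrypt mppe") and l.endswith(" required") for l in lines):
            out.append(f"{tmpl}: MPPE is optional or absent; use 'ppp encrypt mppe auto required'")
        auth = next((l.split()[2:] for l in lines if l.startswith("ppp authentication ")), [])
        if "ms-chap-v2" not in auth:
            out.append(f"{tmpl}: ms-chap-v2 is not offered; MPPE derives its keys from MS-CHAP")
        pool_name = unnumbered = None
        for l in lines:
            if m := re.match(r"peer default ip address pool (\S+)$", l):
                pool_name = m.group(1)
            elif m := re.match(r"ip unnumbered (\S+)$", l):
                unnumbered = m.group(1)
        if pool_name not in cfg["pools"]:
            out.append(f"{tmpl}: pool '{pool_name}' is not defined with 'ip local pool'")
            continue
        first, last = cfg["pools"][pool_name]
        # Pool addresses are handed to clients, so no router interface may sit inside the range.
        for ifname, iflines in cfg["interfaces"].items():
            addr = interface_address(iflines)
            if addr is not None and first <= addr.ip <= last:
                out.append(f"pool {pool_name} contains the address of {ifname} ({addr.ip})")
        src = interface_address(cfg["interfaces"].get(unnumbered, [])) if unnumbered else None
        if src is None:
            out.append(f"{tmpl}: 'ip unnumbered' does not point at an interface with an IP address")
        elif not (first in src.network and last in src.network):
            out.append(f"pool {pool_name} lies outside {unnumbered}'s subnet {src.network}; "
                       "inside hosts need a route to it via the router")
    return out


if __name__ == "__main__":
    for finding in check_pptp_server(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the article's configuration it reports one finding, the cleartext type-0 password for the test user; drop the required keyword, remove ms-chap-v2, or move the pool so that it overlaps the e0/1 address and the corresponding findings appear. The pool-in-subnet check reflects the article's design: because the virtual-template is unnumbered to e0/1, a pool drawn from e0/1's subnet is reachable from inside hosts without any extra routes.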
To connect to the new PPTP VPN server from a Windows workstation, click Start | Control Panel | Network Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select Connect to a network at my workplace as shown in Figure B.
Next, select Virtual Private Network Connection as shown in Figure C.
You'll then see the Connection Name screen. Type in a name for the VPN Connection in the Company Name field as shown in Figure D. Click Next to continue.
Next, the VPN Server Selection screen appears. Type in the IP address or hostname for the VPN server (your IOS router's interface) into the Host name field. In our case, this is 10.253.15.19 as you can see in Figure E.
Take the default on the next screen (that this is for anyone's use) and click Next. Click Finish on the next screen. When done, you will see the screen shown in Figure F below. Type in your test username (test) and test password (test).
Once connected, you should see the VPN icon in the Windows system tray, at the bottom right of your screen. If you open the VPN connection and click the Details tab, you should see that you received an IP address from the pool, as seen in Figure G.
You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.
The configuration is complete. Hopefully, you can take this configuration and fit it to your network, blending it with your own firewall, NAT, and Active Directory configuration.