aaa new-model

Enable the authentication, authorization and accounting (AAA) system

aaa authentication login default local

aaa authorization network default local

vpdn enable

Enable VPN

vpdn-group L2TP

accept-dialin

protocol l2tp

virtual-template 1

lcp renegotiation on-mismatch

no l2tp tunnel authentication

ip pmtu

ip mtu adjust

username testuser privilege 0 password testpass

Add a VPN user

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key SECRET_KEY address 0.0.0.0 no-xauth

crypto isakmp keepalive 3600

crypto ipsec transform-set L2TP_SET esp-3des esp-sha-hmac

mode transport

crypto dynamic-map L2TP_MAP 10

set nat demux

set transform-set L2TP_SET

crypto map L2TP_CRYPTO_MAP 10 ipsec-isakmp dynamic L2TP_MAP

interface Loopback1

ip address 172.31.1.1 255.255.255.0

interface GigabitEthernet0/0

description -= WAN =-

ip address XXX.XXX.XXX.2 255.255.255.252

ip nat outside

crypto map L2TP_CRYPTO_MAP

interface GigabitEthernet0/1

description -= LAN =-

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface Virtual-Template1

ip unnumbered Loopback1

ip nat inside

peer ip address forced

peer default ip address pool L2TP_POOL

ppp encrypt mppe 40

ppp authentication ms-chap-v2

ppp ipcp dns 192.168.0.1

ip local pool L2TP_POOL 172.31.1.10 172.31.1.250

ip nat inside source list INET_ACL interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1

ip access-list extended INET_ACL

permit ip 192.168.0.0 0.0.0.255 any

permit ip 172.31.1.0 0.0.0.255 any
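
An added example, not part of the original configuration: a small Python check that scans an IOS configuration for the legacy settings this one uses (3DES, DH group 2, 40-bit MPPE, a pre-shared key valid for any peer address, disabled L2TP tunnel authentication, a clear-text user password). The rule list, the `audit` function name and the inline sample (constructed from the lines above) are assumptions of this example.

```python
import re

# Constructed sample: the crypto/PPP lines from the configuration above.
SAMPLE = """\
no l2tp tunnel authentication
username testuser privilege 0 password testpass
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRET_KEY address 0.0.0.0 no-xauth
crypto ipsec transform-set L2TP_SET esp-3des esp-sha-hmac
interface Virtual-Template1
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
"""

# (rule id, regex on a stripped line, why a reviewer would flag it)
RULES = [
    ("ike-3des", r"^encr(yption)? 3des$", "IKE phase 1 uses 3DES (64-bit block cipher)"),
    ("ike-dh-group", r"^group (1|2|5)$", "IKE Diffie-Hellman group of 1536 bits or less"),
    ("esp-3des", r"^crypto ipsec transform-set \S+ .*\besp-3des\b", "ESP uses 3DES"),
    ("wildcard-psk", r"^crypto isakmp key \S+ address 0\.0\.0\.0\b", "one pre-shared key accepted from any peer address"),
    ("mppe-40", r"^ppp encrypt mppe 40\b", "MPPE limited to a 40-bit key"),
    ("l2tp-no-tunnel-auth", r"^no l2tp tunnel authentication$", "L2TP tunnel authentication disabled"),
    ("cleartext-user-password", r"^username \S+ .*\bpassword (?!7 )\S+", "local user password entered in clear text"),
]

def audit(config_text):
    """Return a list of (line number, rule id, reason) for each weak setting found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for rule_id, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((number, rule_id, reason))
    return findings

if __name__ == "__main__":
    for number, rule_id, reason in audit(SAMPLE):
        print(f"line {number}: [{rule_id}] {reason}")
```

Matching is line-based, so a hit is a prompt for review rather than proof of what a given client actually negotiates.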