aaa new-model

Включаем систему аутентификации авторизации и учета событий

aaa authentication login default local

aaa authorization network default local

vpdn enable

Включаем VPN

vpdn-group L2TP

accept-dialin

protocol l2tp

virtual-template 1

lcp renegotiation on-mismatch

no l2tp tunnel authentication

ip pmtu

ip mtu adjust

username testuser privilege 0 password testpass

Добавляем пользователя VPN

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key SECRET_KEY address 0.0.0.0 no-xauth

crypto isakmp keepalive 3600

crypto ipsec transform-set L2TP_SET esp-3des esp-sha-hmac

mode transport

crypto dynamic-map L2TP_MAP 10

set nat demux

set transform-set L2TP_SET

crypto map L2TP_CRYPTO_MAP 10 ipsec-isakmp dynamic L2TP_MAP

interface Loopback1

ip address 172.31.1.1 255.255.255.0

interface GigabitEthernet0/0

description -= WAN =-

ip address XXX.XXX.XXX.2 255.255.255.252

ip nat outside

crypto map L2TP_CRYPTO_MAP

interface GigabitEthernet0/1

description -= LAN =-

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface Virtual-Template1

ip unnumbered Loopback1

ip nat inside

peer ip address forced

peer default ip address pool L2TP_POOL

ppp encrypt mppe 40

ppp authentication ms-chap-v2

ppp ipcp dns 192.168.0.1

ip local pool L2TP_POOL 172.31.1.10 172.31.1.250

ip nat inside source list INET_ACL interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1

ip access-list extended INET_ACL

permit ip 192.168.0.0 0.0.0.255 any

permit ip 172.31.1.0 0.0.0.255 any

Рубрикаcisco
Меткиcisco vpn

3 мысли по поводу “VPN Server L2TP-Over-IPsec на Cisco IOS”

  • my.mos.ru:
    31.01.2021 в 01:14

    L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in such operating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported, native L2TP itself is not supported on ASA. The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime.

  • cabinet-mosoblgaz.ru:
    17.04.2021 в 10:02

    Windows clients cannot connect to an Cisco IOS L2TP over IPsec server if a NAT server is used to translate the messages from the router. To enable the connection, connect the router parallelly to the NAT server so that Network Address Translation Traversal (NAT-T) is not required or use an alternate protocol such as Point-to-Point Tunnelling Protocol (PPTP), IPsec, or SSL. When a Windows client connects to an IPsec-enabled Cisco IOS LNS router through a NAT or PAT server and another Windows client connects to the same Cisco IOS LNS router, the first client’s connection is terminated.

  • Kictneet:
    04.05.2021 в 11:23

    I am sorry, I can help nothing, but it is assured, that to you necessarily will help. Do not despair.

Добавить комментарий