
I have a Cisco 877 router which connects my network to the Internet using an ADSL line, a single public IP address and NAT; the IOS version is 15.

Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.

I've tried looking for documentation, but everything I can find is related to having the 877 act as a VPN client, or to site-to-site VPNs; I can't find anything about letting single remote computers access the internal network, which is something I can do quite easily using Windows' RRAS or ISA Server.

  • Can the Cisco 877 act as a VPN server for remote client computers? (Looks like it should, but just to be sure...)
  • Which type of VPNs does it support? Do they require some special software on the client machines, or can they be used by standard out-of-the-box Windows computers?
  • And, finally: how do I set this up?

Edit:

I know the 877 is a SOHO router, and it's not the best choice as a VPN server; but this is my home network, I only have one computer (for now) and I'm the only user. I'm definitely not going to buy an enterprise-grade router just to be able to reach my PC when I'm at work :-p


Edit 2:

I'm really stuck with this, after many tests I was never able to get it to work. I'm adding a bounty to the question, which will be awarded to a fully working solution (not to some pointer to cryptic Cisco documentation or unrelated scenarios).

In order to allow people to help, here's my current router configuration (stripped of non-relevant and private details). Let's hope someone finally can help me get this working.

Main points:

  • The four Ethernet interfaces are all assigned to VLAN 1.
  • Internal network is 192.168.42.0/24, router's IP address is 192.168.42.1.
  • External IP address is supplied by ISP; it's a public and static one, fully routable.
  • NAT is (of course) enabled.
  • ADSL connection works OK.
  • The router is the DNS server for the internal network, forwarding queries to the ISP's DNS.
  • There is no DHCP server in the network.
  • There is a single user account with privilege level 15.

What I want:

  • The router acting as a VPN server, enabling external clients to access the internal network.
  • L2TP would be preferred, but even PPTP would be ok.
  • If possible, I want this to work with Windows' built-in VPN client (which supports PPTP and L2TP); I don't want to install Cisco VPN client or anything like that on external computers in order for them to be able to connect.

Here's the config:

version 15.0

service password-encryption

hostname Cisco877

aaa new-model

aaa authentication login default local
aaa authorization console
aaa authorization exec default local

aaa session-id common

ip source-route
ip cef
ip domain name <my ISP's DNS name>
ip name-server <my ISP's DNS server>
no ipv6 cef

password encryption aes

username <Router's username> privilege 15 secret 5 <The encrypted password for my user account>

ip ssh version 2

interface ATM0
 no ip address
 no atm ilmi-keepalive

interface ATM0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

interface FastEthernet0
 spanning-tree portfast

interface FastEthernet1
 spanning-tree portfast

interface FastEthernet2
 spanning-tree portfast

interface FastEthernet3
 spanning-tree portfast

interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <My ISP's username> password 7 <The encrypted ISP password>

ip forward-protocol nd

ip dns server

ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0

access-list 1 permit 192.168.42.0 0.0.0.255

dialer-list 1 protocol ip permit
Massimo
  • Did you read any of the links I had in my answer? The first two are probably the only ones you need in this case and should still be exactly what you need. The second link is a PDF from Cisco that tells you how to setup an 877 as the head end? I'm not sure how to provide a better answer than those links... – Webs Apr 08 '10 at 20:07
  • I had already found the document in your second link before posting the question; it analyzes two VPN scenarios: in the first the router connects to a remote VPN server and lets local users access the remote network, and the second is a site-to-site VPN. There's nothing there about it *being a VPN server*. The last link seems promising, though. – Massimo Apr 08 '10 at 20:20
  • Starting on pg. 69 of that document in the second link should be what you need. The first 7 bullets should all be done on the server or head end, the last bullet would be what you do on the client. At least that is how I read the document. If you do not want to take down your 877 while attempting this configuration you could try http://dynagen.org/ and see if it works in that environment. If so then just apply same commands to your setup. – Webs Apr 08 '10 at 21:21
  • I'm sorry, but please look at picture 6.1: the Cisco 870 router is being used to *connect* to a central VPN server. The text isn't quite clear on this, but it just doesn't look like it's explaining the *server* configuration... – Massimo Apr 09 '10 at 05:02
  • @Massimo: You're making me wonder if it's worth buying a Cisco 877 secondhand to play around w/ this to get the 500 pts bounty... >smile – Evan Anderson Jun 29 '11 at 21:11
  • @Evan: aren't you satisfied *yet* with your rep? >grin – Massimo Jun 29 '11 at 21:12
  • @Massimo: Chopper3 is getting awfully close and I'm getting antsy about it. I need to start putting a day a week into Server Fault again to keep the "spread" between us. – Evan Anderson Jun 29 '11 at 21:14
  • You need the correct IOS features, but the 8XX series can do this with limits on speed and encryption. From what I see on my IOS chart (thanks to the Cisco Engineering staff for sharing), you need c800-Advsecurityk9-mz-15X.X.bin at the minimum (change X's to your revision number). If you intend on playing with some more advanced features just go for the Adventerprisek9 image. – Random-IT Mar 13 '15 at 19:16

3 Answers


So according to Cisco's website, yes you can have your 877 be a server. But I would highly recommend against it. I set up a VPN solution with the 871 routers connecting to a head end 2800 router and had all kinds of problems. Lower end devices just are not made to handle a lot of simultaneous VPN connections. My recommendation would be to buy a 2800 or 3800 series router with a VPN module. The hardware module will allow for more connections, but will also handle the connections a lot better.

How you want to set it all up and where to put your head end is up to you, but I think having the head end sit on the outside of your network just as your 877 does today is probably the easiest. In the links below you will find a lot of ways to do this, but the easiest is to use a head-end like you have now, but with beefier hardware.

Take out the spaces for those links and search the second one for "Easy VPN".

http://www.cisco.com/en/US/products/sw/secursw/ps5299/

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/857sg_bk.pdf

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr.html

Webs


Here's my attempt w/o having a router like this one to actually test on. Add the following to your config:

vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 exit

ip local pool clients 192.168.200.1 192.168.200.127

interface virtual-template 1
 encapsulation ppp
 peer default ip address pool clients
 ip unnumbered vlan1
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap

aaa authentication ppp default local

That should enable VPN dialup (VPDN), create a VPDN group to accept incoming PPTP, create an IP pool to assign to clients, create a virtual-template interface to be assigned to clients, and turn on local authentication for PPP users. MS-CHAP and MPPE encryption will be required (defaults in Windows anyway, I believe).

I'm anxious to see if I get it right on the first try... or, indeed, at all.

Evan Anderson
  • I'll test it as soon as I have an external computer available, i.e. tomorrow at work. In the meantime, if you can also find something working with L2TP, it would be *very* nice... where I'm working now there is a firewall which really doesn't like PPTP (much like me >grin<). I can bypass it (and I *will*), but having L2TP also would be optimal. – Massimo Jun 29 '11 at 21:31
  • @Massimo: I've never actually configured L2TP on a Cisco router, so I'm going to opt out of that for right now. I know what you mean re: PPTP. It's _so_ frustrating that it uses GRE instead of just encapsulating the traffic in UDP. SSTP would have been "the bomb" if Microsoft had back-ported it to Windows XP and Windows Server 2003. As it stands SSTP is useless to me until I can get my Customers to ditch Windows XP clients (which will, apparently, be in like 2025). – Evan Anderson Jun 29 '11 at 21:33
  • I'll test it tomorrow; but I think I can already spot a couple of problems (apart from an "ambiguous command" error on the "ppp auth ms-chap" line, which should be *authentication* or *authorization*... I'd guess "authentication" is right?). – Massimo Jun 29 '11 at 22:15
  • 1) If I configure the client to use this VPN as its default gateway, it will not be able to access the Internet; for this to work, the 192.168.200.x address pool should be configured as an "inside" part of the NAT... – Massimo Jun 29 '11 at 22:16
  • 2) If I don't configure the VPN interface as the client's default gateway (which I actually *don't* want to), then how will it know it can reach the 192.168.42.0/24 network via its 192.168.200.x address? Shouldn't it need a static route for this? Can the router supply it? – Massimo Jun 29 '11 at 22:17
  • @Massimo: Yeah-- that should be "authentication". I changed the post. Embarrassing. I think the "ip unnumbered vlan1" in the virtual-template configuration will make the VPN `inside` NAT already. I would find it hard to believe that the router can supply the static route to the 192.168.42.0/24 network, though. That's going to be a bummer. – Evan Anderson Jun 29 '11 at 23:48
  • I've got it to (sort of) work, but I'm having two very strange problems: 1) authentication only works if I use "password" in the user account definition, with "secret" it fails; and 2) encryption doesn't work *at all*, if the client is configured to require it (as default) it doesn't connect, if I disable the requirement it connects, but it *shouldn't*, as the *router* is configured to require it too. I'm completely puzzled. – Massimo Jun 30 '11 at 21:06
  • Also, I had to change the IP address pool to some LAN addresses (192.168.42.x), otherwise routing was not working: the client was getting a 192.168.200.x address, but then (as expected) it didn't know how to reach 192.168.42.0/24. I'm wondering if it's possible to supply it a static route... – Massimo Jun 30 '11 at 21:07
  • @Massimo: I'm not aware of any way to supply a static route to the client. Windows RRAS would supply a static route via a DHCP CIDR route option when the RRAS machine pulled DHCP on behalf of the remote client. I don't see anything like that in your future for this configuration. That is puzzling re: encryption. Did you sniff the traffic and see that it's not negotiating encryption when the client does connect? – Evan Anderson Jul 01 '11 at 05:09
  • Yes, I sniffed it and I can confirm that if encryption is enabled on the client side, PPP tries to negotiate it and fails; if it's disabled, this doesn't happen and the connection gets established (although, based on the router's configuration, it *shouldn't*). – Massimo Jul 01 '11 at 12:42
  • The IPs in the IP ADDRESS POOL still have to transit the router/firewall. That means it has to apply them to an interface. If you want them to have their own IP space then you have to put in an access list somewhere allowing them to go from the outside to the inside. "access-list OUTSIDE permit ip 192.168.200.0 255.255.255.0 any" and apply it to the outside interface. – Mark Jul 01 '11 at 13:16
  • @Mark, that is ok, but how do I tell the *client* "in order to reach 192.168.42.0/24 you should use this VPN connection"? I.e. how can I supply clients a static route to my LAN? – Massimo Jul 01 '11 at 13:24
  • When your client is running VPN all traffic goes out the VPN. That should work by default. If you only want 192.168.42/24 network to be routed that way by the client you apply your ACL 1 to the "interface virtual-template 1". – Mark Jul 01 '11 at 16:54
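As an added illustration of the "secret" versus "password" problem Massimo reports in the comments above (this is example code written for this page, not anything Evan or Massimo posted): a CHAP authenticator has to recompute MD5(Identifier || secret || Challenge) itself, per RFC 1994 section 4.1, so it needs the cleartext secret. IOS `password 7` is a reversible XOR obfuscation against a fixed, well-known key (the one in the code), so the router can recover the cleartext; `secret 5` is a one-way salted MD5-crypt hash, so it cannot. The `(type, value)` credential tuples, the simulated exchange and the placeholder type-5 hash are constructed for the example; the type-7 test vector `094F471A1A0A` is the well-known encoding of "cisco".

```python
"""Why CHAP needs a recoverable password on the router (RFC 1994 s.4.1):
the authenticator must recompute MD5(Identifier || secret || Challenge)
itself, so it needs the cleartext.  IOS 'password 7' is reversible
obfuscation (recoverable), 'secret 5' is one-way MD5-crypt (not).
Added example for this page; not code from the thread."""
import hashlib
import hmac
import os

# Fixed key used by IOS type-7 obfuscation (well known, not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """'NNHH..': NN is the decimal key offset, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; the seed only selects the starting key offset."""
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(plain))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(identifier: int, stored, challenge: bytes, response: bytes) -> bool:
    """Router side.  `stored` is (type, value) as on a 'username' line:
    ("0", cleartext) or ("7", obfuscated) can be turned back into the secret;
    ("5", md5-crypt hash) cannot, so the expected response is uncomputable."""
    kind, value = stored
    if kind == "0":
        secret = value.encode()
    elif kind == "7":
        secret = type7_decode(value).encode()
    else:
        return False                      # only a one-way hash on file: CHAP cannot work
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, stored) -> bool:
    """One CHAP round trip: Challenge -> Response -> Success/Failure."""
    identifier = 0x01
    challenge = os.urandom(16)                                        # authenticator -> peer
    response = chap_response(identifier, client_secret, challenge)    # peer -> authenticator
    return authenticator_verify(identifier, stored, challenge, response)


if __name__ == "__main__":
    print(type7_decode("094F471A1A0A"))                                   # cisco
    print(chap_exchange(b"cisco", ("7", "094F471A1A0A")))                 # True
    print(chap_exchange(b"cisco", ("5", "$1$saltsalt$placeholder-hash")))  # False: one-way hash
```

The same reasoning applies to MS-CHAP and MS-CHAPv2, which need the NT hash of the password rather than an MD5-crypt of it. The flip side is that `password 7` is only obfuscated: anyone who can read the running config can recover every PPP user's password with `type7_decode`, so treat `show running-config` output for this router as sensitive.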

I was finally able to make it work using Evan's great support and this page.

I'm posting the complete configuration here and I'm accepting this answer to leave it as a reference, but of course the bounty is going to Evan :-)

This is what needs to be added to the router's configuration in order to enable PPTP and L2TP dial-in VPN access:

aaa authentication ppp default local

vpdn enable
vpdn-group VPN_Clients
 accept-dialin
  protocol any
  virtual-template 1
 no l2tp tunnel authentication

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <IPSEC PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map VPN_DYN_MAP 1
 set nat demux
 set transform-set VPN_TS
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_DYN_MAP

interface Dialer0
 crypto map VPN_MAP

ip local pool VPN_POOL 192.168.42.240 192.168.42.249

interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool VPN_POOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap chap

Note 1: for authenticating VPN users, you will need to set their passwords with the command username <user> password <password> instead of the more secure username <user> secret <password>, otherwise authentication will fail because MD5-encrypted passwords are not compatible with CHAP; this is documented here.

Note 2: This configuration assigns to VPN clients IP addresses that are part of the inside network; this is the easiest approach, as using a different subnet would require supplying the clients a static route to the LAN. It would indeed be more secure, but for simple access to a home network it's simply not worth the hassle.

Massimo
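The following linter is added here as an example and is not part of Evan's or Massimo's posts. It checks an IOS dial-in VPN fragment for the five things the thread tripped over: a client pool outside the LAN subnet (clients then need a route, Note 2), a pool not covered by the NAT inside ACL, a Virtual-Template without `ip nat inside`, PPP users defined with `secret` (Note 1), and MPPE required alongside authentication methods that cannot derive MPPE keys (MPPE keys are derived from MS-CHAP or MS-CHAPv2 only). The two config samples are constructed, modelled on Evan's draft and on the accepted configuration; the hashes and encrypted passwords in them are placeholders, and the finding codes are the example's own.

```python
"""Lint an IOS dial-in VPN (PPTP / L2TP-over-IPsec) configuration fragment
for the pitfalls the thread ran into.  Added example; not from the page."""
import ipaddress
import re

CHAP_FAMILY = {"chap", "ms-chap", "ms-chap-v2"}
MPPE_CAPABLE = {"ms-chap", "ms-chap-v2"}     # MPPE keys derive from MS-CHAP only (RFC 3079)


def parse_sections(config):
    """Return (global_lines, {interface_name: [sub_commands]}).
    Only 'interface' blocks are kept; other indented blocks are skipped."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":                             # sub-command of the open block
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            current = re.sub(r"\s+", "", m.group(1)).lower()   # "Virtual-Template 1" -> "virtual-template1"
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks; invert to a netmask for ipaddress."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def nat_inside_networks(global_lines):
    """Networks permitted by the ACL(s) referenced by 'ip nat inside source list'."""
    acl_ids = {m.group(1) for m in map(re.compile(r"ip nat inside source list (\S+)").match, global_lines) if m}
    nets = []
    for line in global_lines:
        m = re.match(r"access-list (\S+) permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m and m.group(1) in acl_ids:
            nets.append(wildcard_to_network(m.group(2), m.group(3)))
    return nets


def lint(config):
    """Return a list of (code, message) findings, one per problem per Virtual-Template."""
    g, sections = parse_sections(config)
    nat_nets = nat_inside_networks(g)
    pools = {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
             for m in map(re.compile(r"ip local pool (\S+) (\S+) (\S+)").match, g) if m}
    # Any 'username ... secret' line; the linter cannot tell admin accounts from PPP users.
    secret_users = [m.group(1) for m in map(re.compile(r"username (\S+) .*\bsecret\b").match, g) if m]
    lan_nets = {}
    for name, lines in sections.items():
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)$", l)
            if m:
                lan_nets[name] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)

    findings = []
    for name, lines in sections.items():
        if not name.startswith("virtual-template"):
            continue
        auth = set(next((l.split()[2:] for l in lines if l.startswith("ppp authentication ")), []))
        mppe_required = any(l.startswith("ppp encrypt mppe") and l.endswith("required") for l in lines)
        unnumbered = next((re.sub(r"\s+", "", l.split(None, 2)[2]).lower()
                           for l in lines if l.startswith("ip unnumbered ")), None)
        pool_name = next((l.split()[-1] for l in lines if l.startswith("peer default ip address pool ")), None)
        pool = pools.get(pool_name)

        if pool:
            first, last = pool
            lan = lan_nets.get(unnumbered)
            if lan and not (first in lan and last in lan):
                findings.append(("POOL_OFF_LAN", f"{name}: pool {pool_name} ({first}-{last}) is outside {lan}; "
                                 "clients need a route to the LAN unless the VPN is their default gateway"))
            if not any(first in n and last in n for n in nat_nets):
                findings.append(("POOL_OUTSIDE_NAT", f"{name}: pool {pool_name} is not covered by the NAT inside "
                                 "ACL; clients using the tunnel as default gateway get no Internet"))
        if "ip nat inside" not in lines:
            findings.append(("NO_NAT_INSIDE", f"{name}: missing 'ip nat inside'; client traffic toward the "
                             "outside interface will not be translated"))
        if auth & CHAP_FAMILY and secret_users:
            findings.append(("SECRET_WITH_CHAP", f"{name}: CHAP-family auth but users {secret_users} use "
                             "'secret' (one-way hash); PPP users must be defined with 'password'"))
        if mppe_required and auth - MPPE_CAPABLE:
            findings.append(("MPPE_NON_MSCHAP", f"{name}: MPPE required but {sorted(auth - MPPE_CAPABLE)} cannot "
                             "derive MPPE keys; a client negotiating them is dropped"))
    return findings


# Constructed sample modelled on Evan's first draft plus the relevant base config.
DRAFT = """\
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.42.0 0.0.0.255
username massimo privilege 15 secret 5 <placeholder-hash>
aaa authentication ppp default local
ip local pool clients 192.168.200.1 192.168.200.127
interface virtual-template 1
 encapsulation ppp
 peer default ip address pool clients
 ip unnumbered vlan1
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap
"""

# Constructed sample modelled on the accepted configuration.
FINAL = """\
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.42.0 0.0.0.255
username vpnuser password 7 <placeholder>
aaa authentication ppp default local
ip local pool VPN_POOL 192.168.42.240 192.168.42.249
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool VPN_POOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap chap
"""

if __name__ == "__main__":
    for label, cfg in (("draft", DRAFT), ("final", FINAL)):
        print(label)
        for code, msg in lint(cfg):
            print(f"  {code}: {msg}")
```

Run on the accepted configuration it yields a single advisory: `chap` is listed after the MS-CHAP variants while MPPE is required. A Windows client negotiates MS-CHAPv2 first, which is why the setup works, but a peer that only offers plain CHAP would be dropped. The linter checks consistency only, not algorithm strength.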