Config L2TP/IPSec VPN server on cisco IOS

Configure VPN server on cisco IOS

Most Routers come with a VPN function, and same for Cisco ones. For personal case, a VPN connection to home router may be used for a security connection to home LAN, and also useful to secure your device under a public Wifi.
This section introduces the configs for setting up a VPN access with L2TP/IPSec protocol on Cisco routers.


For convenience, this article use the following prerequisites:

  • Global external IP is
  • L2TP's pre-shared key is "preshared_key"
  • User name for connection is "user1" and password is "password1"


Configs in this article is also besed on previous ones

#Start VPN service under L2TP protocol
vpdn enable
vpdn-group VPN_L2TP-IPsec
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication

#Create user
username user1 password 0 password1

#Set the encryption method
crypto isakmp policy 100
    encr 3des
    authentication pre-share
    group 2
crypto isakmp key preshared_key address
crypto isakmp keepalive 3600
crypto ipsec transform-set TRANS-SET esp-3des esp-sha-hmac
    mode transport
crypto dynamic-map DYNAMIC_MAP 10
    set nat demux
    set transform-set TRANS-SET
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic DYNAMIC_MAP

#Create a virtual Template
interface Virtual-Template1
    ip unnumbered Dialer1
    ip mtu 1280
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool VPN_POOL_ADDR
    ppp encrypt mppe auto
    ppp authentication ms-chap-v2

#Specify the address pool for VPN clients
ip local pool VPN_POOL_ADDR
ip forward-protocol nd
no ip http server
no ip http secure-server

#Allow traffics from VPN clients
access-list 1 permit


Now the VPN server is up on the router, but obviously, you must specify the IP address of the VPN server, which is also the WAN IP of the router when connecting from outside world.
Many ISPs provide dynamic IP, that is, the WAN IP address may change everytime a dialup session is established or after a certain period of time.
So you may also want a DDNS (Dynamic DNS) service to update the IP binding to a certain domain name, and connect to VPN server with domain name instead of IP address.

Fortunately, there are a few free DDNS available, and they also provide free sub-domain names.

However, register a domain name is easy and not expensive. I'd like to have my own ones so I registered a .com domain with about $5.

Regarding updating DNS records, the DDNS service usually provides some API interface for automatic updates. And automatic updates can also be implemented on the router.

Update MyDNS record automatically

I'm using MyDNS, below is the config codes for updating MyDNS record on my cisco router.

  • Domain name is ""
  • MyDNS username is "mydns_user" and password is "mydns_password"
#Create update task
ip ddns update method MyDNS
  add http://mydns_user:[email protected]/login.html
 interval maximum 1 0 0 0

#Add update task to Dialer1
interface Dialer1
    ip ddns update hostname
    ip ddns update MyDNS