Configure VPN server on cisco IOS
Most Routers come with a VPN function, and same for Cisco ones. For personal case, a VPN connection to home router may be used for a security connection to home LAN, and also useful to secure your device under a public Wifi.
This section introduces the configs for setting up a VPN access with L2TP/IPSec protocol on Cisco routers.
For convenience, this article use the following prerequisites:
- Global external IP is 18.104.22.168
- L2TP's pre-shared key is "preshared_key"
- User name for connection is "user1" and password is "password1"
Configs in this article is also besed on previous ones
#Start VPN service under L2TP protocol vpdn enable vpdn-group VPN_L2TP-IPsec accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication exit #Create user username user1 password 0 password1 #Set the encryption method crypto isakmp policy 100 encr 3des authentication pre-share group 2 exit crypto isakmp key preshared_key address 0.0.0.0 crypto isakmp keepalive 3600 crypto ipsec transform-set TRANS-SET esp-3des esp-sha-hmac mode transport exit crypto dynamic-map DYNAMIC_MAP 10 set nat demux set transform-set TRANS-SET exit crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic DYNAMIC_MAP #Create a virtual Template interface Virtual-Template1 ip unnumbered Dialer1 ip mtu 1280 ip nat inside ip virtual-reassembly in peer default ip address pool VPN_POOL_ADDR ppp encrypt mppe auto ppp authentication ms-chap-v2 exit #Specify the address pool for VPN clients ip local pool VPN_POOL_ADDR 10.10.10.1 10.10.10.10 ip forward-protocol nd no ip http server no ip http secure-server #Allow traffics from VPN clients access-list 1 permit 10.10.10.0 0.0.0.255
Now the VPN server is up on the router, but obviously, you must specify the IP address of the VPN server, which is also the WAN IP of the router when connecting from outside world.
Many ISPs provide dynamic IP, that is, the WAN IP address may change everytime a dialup session is established or after a certain period of time.
So you may also want a DDNS (Dynamic DNS) service to update the IP binding to a certain domain name, and connect to VPN server with domain name instead of IP address.
Fortunately, there are a few free DDNS available, and they also provide free sub-domain names.
However, register a domain name is easy and not expensive. I'd like to have my own ones so I registered a .com domain with about $5.
Regarding updating DNS records, the DDNS service usually provides some API interface for automatic updates. And automatic updates can also be implemented on the router.
Update MyDNS record automatically
I'm using MyDNS, below is the config codes for updating MyDNS record on my cisco router.
- Domain name is "hexgleam.com"
- MyDNS username is "mydns_user" and password is "mydns_password"
#Create update task ip ddns update method MyDNS HTTP add http://mydns_user:[email protected]/login.html interval maximum 1 0 0 0 #Add update task to Dialer1 interface Dialer1 ip ddns update hostname hexgleam.com ip ddns update MyDNS