Author Topic: Cisco, how to set up a VPN  (Read 2518 times)

ATC

  • Guest
Cisco, how to set up a VPN
« on: 27 September 2008, 18:24 pm »
  • This article shows how we set up VPN support on one of our routers. Keep in mind that your particular setup may require slightly different configuration.

    Our particular solution uses DES encryption, MD5 hashing and pre-shared key authentication. The peer address is unknown, to support roaming connections from anywhere in the world.

    I'm assuming that you have already got NAT (masquerading) fully configured and tested.

    You may wish to use stronger encryption, but keep in mind that you need a VPN client that supports whatever encryption you use, and not all countries allow stronger encryption than DES. (For example, bringing 3DES equipment into France is considered an act of terrorism. You have been warned.)



    ATC

    • Guest
    [Solved] Cisco, how to set up a VPN
    « Reply #1 on: 27 September 2008, 18:24 pm »
  • All right. In this example, we will use "MYSECRET" as the shared key string.

    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key MYSECRET address 0.0.0.0 0.0.0.0
    crypto isakmp client configuration address-pool local ourpool
    !
    !
    crypto ipsec transform-set trans1 esp-des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set trans1
    !

    !
    crypto map intmap client configuration address initiate
    crypto map intmap client configuration address respond
    crypto map intmap 10 ipsec-isakmp dynamic dynmap
    !      

    Now we have to assign our encryption scheme to the EXTERNAL INTERFACE, that is the interface which the VPN requests will arrive through. Don't change any other settings on that interface, just add "crypto map intmap".

    interface Serial0
     description Connected to the rest of the world
     crypto map intmap
    !

    Our VPN clients will be assigned addresses from a pool. Make sure these addresses are allowed to pass through any filters that you may have set up, and that your servers allow connections as necessary.

    ip local pool ourpool 192.168.2.1 192.168.2.254


    Now download and install a VPN client that suits your needs. It must support DES encryption, MD5 hashing and pre-shared-key authentication. We use cisco-secure-vpn-client-1.1-des.zip.
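
An added example, not part of the original post: a small audit script that reads an IOS configuration like the one above and reports the three choices the post describes (DES encryption, MD5 hashing, and a pre-shared key accepted from any peer address) so they can be reviewed. The rule names and the function names `split_sections` and `audit` are made up for this example, and the sample input is constructed from the post's own lines.

```python
import re

# Constructed sample: the crypto lines from the post above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key MYSECRET address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set trans1
"""

def split_sections(config):
    """Group an IOS config into (header, [indented sub-commands]) pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and "!" separators
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return (rule_id, config_line) findings in config order."""
    findings = []
    for header, body in split_sections(config):
        if header.startswith("crypto isakmp policy"):
            enc = [b for b in body if b.startswith("encr")]
            # Assumption: a policy with no encryption line uses DES, as the post states.
            if not enc or re.fullmatch(r"encr\S*\s+des", enc[0]):
                findings.append(("IKE-DES", header))
            if "hash md5" in body:
                findings.append(("IKE-MD5", header))
        elif header.startswith("crypto isakmp key"):
            if re.search(r"\baddress 0\.0\.0\.0(\s+0\.0\.0\.0)?$", header):
                findings.append(("PSK-WILDCARD", "crypto isakmp key <key redacted> address 0.0.0.0"))
        elif header.startswith("crypto ipsec transform-set"):
            transforms = header.split()[4:]  # tokens after the set name
            if "esp-des" in transforms:
                findings.append(("ESP-DES", header))
            if "esp-md5-hmac" in transforms:
                findings.append(("ESP-MD5", header))
    return findings

if __name__ == "__main__":
    for rule, line in audit(SAMPLE_CONFIG): print(f"{rule}: {line}")
```

The key string is left out of the findings so the report can be shared without exposing it.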