Defcon:Blog Keklkakl blog blag

VPN setup on Cisco IOS that works nice with Windows 7 and Linux w/ NetworkManager

I have a Cisco 2691 router running IOS 12.4 series at home currently, and I've been planning to cook up a VPN setup on it that allows me to connect back home, and also to "trombone" my way back out from home. I wanted toe setup to be as short and simple as possible, but still include encrypted communication. Finally, I wanted this to be available using "standard setup" client software on my XUbuntu+NetworkManager laptop, as well as Windows 7.

The "kicker" that made me finally cook this up, was the need to easily demonstrate to a colleague as well as a few students a simple way to do road warrior VPN using a Cisco IOS router as the termination point.

My setup uses Microsoft PPP Extensions to get encrypted communication, and as such it is a form of PPTP VPN.

The important bits to understand this setup is:

• I use the IPv4 range 10.0.5.0/24 (or rather a subset of it) for the VPN clients.
• VPN clients connect to my "Internet" facing address, located on FastEthernet0/0
• All my internal networks, including VPN clients, use NAT with overload (PAT) for IPv4 communication with "the world"

I suppose it should be possible to use a Mac as a client for this setup too, but to be honest, I can't be bothered to check 🙂

aaa authentication ppp VPDN_AUTH local
!
ip name-server 10.0.2.2
!
vpdn enable
!
vpdn-group RoadWarrior
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
username vpntest privilege 7 password 7 053D1601114D5D1A0E550516
!
interface FastEthernet0/0
 description Internet
 ip nat outside
!...
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ip nat inside
peer default ip address pool VPNPool
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool VPNPool 10.0.5.2 10.0.5.31
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
 permit 10.0.5.0 0.0.0.255