Cisco 877 as a VPN server?
I have a Cisco 877 router which connects my network to the Internet using an ADSL line, a single public IP address and NAT; the IOS version is 15.
Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.
I've tried looking for documentation, but everything I can find is related to having the 877 act as a VPN client, or to site-to-site VPNs; I can't find anything about letting single remote computers access the internal network, which is something I can do quite easily using Windows' RRAS or ISA Server.
- Can the Cisco 877 act as a VPN server for remote client computers? (Looks like it should, but just to be sure...)
- Which type of VPNs does it support? Do they require some special software on the client machines, or can they be used by standard out-of-the-box Windows computers?
- And, finally: how do I set this up?
Edit:
I know the 877 is a SOHO router, and it's not the best choice as a VPN server; but this is my home network, I only have one computer (for now) and I'm the only user. I'm definitely not going to buy an enterprise-grade router just to be able to reach my PC when I'm at work :-p
Edit 2:
I'm really stuck with this, after many tests I was never able to get it to work. I'm adding a bounty to the question, which will be awarded to a fully working solution (not to some pointer to cryptic Cisco documentation or unrelated scenarios).
In order to allow people to help, here's my current router configuration (stripped of non-relevant and private details). Let's hope someone finally can help me get this working.
Main points:
- The four Ethernet interfaces are all assigned to VLAN 1.
- Internal network is 192.168.42.0/24, router's IP address is 192.168.42.1.
- External IP address is supplied by ISP; it's a public and static one, fully routable.
- NAT is (of course) enabled.
- ADSL connection works OK.
- The router is the DNS server for the internal network, forwarding queries to the ISP's DNS.
- There is no DHCP server in the network.
- There is a single user account with privilege level 15.
What I want:
- The router acting as a VPN server, enabling external clients to access the internal network.
- L2TP would be preferred, but even PPTP would be ok.
- If possible, I want this to work with Windows' built-in VPN client (which supports PPTP and L2TP); I don't want to install Cisco VPN client or anything like that on external computers in order for them to be able to connect.
Here's the config:
version 15.0
service password-encryption
!
hostname Cisco877
!
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
!
ip source-route
ip cef
ip domain name <my ISP's DNS name>
ip name-server <my ISP's DNS server>
no ipv6 cef
!
password encryption aes
username <Router's username> privilege 15 secret 5 <The encrypted password for my user account>
!
ip ssh version 2
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <My ISP's username> password 7 <The encrypted ISP password>
!
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.42.0 0.0.0.255
dialer-list 1 protocol ip permit
Solution 1:
So according to Cisco's website, yes, you can have your 877 be a server. But I would highly recommend against it. I set up a VPN solution with the 871 routers connecting to a head-end 2800 router and had all kinds of problems. Lower-end devices just are not made to handle a lot of simultaneous VPN connections. My recommendation would be to buy a 2800 or 3800 series router with a VPN module. The hardware module will allow for more connections, but will also handle the connections a lot better.
How you want to set it all up and where to put your head end is up to you, but I think having the head end sit on the outside of your network just as your 877 does today is probably the easiest. In the links below you will find a lot of ways to do this, but the easiest is to use a head-end like you have now, but with beefier hardware.
Take out the spaces for those links and search the second one for "Easy VPN".
http://www.cisco.com/en/US/products/sw/secursw/ps5299/
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/857sg_bk.pdf
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr.html
Solution 2:
Here's my attempt w/o having a router like this one to actually test on. Add the following to your config:
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 exit
!
ip local pool clients 192.168.200.1 192.168.200.127
!
interface virtual-template 1
 encap ppp
 peer default ip address pool clients
 ip unnumbered vlan1
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap
!
aaa authentication ppp default local
That should enable VPN dialup (VPDN), create a VPDN group to accept incoming PPTP, create an IP pool to assign to clients, create a virtual-template interface to be assigned to clients, and turn on local authentication for PPP users. MS-CHAP and MPPE encryption will be required (defaults in Windows anyway, I believe).
I'm anxious to see if I get it right on the first try... or, indeed, at all.
Solution 3:
I was finally able to make it work using Evan's great support and this page.
I'm posting the complete configuration here and I'm accepting this answer to leave it as a reference, but of course the bounty is going to Evan :-)
This is what needs to be added to the router's configuration in order to enable PPTP and L2TP dial-in VPN access:
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group VPN_Clients
 accept-dialin
  protocol any
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <IPSEC PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map VPN_DYN_MAP 1
 set nat demux
 set transform-set VPN_TS
!
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_DYN_MAP
!
interface Dialer0
 crypto map VPN_MAP
!
ip local pool VPN_POOL 192.168.42.240 192.168.42.249
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool VPN_POOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap chap
Note 1: for authenticating VPN users, you will need to set their passwords with the command "username <user> password <password>" instead of the more secure "username <user> secret <password>"; otherwise authentication will fail, because MD5-encrypted passwords are not compatible with CHAP. This is documented here.
Note 2: This configuration assigns to VPN clients IP addresses that are part of the inside network; this is the easiest approach, as using a different subnet would require supplying the clients a static route to the LAN. It would indeed be more secure, but for simple access to a home network it's simply not worth the hassle.
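As an added example (not code from this thread or from Cisco), here is a small Python script that parses an IOS config into sections and checks it for the dial-in VPN pieces the two answers above rely on (vpdn enable, an accept-dialin group pointing at a defined virtual-template, a defined address pool, PPP local authentication), flagging the settings a reviewer would want to know about: PPTP accepted, 3DES, and the reversible type-7 user passwords Note 1 requires. SAMPLE_CONFIG is a constructed excerpt modelled on the accepted answer, and audit_vpn_config is a hypothetical name.

```python
# Added example, not from the thread: parse an IOS config into sections and
# audit it for the dial-in VPN pieces above. SAMPLE_CONFIG is a constructed excerpt.
import re

SAMPLE_CONFIG = """\
aaa authentication ppp default local
vpdn enable
vpdn-group VPN_Clients
 accept-dialin
  protocol any
  virtual-template 1
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
interface Virtual-Template1
 peer default ip address pool VPN_POOL
username alice password 7 0822455D0A16
"""

def parse_sections(text):
    """Map each top-level line to its indented sub-lines (IOS nests by spaces)."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw.startswith(" ") and current is not None:
                sections[current].append(raw.strip())
            else:
                current = raw.strip()
                sections[current] = []
    return sections

def audit_vpn_config(text):
    """Return a sorted list of findings; an empty list means nothing to report."""
    s = parse_sections(text)
    found = [f"missing: {r}" for r in ("vpdn enable", "aaa authentication ppp default local") if r not in s]
    for h, body in s.items():
        if h.startswith("vpdn-group "):
            tmpl = next((l.split()[1] for l in body if l.startswith("virtual-template ")), None)
            if "accept-dialin" not in body or tmpl is None:
                found.append(f"{h}: needs accept-dialin and a virtual-template")
            elif f"interface Virtual-Template{tmpl}" not in s:
                found.append(f"{h}: interface Virtual-Template{tmpl} is not defined")
            if any(l in ("protocol any", "protocol pptp") for l in body):
                found.append(f"{h}: accepts PPTP (MS-CHAP based); prefer 'protocol l2tp'")
        elif h.startswith("interface Virtual-Template"):
            pool = next((l.split()[-1] for l in body if "ip address pool" in l), None)
            if pool and not any(g.startswith(f"ip local pool {pool} ") for g in s):
                found.append(f"{h}: address pool {pool} is not defined")
        if "3des" in h or any("3des" in l for l in body):
            found.append(f"{h}: 3DES is legacy; prefer AES if the IOS image supports it")
        if m := re.match(r"username (\S+) password ", h):  # type 7 is reversible, but CHAP needs it (Note 1)
            found.append(f"user {m.group(1)}: reversible type-7 password; keep the config private")
    return sorted(found)
```

Feed it the output of "show running-config"; on the sample it reports four findings, including the undefined VPN_POOL, which disappears once the "ip local pool" line from the answer is added.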