Published 12-11-2017 15:30:24

hostname VPN

!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.

aaa new-model

!--- In order to enable Xauth for user authentication, 
!--- enable the aaa authentication commands.

aaa authentication login userauthen local

!--- In order to enable group authorization, enable 
!--- the aaa authorization commands.

aaa authorization network groupauthor local

aaa session-id common

resource policy

!--- For local authentication of the IPsec user, 
!--- create the user with a password.

username user password 0 cisco

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

!--- Create a group that is used to specify the
!--- WINS and DNS server addresses to the VPN Client, 
!--- along with the pre-shared key for authentication.

crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!--- Create a dynamic map and apply 
!--- the transform set that was created earlier.

crypto dynamic-map dynmap 10
 set transform-set myset

!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!--- Create the loopback interface for the VPN user traffic

interface Loopback0
 ip address
 ip nat inside
 ip virtual-reassembly

interface Ethernet0/0
 ip address
 ip nat inside

!--- Apply the crypto map on the interface.

interface FastEthernet1/0
 ip address
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map clientmap

interface Serial2/0
 no ip address

interface Serial2/1
 no ip address

interface Serial2/2
 no ip address

interface Serial2/3
 no ip address

!--- Create a pool of addresses to be 
!--- assigned to the VPN Clients.

ip local pool ippool
ip http server
no ip http secure-server

ip route

!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 101 
!--- and gets PATed with the FastEthernet IP address.

ip nat inside source list 101 interface FastEthernet1/0 overload

!--- The access list is used to specify which traffic is to be translated for the 
!--- outside Internet.
access-list 101 permit ip any any

!--- Interesting traffic used for policy route.

access-list 144 permit ip any

!--- Configures the route map to match the interesting traffic (access list 144)
!--- and routes the traffic to next hop address

route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop